The USB malware vector

You're having a coffee and surfing when an apologetic stranger asks if she can charge her Android phone on your USB port. But she's installing malware on your PC. Here's how to stop it.
Written by Robin Harris, Contributor

Ease of use trumped security in the USB design. Devices don't need a unique serial number. There's no way a host can detect malicious firmware. Devices can have multiple identities - and change them at will.

Nightmare on USB street

But it doesn't have to be that way. Let power be power and data be data: they're on separate pins!

Hence the USB condom: a device that passes power but not data. Voila! Safe coffee-shop sharing. 

Of course USB's security issues don't stop with phones. Malware could be installed on virtually any USB device with a microcontroller: thumb drives; webcams; music players.

But the attractive stranger with a dying phone seems like the most likely vector. A stranger who probably doesn't know they're spreading malware.

The Storage Bits take

There's a couple of ways USB condoms could be rendered obsolete. One is power-only USB ports on PCs - not likely - or switchable power/data ports - only slightly more likely.

Another is to remove the ability to update the firmware in USB controllers. That seems like less of a stretch, especially for highly engineered products like phones and tablets where USB functionality is well-defined. But also not likely.

Should the average user worry about USB-spread malware? Not yet.

But if you keep commercially important documents - ones competitors want - on your notebook, it's an extra bit of protection. You can chat up that attractive stranger and protect your data.

Comments welcome, as always. What other USB vectors can you think of?

Editorial standards