26 Software Bugs in USB Devices

2. July, 2020

Computer mice, keyboards, USB sticks and hubs, power banks, chargers: the USB interfaces of computers and smartphones are in constant demand. The risks that USB accessories can involve are rarely questioned. Yet the USB interface, precisely because of its flexibility, is very susceptible to misuse. From a technical point of view, it is relatively easy to simulate USB input devices, to load USB sticks with malicious software, or to eavesdrop on input via manipulated devices and interfaces. Even systems that are otherwise well protected can thus be infected and manipulated.

Hardware and software problems possible

Not only the hardware but also the software of the various USB devices can cause problems. Security researchers recently found 26 new software bugs in USB driver stacks. The distribution of the bugs across operating systems was striking: 18 vulnerabilities affect the Linux platform, ten of which are classified as security-critical and have already been patched. The effects on Windows and macOS ranged from a system freeze to a reboot to a crash (Blue Screen of Death).

Fuzzing: Creative bug hunting

The USB vulnerabilities were discovered by fuzzing: a simulated USB device sends data to the interface following the principle of random input. The test routines deliberately generate random and invalid inputs in order to check how the underlying driver software behaves. Already in 2017, a Google researcher discovered 79 bugs in USB drivers using fuzzing.
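As an added illustration of the fuzzing principle described above (this is not code from the article or from the researchers it cites): a hardened USB device-descriptor parser beside an unchecked one, and a small mutation-based fuzz loop that feeds both with corrupted descriptors. The sample descriptor, the function names and the mutation strategy are constructed assumptions for the example.

```python
import random
import struct

# Constructed sample: a well-formed 18-byte USB device descriptor (bLength 18,
# bDescriptorType 1, USB 2.0, bMaxPacketSize0 64, placeholder VID/PID, 1 config).
VALID_DEVICE_DESCRIPTOR = bytes([0x12, 0x01, 0x00, 0x02, 0x00, 0x00, 0x00, 0x40,
                                 0x34, 0x12, 0x78, 0x56, 0x00, 0x01, 0x01, 0x02, 0x03, 0x01])

def parse_device_descriptor(buf: bytes) -> dict:
    """Hardened parser: malformed input is rejected with ValueError, never read past the end."""
    if len(buf) < 2 or buf[1] != 0x01:
        raise ValueError("missing header or not a device descriptor")
    if buf[0] != 18 or len(buf) < 18:
        raise ValueError(f"bLength {buf[0]} inconsistent with {len(buf)}-byte buffer")
    fields = struct.unpack_from("<HBBBBHHHBBBB", buf, 2)   # the 16 bytes after the header
    bcd_usb, max_packet, num_configs = fields[0], fields[4], fields[11]
    if bcd_usb < 0x0300 and max_packet not in (8, 16, 32, 64):
        raise ValueError(f"invalid bMaxPacketSize0 {max_packet}")
    if num_configs == 0:
        raise ValueError("device advertises zero configurations")
    return {"bcdUSB": bcd_usb, "bDeviceClass": fields[1], "bMaxPacketSize0": max_packet,
            "idVendor": fields[5], "idProduct": fields[6], "bNumConfigurations": num_configs}

def naive_parse_device_descriptor(buf: bytes) -> dict:
    """Unchecked variant that trusts the device: short input raises struct.error or
    IndexError, the user-space equivalent of an out-of-bounds read in a driver."""
    return {"bcdUSB": struct.unpack_from("<H", buf, 2)[0], "bMaxPacketSize0": buf[7]}

def fuzz_descriptor(parser, seed_descriptor, iterations=2000, seed=0):
    """Mutation-based fuzzing: corrupt, truncate or extend a valid descriptor and record
    every failure that is not a controlled ValueError. Returns (input, exception) pairs."""
    rng = random.Random(seed)          # fixed seed keeps the run reproducible
    findings = []
    for _ in range(iterations):
        data = bytearray(seed_descriptor)
        for _ in range(rng.randint(1, 4)):
            roll = rng.random()
            if roll < 0.6 and data:                      # overwrite one byte
                data[rng.randrange(len(data))] = rng.randrange(256)
            elif roll < 0.8:                             # truncate at a random point
                del data[rng.randrange(len(data) + 1):]
            else:                                        # append junk bytes
                data += bytes(rng.randrange(256) for _ in range(rng.randint(1, 8)))
        try:
            parser(bytes(data))
        except ValueError:
            pass                                         # rejected cleanly: fine
        except Exception as exc:                         # crash-equivalent: a bug
            findings.append((bytes(data), repr(exc)))
    return findings
```

Running `fuzz_descriptor` against both parsers shows the difference the article describes: the unchecked parser produces crash-equivalent failures on truncated input, while the hardened one only ever fails with a controlled rejection.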

These observations show that a range of security problems can arise via a direct physical connection. A concrete example is the security gap discovered in 2019 in the popular Logitech presenters, whose USB wireless adapter accepted unauthorized input from attackers. In that case, only replacing the USB dongle hardware helped.

Precautions and protection

One reassuring point: in order to exploit these weaknesses, a physical connection must be available. The most important tip: do not connect unknown USB accessories to your system! This applies especially to USB devices from unknown sources, such as found USB sticks or other USB input devices. Public USB charging stations, for example for smartphones, also carry risks.

In addition to operating system updates, please also pay attention to updates for your accessories.[1] Reputable manufacturers offer software and hardware updates even after purchase, which is well worth the additional cost compared to “no-name” products.

[3] https://www.us-cert.gov/ncas/tips/ST08-001
