Â
You probably have a handful of USB drives around your computer, they are useful and ubiquitous. After reading this article and watching the video below you might think twice before plugging in a found USB drive or one from a casual acquaintance. USB was dreamt up way back in 1994 and has gone through many versions since then. USB has a simple 4 pin contact, two for power and 2 for bi-directional data transmission. Even though it has a very simple electrical interface there are many types of devices that can be plugged in and run over USB, you can see the 2 hex digits in the table below which represent all of the USB class devices (via). The device passes this class number to the computer when powered to allow the computer to understand what has been plugged in. Â
Karsten Nohl and Jakob Lell from SR Labs did some reverse engineering to a simple USB thumb drive. They have created a thumb drive that can power up as a class 08h mass storage and display the files. It can then change to a class 03h device which is a HID such as a keyboard. Now the thumb drive can easily perform some keystrokes which can do things such as open a shell window and perform any commands you like.
If you think plugging in a phone into your computer to charge it is harmless guess again. At 24:46 in the video a properly setup phone is plugged into the USB port and with no obvious changes all of your Paypal passwords are now being sent to the hackers. This demonstration software has been released for security professionals to ensure they are protected against this attack.
 Of course it was just a matter of time for this exploit to be performed, much of the controller chips are fully documented and easily available. There are also lots of fake drive manufactures who have hacked their own firmware to allow them to have incorrect size information to be displayed to allow drives with small amounts of NAND memory to show up and act as a huge drive.
I can see all of the large manufactures with solid supply chains start to sell devices that have their driver firmware stored in ROM or in EEPROM memory that has a write fuse blown to prevent future writing of the firmware. We see this in microcontrollers and don`t think twice about it.
It is now up to us, the consumer, to demand with our purchasing dollars that devices that are sold to be free of this type of attack.
USB Device classes include:
| Class | Usage | Description | Examples, or exception |
|---|---|---|---|
| 00h | Device | Unspecified | Device class is unspecified, interface descriptors are used to determine needed drivers |
| 01h | Interface | Audio | Speaker, microphone, sound card, MIDI |
| 02h | Both | Communications and CDC Control | Modem, Ethernet adapter, Wi-Fi adapter |
| 03h | Interface | Human interface device (HID) | Keyboard, mouse, joystick |
| 05h | Interface | Physical Interface Device (PID) | Force feedback joystick |
| 06h | Interface | Image | Webcam, scanner |
| 07h | Interface | Printer | Laser printer, inkjet printer, CNC machine |
| 08h | Interface | Mass storage (MSC or UMS) | USB flash drive, memory card reader, digital audio player, digital camera, external drive |
| 09h | Device | USB hub | Full bandwidth hub |
| 0Ah | Interface | CDC-Data | Used together with class 02h: communications and CDC control |
| 0Bh | Interface | Smart Card | USB smart card reader |
| 0Dh | Interface | Content security | Fingerprint reader |
| 0Eh | Interface | Video | Webcam |
| 0Fh | Interface | Personal Healthcare | Pulse monitor (watch) |
| 10h | Interface | Audio/Video (AV) | Webcam, TV |
| DCh | Both | Diagnostic Device | USB compliance testing device |
| E0h | Interface | Wireless Controller | Bluetooth adapter, Microsoft RNDIS |
| EFh | Both | Miscellaneous | ActiveSync device |
| FEh | Interface | Application-specific | IrDA Bridge, Test & Measurement Class (USBTMC), USB DFU (Direct Firmware Update) |
| FFh | Both | Vendor-specific | Indicates that a device needs vendor-specific drivers |