There are bulletins at us-cert.gov today reporting that both Windows and Mac OS X can be attacked through USB Human Interface Device (HID) functionality. The simplest way to explain the problem is that neither OS X nor Windows warns the user when a newly connected USB device, such as a smartphone, enumerates as a keyboard or mouse. The host binds its standard input driver to any device that presents an HID keyboard or mouse interface, so a device with modified firmware can inject keystrokes and mouse actions with the privileges of the logged-in user, which could lead to a number of different compromises of the host system. This behaviour has existed since USB HID support was added to both operating systems but was only publicly demonstrated recently: an example was shown at the Black Hat DC conference, and CNET ran an article about it on January 19th.
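Why the host takes the device at its word: the class, subclass and protocol fields of the interface descriptors inside the device's configuration descriptor are all the operating system looks at when deciding to attach a keyboard driver. The following Python is an added example, not code from the original post or from the researchers mentioned above. It parses a hand-constructed configuration descriptor for a composite device (a mass-storage interface plus a boot-protocol keyboard interface, the shape a phone with modified firmware could present) and flags the interface the host would bind to its input driver. The byte string, the device it imitates and all function names are the example's own assumptions.

```python
"""Parse a USB configuration descriptor and flag HID (input) interfaces.

Added example, not from the original post. CONSTRUCTED_COMPOSITE below is
built by hand to mimic a composite device that enumerates as both a
mass-storage drive and a boot-protocol keyboard; no real device was captured.
"""
import struct

# Descriptor type codes from the USB 2.0 and HID 1.11 specifications.
DT_CONFIGURATION = 0x02
DT_INTERFACE = 0x04
DT_ENDPOINT = 0x05
DT_HID = 0x21

CLASS_HID = 0x03
CLASS_MASS_STORAGE = 0x08
HID_SUBCLASS_BOOT = 0x01
HID_PROTOCOL_KEYBOARD = 0x01
HID_PROTOCOL_MOUSE = 0x02


def parse_configuration(data):
    """Walk the descriptor chain and return one dict per interface descriptor.

    Every descriptor begins with bLength and bDescriptorType, so the chain can
    be walked without knowing every descriptor type in advance.
    """
    if len(data) < 9 or data[1] != DT_CONFIGURATION:
        raise ValueError("not a configuration descriptor")
    total_len = struct.unpack_from("<H", data, 2)[0]
    if total_len != len(data):
        raise ValueError(f"wTotalLength {total_len} != {len(data)} bytes supplied")

    interfaces = []
    off = 0
    while off + 2 <= len(data):
        length, dtype = data[off], data[off + 1]
        if length < 2 or off + length > len(data):
            raise ValueError(f"bad bLength {length} at offset {off}")
        if dtype == DT_INTERFACE and length >= 9:
            num, alt, n_ep, cls, sub, proto = struct.unpack_from("<BBBBBB", data, off + 2)
            interfaces.append({
                "number": num, "alt": alt, "endpoints": n_ep,
                "class": cls, "subclass": sub, "protocol": proto,
                "hid_report_len": None,
            })
        elif dtype == DT_HID and interfaces:
            # The HID descriptor follows its interface; wDescriptorLength is the
            # size of the report descriptor that defines the device's usages.
            interfaces[-1]["hid_report_len"] = struct.unpack_from("<H", data, off + 7)[0]
        off += length
    return interfaces


def input_capable_interfaces(interfaces):
    """Interfaces the host would hand to an input (HID) driver: any class 0x03."""
    return [i for i in interfaces if i["class"] == CLASS_HID]


def describe(iface):
    """Human-readable label for one interface."""
    if iface["class"] == CLASS_HID:
        if iface["subclass"] == HID_SUBCLASS_BOOT and iface["protocol"] == HID_PROTOCOL_KEYBOARD:
            return "HID boot keyboard"
        if iface["subclass"] == HID_SUBCLASS_BOOT and iface["protocol"] == HID_PROTOCOL_MOUSE:
            return "HID boot mouse"
        return "HID (usage defined by report descriptor)"
    if iface["class"] == CLASS_MASS_STORAGE:
        return "mass storage"
    return f"class 0x{iface['class']:02x}"


def assess(data):
    """Summarize what a host would see when this configuration is enumerated."""
    ifaces = parse_configuration(data)
    input_nums = [i["number"] for i in input_capable_interfaces(ifaces)]
    storage_nums = [i["number"] for i in ifaces if i["class"] == CLASS_MASS_STORAGE]
    return {
        "interfaces": [(i["number"], describe(i)) for i in ifaces],
        "input_capable": input_nums,
        "storage": storage_nums,
        # An input interface next to any other function is the phone-as-keyboard shape.
        "composite_input": bool(input_nums) and len(ifaces) > len(input_nums),
    }


# Constructed sample (57 bytes): a "drive" that also claims to be a keyboard.
CONSTRUCTED_COMPOSITE = bytes([
    # Configuration: wTotalLength 0x0039, 2 interfaces, bus powered, 100 mA
    0x09, 0x02, 0x39, 0x00, 0x02, 0x01, 0x00, 0x80, 0x32,
    # Interface 0: mass storage, SCSI transparent, bulk-only transport, 2 endpoints
    0x09, 0x04, 0x00, 0x00, 0x02, 0x08, 0x06, 0x50, 0x00,
    0x07, 0x05, 0x81, 0x02, 0x00, 0x02, 0x00,   # bulk IN,  512 bytes
    0x07, 0x05, 0x02, 0x02, 0x00, 0x02, 0x00,   # bulk OUT, 512 bytes
    # Interface 1: HID, boot subclass, keyboard protocol, 1 endpoint
    0x09, 0x04, 0x01, 0x00, 0x01, 0x03, 0x01, 0x01, 0x00,
    # HID descriptor: HID 1.11, one report descriptor of 63 bytes
    0x09, 0x21, 0x11, 0x01, 0x00, 0x01, 0x22, 0x3F, 0x00,
    0x07, 0x05, 0x83, 0x03, 0x08, 0x00, 0x0A,   # interrupt IN, 8 bytes, 10 ms
])


if __name__ == "__main__":
    for num, what in assess(CONSTRUCTED_COMPOSITE)["interfaces"]:
        print(f"interface {num}: {what}")
```

Two caveats matter in practice. The boot subclass and protocol fields only identify keyboards and mice that support the BIOS boot protocol; a non-boot HID device reports subclass and protocol 0 and declares its usages (keyboard, mouse, consumer control) in the report descriptor, so a monitor has to treat every class 0x03 interface as input-capable, which is what input_capable_interfaces does. And a real monitor would obtain the descriptor bytes from the operating system's USB enumeration interface rather than from a constant; that plumbing is platform specific and not shown here.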
Other USB-related risks
USB-connected devices have become a common source of virus and malware infections. The Conficker worm, first seen in late 2008 and still widespread in 2010, copied itself from infected hosts onto USB memory sticks together with an autorun.inf file, so that the worm ran as soon as the stick was plugged into another Windows machine. As early as 2008 USB was being recognized as a much more common vector for virus propagation.
Because plugging in a USB device is a user action, this is an area where user education and caution are key. We can expect Apple and Microsoft to respond to this HID issue, but we can also say with certainty that others will come up in the future. Here are some simple suggestions to avoid becoming a victim:
Tips for individuals
- Store your USB storage devices in a safe place.
- Use memory sticks only from extremely trusted sources.
- Do not allow others to use your computer to charge their USB devices; a phone plugged in to charge is a full USB device from the host's point of view and can claim to be a keyboard.
- Purchase memory sticks from trusted sources in clearly sealed packaging.
Extra tips for businesses
- Include a section governing USB devices in your Acceptable Use Policy (AUP).
- Do not allow third parties to use USB devices or charge phones on your corporate systems.
- Consider implementing software or operating-system policies that control access to USB ports on your systems. On Windows, Group Policy can deny access to removable storage classes and can restrict device installation to an allow-list of hardware IDs; note that blocking removable storage alone does nothing against a device that enumerates as a keyboard, so input devices need to be covered by the policy as well.
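What a port-control policy has to decide, shown as an added example rather than as any product's or the original post's code: each newly attached device is identified by vendor ID, product ID and serial number and by the interface classes it declares, and the policy allows storage and input devices only when that exact device has been approved, while refusing outright any device that presents an input interface alongside another function (the phone-as-keyboard shape). The Device and Policy types, the vendor and product IDs and every device record below are the example's own constructions, not real hardware.

```python
"""Allow-list decision for newly attached USB devices (added example).

Models the kind of port-control policy the post recommends. The device
records are constructed for illustration; the vendor/product IDs are
placeholders, not real manufacturers.
"""
from dataclasses import dataclass, field

CLASS_HID = 0x03            # keyboards, mice, other input
CLASS_STILL_IMAGE = 0x06    # PTP/MTP, the class phones usually expose
CLASS_PRINTER = 0x07
CLASS_MASS_STORAGE = 0x08
CLASS_HUB = 0x09


@dataclass(frozen=True)
class Device:
    vid: int
    pid: int
    serial: str
    interface_classes: tuple   # bInterfaceClass of every interface the device declares


@dataclass
class Policy:
    # (vid, pid, serial) triples of individually approved devices
    approved_input: set = field(default_factory=set)
    approved_storage: set = field(default_factory=set)
    # Classes any device may use without individual approval
    open_classes: set = field(default_factory=lambda: {CLASS_HUB})


def evaluate(dev, policy):
    """Return ("allow" | "deny", reason) for one attached device."""
    classes = set(dev.interface_classes)
    ident = (dev.vid, dev.pid, dev.serial)
    if not classes:
        return "deny", "no interfaces declared"
    has_input = CLASS_HID in classes
    has_storage = bool(classes & {CLASS_MASS_STORAGE, CLASS_STILL_IMAGE})
    # An input interface next to any other function is refused regardless of
    # identity: no ordinary keyboard needs to be a drive or a camera as well.
    if has_input and classes - {CLASS_HID}:
        return "deny", "input interface combined with other functions"
    if has_input:
        if ident in policy.approved_input:
            return "allow", "approved input device"
        return "deny", "unapproved input device"
    if has_storage:
        if ident in policy.approved_storage:
            return "allow", "approved storage device"
        return "deny", "unapproved storage device"
    if classes <= policy.open_classes:
        return "allow", "only open classes"
    return "deny", "class not covered by policy"


def evaluate_all(devices, policy):
    """Map each device's serial (or vid:pid when blank) to its decision."""
    out = {}
    for dev in devices:
        key = dev.serial or f"{dev.vid:04x}:{dev.pid:04x}"
        out[key] = evaluate(dev, policy)
    return out


# Constructed devices and policy (placeholder IDs, not real products).
APPROVED_KEYBOARD = Device(0x1234, 0x0001, "KBD-00042", (CLASS_HID,))
UNREGISTERED_KEYBOARD = Device(0x1234, 0x0001, "KBD-00043", (CLASS_HID,))
PHONE_AS_KEYBOARD = Device(0x5678, 0x0100, "PHONE-1", (CLASS_STILL_IMAGE, CLASS_HID))
UNKNOWN_STICK = Device(0x9ABC, 0x0010, "", (CLASS_MASS_STORAGE,))
APPROVED_STICK = Device(0x9ABC, 0x0010, "STK-7", (CLASS_MASS_STORAGE,))
HUB = Device(0x0DEF, 0x0002, "", (CLASS_HUB,))
PRINTER = Device(0x0DEF, 0x0003, "PRN-1", (CLASS_PRINTER,))

EXAMPLE_POLICY = Policy(
    approved_input={(0x1234, 0x0001, "KBD-00042")},
    approved_storage={(0x9ABC, 0x0010, "STK-7")},
)


if __name__ == "__main__":
    devices = [APPROVED_KEYBOARD, UNREGISTERED_KEYBOARD, PHONE_AS_KEYBOARD,
               UNKNOWN_STICK, APPROVED_STICK, HUB, PRINTER]
    for key, (verdict, why) in evaluate_all(devices, EXAMPLE_POLICY).items():
        print(f"{key:12s} {verdict:5s} {why}")
```

The allow-list identifies only honest devices: vendor ID, product ID and serial number are supplied by the device itself, so a device with attacker-controlled firmware can present the identity of an approved keyboard. The composite-device rule is the part that holds up against the phone-as-keyboard case specifically, and it needs an exceptions process in practice, since some legitimate hardware (keyboards with built-in hubs or audio, for instance) also declares several functions.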