New Research Shows How USB Cable Can Become Attack Tool

Posted: March 7, 2011 at 1:02 am, Last Updated: March 4, 2011 at 2:57 pm

By Catherine Ferraro

Angelos Stavrou. Creative Services photo

It’s a pretty common occurrence that happens every day — you notice your smartphone needs charging so you quickly hook it up to a computer. You continue on with your daily tasks, trusting that the smartphone is doing nothing more than powering up or synching your calendar and contacts.

All the while, the smartphone may be actively and stealthily taking over your computer.

This is the conclusion of new research by Angelos Stavrou, assistant professor of computer science in Mason’s Volgenau School of Engineering. Stavrou and Mason graduate student Zhaohui Wang figured out how to attack smartphones and computers using nothing more than a simple universal serial bus (USB) cable.

Their study details the various attack methods for three scenarios: phone-to-computer attacks, computer-to-phone attacks and phone-to-phone attacks.

These days, the new generation of smartphones, such as the iPhone and Android, have many of the same applications as a personal computer — Internet browsing, GPS navigation, e-mail —that make them more convenient when on the go.

In addition, the USB cable has become the standard tool for charging a phone and communicating and synchronizing the contents of the phone with computers and other phones.

However, the lack of protection offered by the USB cable when it is hooked up to a phone or computer makes it prone to exploitation by malicious hackers who want to nab someone’s personal information.

“The typical user inherently trusts the connection when hooking up devices using a USB cable because they think they know what it is supposed to do, and they own the two connecting devices,” says Stavrou. “Attacks through USB cables haven’t been seen before, so there are no defenses in place to prevent or even detect them.”

According to Stavrou, when a USB cable is connected to a computer or smartphone, a message pops up indicating that the computer has detected a connection. However, the message may be visible for less than a second, and the user may not even notice it.

To make matters worse, note the researchers, both the computer and smartphone are completely unaware of the type of device that is connected to the USB port. As a result, very little, if any, user interaction is necessary for the USB device to take over the system.

For the purposes of their study, the researchers used the Google Android smartphone to write software that changes the functionality of the USB device. This software, which can actually be written for any smartphone, allows a person to launch a covert attack while charging a smartphone or while syncing information between a smartphone and a computer.

Once the USB cable has been compromised, it can pretend to be a human interface device (HID), adding keyboard or mouse functionality to the connection. This enables the attacker to begin typing commands or clicking the mouse to take control of the computer. At this time, the attacker is free to steal files or download malicious software.

The original compromise of a person’s phone or computer can be as easy as tricking them into downloading an application or other infected program. The compromise can also occur if the phone or computer is left unattended, giving an attacker time to download malicious software. When the user connects his or her phone to the computer, the attacker now has access to the phone.

And the infection continues to spread, notes Stavrou, even from phone to phone.

“If your computer becomes compromised and you connect your phone to the computer using a USB cable, you’ve just, unknowingly, compromised your phone,” says Stavrou. “Then, if you connect your phone to someone else’s phone or to another computer, you have just infected both devices.”

According to Stavrou and Wang, antivirus software is not effective in stopping such an attack because it can’t tell whether the user has given his or her permission for the USB device to perform the actions.

Although there is not much a person can do to protect against this threat at this time, notes Stavrou, their main goal is to help educate researchers and the general public about the dangers.

“The smartphone basically has all of the same capabilities as a computer and needs to be treated with the same vigilance that a person treats their personal computer,” says Stavrou.

“Our view of smartphones as dumb devices needs to change, and we need to recognize that they are just as vulnerable as regular computers and, therefore, prone to malicious attacks.”

Write to mediarel at