To show that this attack is not only possible with USB thumb drives, the researchers will also use an Android phone connected to the computer to emulate a rogue network card.
Any USB connection can turn evil, Nohl said. If you let someone connect a USB thumb drive or charge a phone on your computer you essentially trust them to type commands on your computer, he said.
The attacks developed by Security Research Labs underline the difficulty of having both the versatility of the USB standard and security at the same time. The greatest feature of USB -- its plug-and-play capability -- turns out to be its greatest vulnerability as well, according to Nohl.
Unfortunately, there's no easy fix for this problem. The Security Research Labs researchers have identified several ways to address this issue, but none of them solve the problem completely or in a timely manner.
One place where the issue could be fixed is in the USB specification by requiring that a secure pairing process is used when adding new USB devices to a computer, similar to the one used for Bluetooth devices. However, even if the USB specification is changed, it could take years before the new standard is adopted and new devices replace the old ones.
OSes could also ask users to confirm the addition of new USB devices to their computers and then remember the approved devices -- a sort of USB firewall. However, this might not even be possible because many USB devices use a string of zeros for their serial number and there's no way for the OS to distinguish between them, Nohl said. Also, this doesn't solve the attack vector where the USB device infects the boot sector from outside the OS.
An obvious place to fix the issue would be in the USB microcontrollers themselves by requiring firmware updates to be digitally signed or by implementing some sort of hardware locking mechanism that prevents overwriting the firmware once the device leaves the factory. Nohl said that he and his team haven't seen such protections in any of the USB thumb drives they tested.
Even if manufacturers start implementing such protections there would have to be a way to tell new USB thumb drives apart from old, insecure ones, so that users can make an informed decision about which devices they connect to their computers.
Finally, a more short-term solution would be for users to start understanding the risks and be cautions about which USB devices they plug into their computers, Nohl said. For the purpose of exchanging files with other people an SD (Secure Digital) memory card would be a safer choice than a USB thumb drive, he said.