Researchers bring attention to USB attack via Android phone
An attack vector that most companies are not prepared for was highlighted this week by Angelos Stavrou, an assistant professor at George Mason University, and his student Zhaohui Wang. They modified the USB driver of an Android smartphone so that a surreptitious attack can be launched when the phone is connected to a computer for charging or syncing.
The modification exploits the standard Human Interface Device (HID) class of the USB protocol to transmit illicit keystrokes over the cable, which can be easily tailored to steal data or perform an exploit. And because there is no way to tell a simulated keyboard apart from a real one, malware created along these lines will not necessarily be stopped by antivirus software.
The heart of the matter here is the ease with which an attacker can break into existing antimalware defenses via a USB port, given that the protocol has no provisions for user authentication. Indeed, similar exploits can already be conducted via dedicated USB development devices such as the Teensy USB Development Board. In fact, security researcher Adrian Crenshaw actually incorporated the development board inside a USB mouse as a proof-of-concept.
In this case, Stavrou and Wang developed two exploits: one that runs on the computer, and one that is launched from an Android phone. Stavrou mused that a compromised home computer could be used to break into an Android phone when it is connected, and that the phone could then be used to compromise other computers: in short, a new cross-platform virus that spreads via USB ports.
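As an added illustration (not code from the researchers or from the original article), the following sketch shows one defensive check against the HID technique described above: it parses a USB configuration descriptor and flags a device that exposes an HID interface alongside mass-storage or vendor-specific interfaces, as a phone with a modified driver would. The descriptor bytes are constructed samples, and the function names and verdict labels are hypothetical.

```python
import struct

HID, MASS_STORAGE, VENDOR = 0x03, 0x08, 0xFF   # USB bInterfaceClass codes
BOOT_KEYBOARD = 0x01   # bInterfaceProtocol on a boot-subclass HID interface

def interfaces(config: bytes):
    """Return (class, subclass, protocol) for each interface in a configuration descriptor."""
    if len(config) < 9 or config[1] != 0x02:
        raise ValueError("not a configuration descriptor")
    total = struct.unpack_from("<H", config, 2)[0]   # wTotalLength
    if total > len(config):
        raise ValueError("truncated descriptor")
    found, pos = [], 0
    while pos + 2 <= total:
        length, dtype = config[pos], config[pos + 1]
        if length < 2 or pos + length > total:
            raise ValueError("malformed descriptor length")
        if dtype == 0x04 and length >= 9:            # interface descriptor
            found.append(tuple(config[pos + 5:pos + 8]))
        pos += length
    return found

def assess(config: bytes) -> str:
    """Hypothetical verdict labels: no-hid, hid-only, review-keyboard, review-hid."""
    ifaces = interfaces(config)
    classes = {c for c, _, _ in ifaces}
    if HID not in classes:
        return "no-hid"
    if not classes & {MASS_STORAGE, VENDOR}:
        return "hid-only"          # looks like an ordinary keyboard or mouse
    # HID beside storage/vendor interfaces: unexpected for a phone or flash drive.
    # Non-boot HID keyboards report protocol 0, so they are still flagged for review.
    keyboard = any(c == HID and p == BOOT_KEYBOARD for c, _, p in ifaces)
    return "review-keyboard" if keyboard else "review-hid"

def _config(*ifaces):
    """Build a constructed configuration descriptor from (class, subclass, protocol) triples."""
    body = b"".join(bytes([9, 4, n, 0, 0, c, s, p, 0]) for n, (c, s, p) in enumerate(ifaces))
    header = bytes([9, 2]) + struct.pack("<H", 9 + len(body))
    return header + bytes([len(ifaces), 1, 0, 0x80, 250]) + body

# Constructed samples, not captured from real devices.
PHONE_SYNC = _config((0x08, 0x06, 0x50), (0xFF, 0x42, 0x01))   # storage + vendor-specific
PHONE_PLUS_KEYBOARD = _config((0x08, 0x06, 0x50), (0x03, 0x01, 0x01))
DESK_KEYBOARD = _config((0x03, 0x01, 0x01))

if __name__ == "__main__":
    for name in ("PHONE_SYNC", "PHONE_PLUS_KEYBOARD", "DESK_KEYBOARD"):
        print(name, assess(globals()[name]))
```

A device that enumerates only as a keyboard still yields `hid-only`, consistent with the point above that a simulated keyboard looks like a real one; the check catches only the unexpected combination of interfaces.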
For more on this story:
- check out this article at CNET News