Some cybersecurity experts, like Rapid7's Trey Ford, say the danger of sharing USB devices has been spotted before.
But SRLabs chief scientist Karsten Nohl, a member of the team that discovered the flaw, said the implications are now clear. Downloading the wrong app can infect your phone, then compromise your computer. And borrowing a stranger's USB stick could infect your computer permanently.
"Someone asking, 'Can I charge my Android on your computer?' will have a much different connotation in the future," Nohl said.
The problem is made worse because modern-day antivirus and protection software won't catch it. USB duping isn't technically a computer virus in action, just a device masquerading as another one. So there's no solution for it right now except simply barring flash drives.
That's the approach the U.S. military takes at sensitive locations. The Pentagon disabled its computers' USB ports and banned the use of flash drives in 2008 to prevent infection of government computers there.
The flaw was discovered by SRLabs researchers Nohl, Jakob Lell and Sascha Krissler, and will be explained in detail at the Black Hat cybersecurity conference next week in Las Vegas.
The team tested with several types of flash drives, as well as Android smartphones, which connect to computers via USB ports. The team did not test iPhones or other smartphones.
But it's not about a specific kind of device. At its very core, the USB flaw exists because of the convenient nature of computer Universal Serial Bus ports -- they're universal. They accept all sorts of devices -- mice, microphones, printers and more.