Stop sharing USB Flash drives - right now

USB hack
USB-connected devices have a fatal flaw. Say no to strangers' flash drives -- and smartphones too.

It's time to start thinking of smartphones and USB Flash drives like toothbrushes or razors -- for personal use only.

German security researchers have discovered that USB-connected devices have a fatal flaw. Anything that connects via USB can be reprogrammed to pose as another device.

That means a stranger's USB stick could dupe your computer into thinking it's a keyboard, then type in certain commands and quietly take control of your laptop.

Or it could pose as a network card, rerouting your Internet traffic so everything you do can be spied on.

Identity theft, bank fraud, extortion -- you name it. Anything follows. And any talented computer engineer can tamper with a device's firmware to dupe a computer.

Related story: Dark Mail - email that hides from the NSA

Some cybersecurity experts, like Rapid7's Trey Ford, say the danger of sharing USB devices have been spotted before.

But SRLabs chief scientist Karsten Nohl, a member of the team that discovered the flaw, said the implications are now clear. Downloading the wrong app can infect your phone, then compromise your computer. And borrowing a stranger's USB stick could infect your computer permanently.

"Someone asking, 'Can I charge my Android on your computer?' will have a much different connotation in the future," Nohl said.

Hacker makes encrypted message app
Hacker makes encrypted message app

The problem is made worse, because modern day antivirus and protection software won't catch it. USB duping isn't technically a computer virus in action, just a device masquerading as another one. So, there's no solution for it right now except simply barring Flash drives.

That's the approach the U.S. military takes at sensitive locations. The Pentagon disabled its computers USB ports and banned the use of Flash drives in 2008 to prevent infection of government computers there.

Cybersecurity: How safe are you? A custom Flipboard magazine

The flaw was discovered by SRLabs researchers Nohl, Jakob Lell and Sascha Krissler, and will be explained in detail at the Black Hat cybersecurity conference next week in Las Vegas.

The team tested with several types of Flash drives, as well as Android smartphones, which connect to computers via USB ports. The team did not test iPhones or other smartphones.

But it's not about a specific kind of device. At its very core, the USB flaw exists because of the convenient nature of computer Universal Serial Bus ports -- they're universal. They accept all sorts of devices -- mouses, microphones, printers and more.

"That simplicity has a cost," Nohl said.

CNNMoney Sponsors