Picture this: You're surfing the Internet while waiting for your flight to board, when the man sitting next to you asks if he can charge his Android through your laptop's USB port, having forgotten his charger at home. You oblige.
Unbeknownst to you, the seemingly friendly stranger has programmed his mobile device to pose as a keyboard, tricking your computer into providing unfettered remote access to all of your private files. Or perhaps the phone behaves like a network card, rerouting all of your online traffic so that the cyber-criminal can see everything you are doing on the web. That means he now has access to your medical records, banking information and social security number, putting you at serious risk of identity theft, credit fraud or even extortion.
It may sound like a scene from a spy movie, but a new report written by a group of German security experts says it is all too possible. Even worse - they found that antivirus and protection software installed on your computer will not realize that anything is amiss. That's because, technically, your system does not have a virus. Rather, the smartphone has been programmed to pretend that it is another device - a relatively simple trick but one that existing security programs won't catch. Jakob Nohl and Karsten Lell from SR Labs in Berlin say that means users need to be extremely cautious about what devices they allow to connect to their computers, treating USB ports much like toothbrushes - for personal use only.
Nohl and Lell say you should also be wary of connecting any pre-owned or recycled USB device to your computer, even if it came from a friend. A good rule of thumb: If you don't know exactly where a memory stick, keyboard or mouse has been, don't use it, as it could be infected. Nohl and Lell say their research indicates that virtually anything that can be plugged into a USB port may be used as a kind of virtual Trojan horse. The researchers found the Android operating system to be particularly vulnerable. While they did not test iPhones, they concluded that the risk of hacking exists across all USB devices.
"The interface standard conquered the world over the past two decades thanks to its versatility: Almost any computer peripheral, from storage and input gadgets to health care devices, can connect over the ubiquitous technology," Nohl and Lell wrote on their blog. "And many more device classes connect over USB to charge their batteries. This versatility is also USB's Achilles' heel: Since different device classes can plug into the same connectors, one type of device can turn into a more capable or malicious type without the user noticing."
The SR Labs' research confirms that our personal information continues to be vulnerable in evolving and unprecedented ways. While you should limit others' access to your computer's USB ports, it is also wise to take extra steps to protect your identity in case a hacker is able to infiltrate your records. Consider investing in a credit monitoring service, which can alert you to certain activity that may indicate fraud connected to your name. While such services cannot guarantee your protection, they can help minimize your risk. You should also be sure to use unique and hard-to-crack passwords that combine letters, numbers and symbols. Do not repeat passwords across sites and change your passwords periodically. A password management program like SafeConnex can help protect your entry codes from hackers, sheltering them in a convenient and easy-to-reference password vault.