USB has become so commonplace that we rarely worry about its security implications. USB sticks undergo the occasional virus scan, but we consider USB to be otherwise perfectly safe - until now.
This talk introduces a new form of malware that operates from controller chips inside USB devices. USB sticks, as an example, can be reprogrammed to spoof various other device types in order to take control of a computer, exfiltrate data, or spy on the user.
We demonstrate a full system compromise from USB and a self-replicating USB virus not detectable with current defenses.
We then dive into the USB stack and assess where protection from USB malware can and should be anchored.