Cyber-security experts have dramatically called into question the safety and security of using USB to connect devices to computers.
In one demo, shown off at the Black Hat hackers conference in Las Vegas, a standard USB drive was inserted into a normal computer.
Malicious code implanted on the stick tricked the machine into thinking a keyboard had been plugged in.
After just a few moments, the “keyboard” began typing in commands – and instructed the computer to download a malicious program from the internet.
Another demo, shown in detail to the BBC, involved a Samsung smartphone.
When plugged in to charge, the phone would trick the computer into thinking it was in fact a network card. It meant when the user accessed the internet, their browsing was secretly hijacked.
Mr Nohl demonstrated to the BBC how they were able to create a fake copy of PayPal’s website, and steal user log-in details as a result.
Unlike other similar attacks, where simply looking at the web address can give away a scam website, there were no visible clues that a user was under threat.
The same demo could have been carried out on any website, Mr Nohl stressed.
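The two demos above share one tell: a device that the user believes to be storage (or a charging phone) enumerates an additional USB interface, a keyboard in the first case and a network adapter in the second. The following Python is an added example, not code from the article or from the researchers it quotes, showing how a host-side audit can flag that interface mix by comparing what a device exposes against a per-product allowlist (the approach tools such as USBGuard take). The interface class codes are the standard USB-IF values; the vendor/product ids, the policy table and the device records are constructed sample data, and reading real enumeration data from the operating system is assumed to happen elsewhere.

```python
"""Audit enumerated USB devices for the interface mix used in the demos above.

Added example, not code from the article or from the researchers it quotes.
Interface class codes are the standard USB-IF bInterfaceClass values; the
vendor/product ids, the policy table and the device records are constructed
sample data.  Real enumeration data would come from the OS (sysfs, udev,
Windows PnP), which is out of scope here.
"""
from dataclasses import dataclass

# Standard USB-IF bInterfaceClass codes
CLASS_CDC_CONTROL = 0x02   # Communications: control interface of a USB Ethernet device
CLASS_HID = 0x03           # Human Interface Device: keyboards, mice
CLASS_IMAGE = 0x06         # Still image / MTP, how a phone normally exposes its files
CLASS_MASS_STORAGE = 0x08  # Flash drives, external disks
CLASS_CDC_DATA = 0x0A      # Communications: data interface of a USB Ethernet device

INPUT_CLASSES = {CLASS_HID}
NETWORK_CLASSES = {CLASS_CDC_CONTROL, CLASS_CDC_DATA}


@dataclass(frozen=True)
class UsbDevice:
    vid: int
    pid: int
    product: str
    interface_classes: tuple  # bInterfaceClass of every interface the device exposes


def audit_device(dev, policy):
    """Return finding codes for one device; an empty list means it looks as expected.

    policy maps (vid, pid) -> the set of interface classes the organisation
    expects that product to expose.  Products not in the policy are judged on
    their interface mix alone.
    """
    classes = set(dev.interface_classes)
    expected = policy.get((dev.vid, dev.pid))
    findings = []

    if expected is None:
        # Unknown product: any input or network capability needs a human decision
        if classes & (INPUT_CLASSES | NETWORK_CLASSES):
            findings.append("unknown-product-input-or-network")
    elif classes - expected:
        # Known product enumerating more than it is supposed to (the BadUSB tell)
        findings.append("policy-violation")

    # Demo 1: a storage stick that also enumerates as a keyboard
    if CLASS_MASS_STORAGE in classes and classes & INPUT_CLASSES:
        findings.append("storage-plus-keyboard")

    # Demo 2: a device that is not an approved network adapter offers a network
    # interface, which can hand the host a new default route or DNS server
    if classes & NETWORK_CLASSES and not (expected and expected & NETWORK_CLASSES):
        findings.append("unexpected-network-interface")

    return findings


def audit(devices, policy):
    """Map product name -> findings for every enumerated device."""
    return {d.product: audit_device(d, policy) for d in devices}


def blocked(devices, policy):
    """Products that should be refused (or quarantined pending review)."""
    return sorted(name for name, f in audit(devices, policy).items() if f)


# Constructed sample data: ids are placeholders, not real USB-IF assignments
POLICY = {
    (0x1111, 0x0001): {CLASS_MASS_STORAGE},   # approved corporate flash drive
    (0x2222, 0x0002): {CLASS_IMAGE},          # approved phone model, MTP only
}

SAMPLE_DEVICES = (
    UsbDevice(0x1111, 0x0001, "flash-drive-ok", (CLASS_MASS_STORAGE,)),
    UsbDevice(0x1111, 0x0001, "flash-drive-badusb", (CLASS_MASS_STORAGE, CLASS_HID)),
    UsbDevice(0x2222, 0x0002, "phone-charging", (CLASS_IMAGE, CLASS_CDC_CONTROL, CLASS_CDC_DATA)),
    UsbDevice(0x3333, 0x0003, "unknown-gadget", (CLASS_HID,)),
)

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_DEVICES, POLICY).items():
        print(f"{name:20s} {'OK' if not findings else ', '.join(findings)}")
```

The point of keying the policy on interface classes rather than on vendor and product ids alone is that a reprogrammed stick keeps its original ids; it is the extra HID or CDC interface, not the identity string, that gives it away. A host that only accepts keyboards already present at boot, or that requires a user to confirm a newly attached keyboard or network adapter, closes the same gap at the operating-system level.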
On Friday, Microsoft published a security advisory that acknowledged the bug. In the advisory, the company also said that other versions of Internet Explorer, including the newer IE9 and IE10, are not affected, and that the firm is working on an update to patch the problem. No timetable for a fix was provided. The next scheduled security update from Microsoft will ship Tuesday, May 14.
Microsoft confirmed that all versions of IE8, including copies running on XP, Vista and Windows 7, are at risk.
Meanwhile, Microsoft urged users of Vista and Windows 7 to upgrade from IE8 to IE9 and IE10, respectively. People running Windows XP — the apparent target of the watering hole attacks — have no such option, as neither IE9 nor IE10 runs on the 12-year-old operating system. The newest versions of Chrome and Firefox, however, do support Windows XP.
Customers can also deploy the Enhanced Mitigation Experience Toolkit (EMET), to lock down IE8, making exploits more difficult for hackers. EMET 3.0 or the beta of EMET 4.0 can be downloaded from Microsoft’s website.
While it’s possible that Microsoft will craft a patch for the vulnerability in time to include it in the scheduled May 14 updates, it’s more likely the company will issue a fix outside of that schedule, as it did in January. Then, Microsoft took 16 days from issuing an advisory to patching IE. If it followed the same timetable with the newest flaw, it would ship a fix after this month’s Patch Tuesday.