Chrome OS takes steps to block ‘Rubber Ducky’ USB attacks
Google is making Chromebooks less susceptible to sabotage via USB port
Google has said it will allow users to disable the USB ports on their Chromebooks when the screen is locked, in an attempt to counteract the problem of hackers exploiting the tech to infect a machine with malware.
USB ports may have provided the world with a very easy standard of sharing data, but they have also given hackers an equally easy opening, provided they have physical access.
These so-called "Rubber Ducky" attacks involve inserting a malicious thumb drive into a USB port, which tricks the computer into believing it is a keyboard, which then runs malicious commands. A number of variants of this nasty trick have emerged over the years, including BadUSB, PoisonTap, USBdriveby and USBHarpoon.
There's one surprisingly simple fix that eliminates the problem in one fell swoop though: if a hacker has to have physical access, then it makes sense that the computer's owner can't be around at the time. With that in mind, simply disabling the USB ports when the computer is screen locked sidesteps the issue. In other words, when the computer is unattended, it simply won't read any USB devices connected until it's unlocked again.
This is the approach that Apple took with an update to iOS last year, and now it looks like it's coming to Chrome OS. As spotted by Chrome Story, an update to the operating system's Canary build gives users the option to disable USB ports when the screen is locked. Users can enable it by modifying the Chrome OS flag: chrome://flags/#enable-usbguard
Helpfully, the USB ports will only be disabled for new devices so if you've started a big file copy and left your Chromebook unattended, you won't come back to find that its given up halfway through.
USB Guard is currently in the Canary build of Chrome OS, but you would imagine it'll emerge in a stable build of the operating system in the very near future.
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2024.
After a false career start producing flash games, Alan Martin has been writing about phones, wearables and internet culture for over a decade with bylines all over the web and print.
Previously Deputy Editor of Alphr, he turned freelance in 2018 and his words can now be found all over the web, on the likes of Tom's Guide, The i, TechRadar, NME, Gizmodo, Coach, T3, The New Statesman and ShortList, as well as in the odd magazine and newspaper.
He's rarely seen not wearing at least one smartwatch, can talk your ear off about political biographies, and is a long-suffering fan of Derby County FC (which, on balance, he'd rather not talk about). He lives in London, right at the bottom of the Northern Line, long after you think it ends.
You can find Alan tweeting at @alan_p_martin, or email him at mralanpmartin@gmail.com.