Researchers at SR Labs have uncovered a flaw in USB firmware that impacts virtually all devices with USB connectivity. The flaw allows surveillance-type access and injection of malware into PCs without administrative access or any authentication at all. It also allows the attacker to gain full control of the device and even reroute internet traffic for interception. It is very hard to detect and even harder to get rid of: because it lives in firmware, it would persist through formats and would not be picked up by any virus scanner.
The team is expected to give a talk on the vulnerability, and on their exploit of it, known as BadUSB, at the Black Hat security conference in Las Vegas this week.
Some security researchers have guessed that this is the firmware-level flaw exploited by the NSA's Cottonmouth device, a chip that is covertly implanted into the cables or plugs of USB devices in order to enable the type of functionality described by the vulnerability. This would be another interesting case of the state intentionally weakening the security of the public in order to exploit vulnerabilities against its enemies.