Computer users pass around USB sticks like electronic business cards. Although we know they often carry malware infections, users depend on antivirus scans and the occasional reformatting to keep thumb drives from becoming the carrier for the next digital epidemic. But the security problems with USB devices run deeper than you think: Their risk isn’t just in what they carry, it’s built into the core of how they work.
That’s the takeaway from findings security researchers Karsten Nohl and Jakob Lell plan to present this week at the Black Hat security conference, demonstrating a collection of proof-of-concept malicious software that highlights how the security of USB devices has long been fundamentally broken.
The malware they created, called BadUSB, can be installed on a USB device to completely take over a PC, invisibly alter files installed from the memory stick, or even redirect the user’s internet traffic. Because BadUSB resides not in the flash memory storage of USB devices, but in the firmware that controls their basic functions, the attack code can remain hidden long after the contents of the device’s memory would appear to the average user to be deleted.
These problems can’t be patched by antivirus or anti-malware programs because BadUSB exploits the very way that USB is designed. So, if you’re concerned about this security exploit, you have to consider a USB device infected and throw it away as soon as it touches a non-trusted computer.
The problem isn’t limited to thumb drives. In addition to USB memory sticks, all manner of USB devices, from keyboards and mice to smartphones and USB cameras, have firmware that can be reprogrammed. It is even possible for a device to impersonate a USB keyboard and suddenly start typing commands.
The malware can silently hijack internet traffic too, mimicking a USB network card and changing a computer’s DNS settings to redirect traffic to any servers it pleases. Or if the code is planted on a phone or another device with an internet connection, it can act as a man-in-the-middle, secretly spying on communications as it relays them from the victim’s machine.
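One way a defender can watch for the keyboard and network-card impersonation described above is to compare the interface classes a device announces against what was approved for it. The sketch below is an added example, not code from the researchers; the baseline, device IDs and serials are constructed, and the class codes are the standard USB interface class values (on Linux they can be read from `/sys/bus/usb/devices/*/bInterfaceClass`).

```python
# Added example: flag USB devices that announce interface classes beyond an approved baseline.
HID, MASS_STORAGE, CDC_COMM, CDC_DATA, WIRELESS = 0x03, 0x08, 0x02, 0x0A, 0xE0
NETWORK = {CDC_COMM, CDC_DATA, WIRELESS}  # classes commonly used by USB network adapters

# Constructed baseline: (vendor id, product id, serial) -> interface classes approved for it.
BASELINE = {
    ("1111", "2222", "STICK-A"): {MASS_STORAGE},
    ("3333", "4444", "KBD-01"): {HID},
}

def describe(iface):
    """Human-readable label for a (class, subclass, protocol) interface triple."""
    cls, sub, proto = iface
    if cls == HID:
        # Subclass 0x01 / protocol 0x01 is the HID boot keyboard.
        return "HID keyboard" if (sub, proto) == (0x01, 0x01) else "HID input"
    if cls in NETWORK:
        return "network adapter"
    return "class 0x%02x" % cls

def audit(devices, baseline=BASELINE):
    """Return (device_key, reason) for unknown devices and unapproved interfaces."""
    findings = []
    for dev in devices:
        key = (dev["vid"], dev["pid"], dev["serial"])
        approved = baseline.get(key)
        if approved is None:
            findings.append((key, "not in baseline"))
            continue
        for iface in dev["interfaces"]:
            if iface[0] not in approved:
                findings.append((key, "unapproved " + describe(iface)))
    return findings

# Constructed enumeration data: a stick that also announces a keyboard,
# a keyboard behaving as approved, and a phone-like device never approved.
SAMPLE = [
    {"vid": "1111", "pid": "2222", "serial": "STICK-A",
     "interfaces": [(0x08, 0x06, 0x50), (0x03, 0x01, 0x01)]},
    {"vid": "3333", "pid": "4444", "serial": "KBD-01",
     "interfaces": [(0x03, 0x01, 0x01)]},
    {"vid": "5555", "pid": "6666", "serial": "PHONE-9",
     "interfaces": [(0xE0, 0x01, 0x03)]},
]

if __name__ == "__main__":
    for key, reason in audit(SAMPLE):
        print(":".join(key), "->", reason)
```

The vendor ID, product ID and serial are reported by the device itself, so reprogrammed firmware can copy them; this check catches a device that starts announcing extra classes, not a like-for-like imitation of an approved keyboard or adapter.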
Another major concern is that the infection can travel both from computer to USB and vice versa. Any time a USB stick is plugged into a computer, its firmware could be reprogrammed by malware on that PC, with no easy way for the USB device’s owner to detect it. And likewise, any USB device could silently infect a user’s computer.
BadUSB’s ability to spread undetectably from USB to PC and back raises questions about whether it’s possible to use USB devices securely at all. We’ve known all along that if you give someone access to your USB ports, they can do bad things to your computer. What this appears to demonstrate is that it’s also possible to go the other direction, which suggests the threat of compromised USB devices is a very serious problem.
There’s even some speculation that the USB attack may in fact already be common practice with the NSA based on a report about a spying device known as Cottonmouth, revealed earlier this year in the leaks of Edward Snowden. The device, which hid in a USB peripheral plug, was identified in a collection of NSA internal documents as surreptitiously installing malware on a target’s machine. The exact mechanism for that USB attack wasn’t described.
The short-term solution to BadUSB isn’t a technical patch so much as a fundamental change in how we use USB devices. To avoid the attack, all you have to do is not connect your USB device to computers you don’t own or don’t have good reason to trust—and don’t plug untrusted USB devices into your own computer.
In the long term, USB manufacturing companies could change their process and implement code-signing protections on all of their devices.
In the immediate future, BadUSB-created cracking tools will be able to create compromised devices that will have the potential to be a new and deadly attack vector for hackers.