Everyone uses devices with a USB port, but now some analysts are saying USB has a serious security flaw. Researchers have created a type of malware called BadUSB that showcases how your private files could be compromised, simply by sharing a USB drive. Here’s what you need to know in order to stay safe.
1. USB Drives Could Be as Dangerous for Computers as Infected Needles Are for People
Did you know you could install malware on a regular USB keyboard? Well, you can. Because USB is crazy insecure. http://t.co/erezENg0Qg
— Joe Brown (@joemfbrown) July 31, 2014
9to5Mac reports that security researchers have found a fundamental flaw with USB. This vulnerability to malware has the researchers comparing the humble USB drive to a lethal syringe laced with disease:
“Rather than storing malicious files on a USB device, the researchers managed to hack the USB controller chip that enables a USB device to communicate with a computer, changing its firmware. That means it can allow absolutely any USB device, from a USB key to a keyboard, to be compromised…
As it’s undetectable, the exploit could be silently added to a USB key when it is inserted into a PC, and then infect the next device it’s connected to. There is, say the researchers, no protection at all against the method of attack short of never sharing USB devices – treating them as you’d treat a hypodermic needle: only ever using one you know to be brand new, and not dreaming of allowing anyone else to share it.”
The report goes on to say that these vulnerabilities cannot be patched.
2. Karsten Nohl & Jakob Lell Created BadUSB Malware
Learn about the kind of data hackers love to steal in the report above.
Karsten Nohl and Jakob Lell are the researchers who discovers this security flaw. They are researchers for the security consultancy SR Labs. The duo will present their findings next month at a Black Hat conference.
As part of their proof-of-concept to demonstrate the security issues inherent in USB, the two created a nasty bit of malware called BadUSB. Wired reports that BadUSB can quickly and invisibly attack an infected computer:
“BadUSB…can be installed on a USB device to completely take over a PC, invisibly alter files installed from the memory stick, or even redirect the user’s internet traffic. Because BadUSB resides not in the flash memory storage of USB devices, but in the firmware that controls their basic functions, the attack code can remain hidden long after the contents of the device’s memory would appear to the average user to be deleted. And the two researchers say there’s no easy fix: The kind of compromise they’re demonstrating is nearly impossible to counter without banning the sharing of USB devices or filling your port with superglue.”
3. There May Be Long-Term Fixes for USB Malware
While there may be no short-term solutions for dealing with infected computers, ZDNet suggests that there are long-term solutions for USB-transmitted malware. These fixes might include having USB chipset manufacturers take a second look at their firmware, or having security companies pay closer attention to the ways USB-transmitted malware can edit firmware. The best course of action may be to simply not share USB drives or any USB device with others.
4. The NSA May Already Be Taking Advantage of This Vulnerability
Some of the sources Wired consulted in their article about BadUSB say that the NSA might already be aware of such USB-based hacking measures. Wired spoke with University of Pennsylvania computer science professor Matt Blaze:
“Blaze speculates that the USB attack may in fact already be common practice for the NSA. He points to a spying device known as Cottonmouth, revealed earlier this year in the leaks of Edward Snowden. The device, which hid in a USB peripheral plug, was advertised in a collection of NSA internal documents as surreptitiously installing malware on a target’s machine. The exact mechanism for that USB attack wasn’t described.
“I wouldn’t be surprised if some of the things [Nohl and Lell] discovered are what we heard about in the NSA catalogue.'”
5. USB Infections Could Travel Both Ways
Gizmodo writes that a potential USB infection could transmit in both directions: “A USB stick could infect a computer with its malware, say, and the PC could then infect any USB device plugged into it.”
Gizmodo’s advice for keeping your computer safe from any USB-transmitted malware is simple. Don’t use any untrusted USB devices in your computer, and don’t insert any of your “clean” USB drives into the computer of anyone you don’t trust.