Although computer security experts have long been aware of security issues related to USB storage devices, new research shows that an internal flaw in the firmware of all USB devices makes them vulnerable to undetectable security attacks. By rewriting the code in a device's firmware, a hacker can easily infect any computer to which the device is attached. This vulnerability requires extra vigilance in how USB devices are used.
Karsten Nohl and Jakob Lell, scientists at Security Research Labs, have created a new form of malware by reverse engineering the firmware in USB devices. The modified firmware infects computers when the USB device is plugged in, and then infected computers spread the infection to other attached USB devices. Because the infection is coded into the device's firmware and not stored in its memory, the infection is not traceable by normal malware scanners. This security flaw, called BadUSB by the team, is extremely difficult to remove by standard computer security protocols.
Because BadUSB is firmware-based, all USB devices are vulnerable to infection. This includes USB mice, keyboards, cameras, MP3 players and smartphones, as well as USB thumb drives and other external storage devices. Once the firmware is reverse engineered, it can switch software transfers for malicious versions, act as a keyboard and virtually type malicious commands, and hijack Internet traffic by changing your computer's DNS settings. Security experts hypothesize that the National Security Agency uses similar firmware modifications in USB devices to spy on computers by diverting information from infected machines.
BadUSB exploits the design of the controller chip that runs all USB devices. USB controller chips are not code-signed. This means that anyone can change the chips' programming without special codes or clearances. There is also no standard code available to compare specific device codes against to check for abnormalities. The best defense against attack is to treat every USB device as a security risk. Do not plug devices into computers with questionable security, and do not plug USB devices from untrusted sources into your computer. Remember that every USB device is only as secure as all the computers with which it has connected.
As more computer users become aware of security risks associated with cloud computing, hard storage on USB devices initially appears a safer option. The reveal of serious security issues associated with USB storage is a reminder that all digital storage includes security risks. Multiple channels and up-to-date security professionals are essential to keep computer systems free of infections and educate users on safe computer protocols.
BadUSB is a serious security flaw, but there is no need to panic. Nohl and Lell are presenting their research into the flaw at Black Hat USA 2014, a major security conference in Las Vegas. The conference will provide the nation's top security experts with exposure to the details of the vulnerability in USB devices and will encourage research into future solutions.
Photo courtesy of patrisyu at FreeDigitalPhotos.net