A few months ago, white hat security expert Karsten Nohl of SR Labs revealed that computer USB devices are wide open to malware attack through a hole named “BadUSB.” Nohl held off on releasing the code behind the vulnerability at the time. But now, at the DerbyCon hacking conference in Louisville, Kentucky, computer security researchers Adam Caudill and Brandon Wilson have made the decision to release full details about BadUSB to the public.
“The belief we have is that all of this should be public. It shouldn’t be held back. So we’re releasing everything we’ve got,” Caudill told the DerbyCon audience. “This was largely inspired by the fact that [SR Labs] didn’t release their material. If you’re going to prove that there’s a flaw, you need to release the material so people can defend against it.”
According to Caudill and Wilson’s research, a hacker could use a readily available USB microcontroller to impersonate a keyboard and run any number of dangerous, data-stealing commands on any computer it's plugged in to. Because of the nature of BadUSB, the attack would not be caught by a computer’s anti-virus program nor would traces of it be left behind after. In short, BadUSB can turn any USB storage stick into a weapon.
One of the most worrying aspects of BadUSB is that the vulnerability is not easily patched. Many USB devices would require major redesigns, and some currently in use might never be secured. Full protection against BadUSB could take many years, if not a decade. “It’s unfixable for the most part,” Nohl admitted.
Releasing the code behind BadUSB to the public is a double-edged sword. One the one hand, it gives hackers the information they need to readily exploit it, which significantly increases the risk to the public. But at the same time, shedding light on the security vulnerability makes it easier for researchers to come up with defenses against it. It also sends a strong message that USB is not secure and pressures device makers to fix the issue with haste.
How can you stay safe? Exploiting BadUSB would require an infected USB device to be physically attached to your computer. It makes sense, then, to use extreme caution when dealing with USB devices (thumb drives, etc.) of unknown origin. Only use USB storage devices you know to be new and untouched by others, if possible.
[Removable USB thumb drive via Shutterstock]
From Clairvaux on October 25, 2014 :: 7:06 pm
How is this new ? We already knew that computers in open settings, such as offices, were very vulnerable to malware injection through USB thumb drives. The only difference with this flaw seems to be that no anti-malware software will block it.
But having a policy against open, available USB ports, and against non-vetted USB memory devices was already paramount for organisations.
Reply
From Josh Kirschner on October 26, 2014 :: 5:48 pm
You’re right, USB keys have always been a potential means of infection, but this latest exposed attack vector is far harder to detect and prevent. So it further emphasizes the importance of protecting USB access in organizations and avoiding using untrusted USB devices in personal computers.
FWIW, for many organizations, USB keys are a basic means of information delivery (we use them all the time at Techlicious, as every PR firm and CE company uses them to deliver press kits). Knowing that our anti-malware protection won’t stop attacks of the nature described above is very disturbing.
Reply