USB Devices May Be Next Malware Threat

by Fox Van Allen on October 03, 2014

A few months ago, white hat security expert Karsten Nohl of SR Labs revealed that computer USB devices are wide open to malware attack through a hole named “BadUSB.” Nohl held off on releasing the code behind the vulnerability at the time. But now, at the DerbyCon hacking conference in Louisville, Kentucky, computer security researchers Adam Caudill and Brandon Wilson have made the decision to release full details about BadUSB to the public.

“The belief we have is that all of this should be public. It shouldn’t be held back. So we’re releasing everything we’ve got,” Caudill told the DerbyCon audience. “This was largely inspired by the fact that [SR Labs] didn’t release their material. If you’re going to prove that there’s a flaw, you need to release the material so people can defend against it.”

According to Caudill and Wilson’s research, a hacker could use a readily available USB microcontroller to impersonate a keyboard and run any number of dangerous, data-stealing commands on any computer it's plugged into. Because of the nature of BadUSB, the attack would not be caught by a computer’s anti-virus program, nor would it leave traces behind afterward. In short, BadUSB can turn any USB storage stick into a weapon.

One of the most worrying aspects of BadUSB is that the vulnerability is not easily patched. Many USB devices would require major redesigns, and some currently in use might never be secured. Full protection against BadUSB could take many years, if not a decade. “It’s unfixable for the most part,” Nohl admitted.

Releasing the code behind BadUSB to the public is a double-edged sword. On the one hand, it gives hackers the information they need to readily exploit it, which significantly increases the risk to the public. But at the same time, shedding light on the security vulnerability makes it easier for researchers to come up with defenses against it. It also sends a strong message that USB is not secure and pressures device makers to fix the issue with haste.

How can you stay safe? Exploiting BadUSB would require an infected USB device to be physically attached to your computer. It makes sense, then, to use extreme caution when dealing with USB devices (thumb drives, etc.) of unknown origin. Only use USB storage devices you know to be new and untouched by others, if possible.

[Removable USB thumb drive via Shutterstock]


From Clairvaux on October 25, 2014 :: 6:06 pm


How is this new? We already knew that computers in open settings, such as offices, were very vulnerable to malware injection through USB thumb drives. The only difference with this flaw seems to be that no anti-malware software will block it.

But having a policy against open, available USB ports, and against non-vetted USB memory devices was already paramount for organisations.

From Josh Kirschner on October 26, 2014 :: 4:48 pm


You’re right, USB keys have always been a potential means of infection, but this latest exposed attack vector is far harder to detect and prevent. So it further emphasizes the importance of protecting USB access in organizations and avoiding using untrusted USB devices in personal computers.

FWIW, for many organizations, USB keys are a basic means of information delivery (we use them all the time at Techlicious, as every PR firm and CE company uses them to deliver press kits). Knowing that our anti-malware protection won’t stop attacks of the nature described above is very disturbing.

© Techlicious LLC.