It’s no big surprise USB drives can carry malware, or that they can infect our computers if we don’t use antivirus software and reformatting to keep them malware-free.
But those aren’t the only reasons USB drives are not secure, say researchers at SR Labs. By creating their own malware, named “BadUSB,” they’ve found USB devices have deeper, more fundamental problems in terms of their security. A USB drive carrying BadUSB can take over a PC, change files on a memory stick without a user noticing, and redirect that user’s Internet traffic – and as the malware is housed inside a USB drive’s firmware, rather than in the flash memory storage, its code can’t be deleted even after all the other files on the drive have been wiped, according to a story by Wired.
The worst part of all this is the USB drive can’t be patched, say the two researchers who made the discovery. Karsten Nohl and Jakob Lell spent months reverse-engineering a USB drive’s basic firmware, altering the controller chips allowing USB drives to communicate with a PC through a USB port and to transfer files between the PC and USB drive. That means cleaning a USB through scanning and deleting files doesn’t deal with the firmware itself. They’ll be presenting their findings next week during Black Hat, a security conference in Las Vegas.
Nor is this discovery limited to just USB drives – any USB device can have its firmware reprogrammed, and that includes keyboards, mice, and smartphones. That means the list of possibilities is endless, with a hacker using this technique being able to replace software with corrupted versions, to type commands, to siphon traffic off to other servers, or to spy on communications from one machine to another.
Given what Nohl and Lell have found, what does this mean for consumers using USB drives? Essentially, we’ll have to approach their use in a whole different way – almost like hypodermic needles, Nohl told Wired. Any time users connect a USB drive to their desktops, they’ll need to be mindful of who gave it to them, and whether that person is trustworthy, which takes away from the convenience of using the drive.
The alternative would be to convince USB device makers the threat is real – but in the meantime, USB drive users will just have to pay attention to how they’re using them.