A pair of security researchers recently discovered a major vulnerability present in nearly every USB-connected device. Karsten Nohl and Jakob Lell created the BadUSB malware as a proof-of-concept virus that they are presenting at the Black Hat security conference in Las Vegas this week. According to the duo, the malware shows that malicious software attacks on the firmware of USB devices can remain undetected for long periods of time through the use of reformatting techniques that enslave devices including smartphones, keyboards, mice and thumb drives.
Nohl and Lell discovered the vulnerability when they realized that the controller chips used in common USB devices aren't protected against malicious reprogramming. The firmware of a thumb drive can be reprogrammed to make it execute malicious commands without a user knowing anything is wrong, meaning that the BadUSB malware won't just infect a user's computer, but any device the USB device is plugged into. Most people don't realize that connecting a USB device to a computer is more complicated than simply allowing a connection. It opens a portal that allows connected devices to have nearly unlimited access to hardware and software, creating a major security concern.
When plugged into an infected computer, Android smartphones can be exploited and turned into compromised network cards, fooling the computer into visiting malicious pages that pose as popular sites like Facebook and Google. An infected device could also impersonate a keyboard and type commands that could lead to a variety of issues, including installing more malware and deleting important files from a hard drive. BadUSB is embedded directly into the firmware of USB devices, making it nearly impossible for an average user to remove the malware from the device. Extreme measures would have to be taken to fully disinfect the firmware, such as disassembling and reverse-engineering a compromised device.
"The next time you have a virus on your computer, you pretty much have to assume your peripherals are infected, and computers of other people who connected to those peripherals are infected," said Nohl.
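The impersonation described above is visible in the interface classes a device announces to the host, so one defensive check is to compare those classes against a recorded baseline. The following is an added example, not code from the researchers; the device labels and baseline are constructed, and the check only sees what a device announces, not its firmware.

```python
import glob
import os

# USB-IF base class codes as reported in bInterfaceClass
NAMES = {0x02: "CDC (comms/network)", 0x03: "HID (keyboard/mouse)",
         0x06: "still image", 0x08: "mass storage",
         0x0A: "CDC data", 0xE0: "wireless/RNDIS"}
INPUT_OR_NET = {0x02, 0x03, 0x0A, 0xE0}

def read_sysfs(root="/sys/bus/usb/devices"):
    """Linux only: map each device path to the interface classes it announces."""
    seen = {}
    for path in glob.glob(os.path.join(root, "*:*", "bInterfaceClass")):
        dev = os.path.basename(os.path.dirname(path)).split(":")[0]
        with open(path) as fh:
            seen.setdefault(dev, set()).add(int(fh.read().strip(), 16))
    return seen

def audit(seen, baseline):
    """Compare announced classes with a recorded baseline; return findings."""
    findings = []
    for dev, classes in sorted(seen.items()):
        if dev not in baseline:
            findings.append((dev, "device not in baseline"))
        else:
            for c in sorted(classes - baseline[dev]):
                findings.append(
                    (dev, "new interface since baseline: " + NAMES.get(c, hex(c))))
        # A drive that also presents input or network functions deserves review.
        if 0x08 in classes and classes & INPUT_OR_NET:
            findings.append((dev, "storage combined with input or network interface"))
    return findings

# Constructed sample data (hypothetical labels, not real captures).
SAMPLE_BASELINE = {"thumb-drive": {0x08}, "keyboard": {0x03}, "phone": {0x06}}
SAMPLE_SEEN = {"thumb-drive": {0x08, 0x03}, "keyboard": {0x03},
               "phone": {0xE0, 0x0A}}

if __name__ == "__main__":
    for dev, msg in audit(SAMPLE_SEEN, SAMPLE_BASELINE):
        print(f"{dev}: {msg}")
```

On a live Linux host, `read_sysfs()` supplies the `seen` mapping keyed by bus path; a device that announces only a keyboard interface from the start will pass this check, so it complements rather than replaces restricting which devices may be attached.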
No help in sight
Unfortunately, there don't seem to be any effective ways of preventing a BadUSB-type attack, or removing the malware from an infected device. The anti-virus software used by most companies can't scan the firmware of a device and the firewalls of USBs aren't able to block devices with this kind of infection, according to the researchers. The malicious software associated with BadUSB can infiltrate a computer's embedded USB devices or compromise the PC's basic input-output system inside the motherboard, meaning it can't be removed simply by reformatting a hard drive or reinstalling an operating system.
According to Nohl and Lell, the best way to protect systems in the short term is to use only thumb drives and other USB-connected devices that have been used only in a secure environment, and to never connect a device to an unknown computer or share it with an unknown user.
"If you put anything into your USB [slot], it extends a lot of trust," Nohl said. "Whatever it is, there could always be some code running in that device that runs maliciously. Every time anybody connects a USB device to your computer, you fully trust them with your computer. It's the equivalent of [saying] 'here's my computer; I'm going to walk away for 10 minutes. Please don't do anything evil.' "
Alternatives to USB
This new vulnerability poses a major problem for enterprises that share files between employees on thumb drives. It's a convenient method for collaboration, but one that can create drastic cybersecurity issues. One way to avoid falling victim to a BadUSB infection is to utilize cloud storage services. Enterprises that keep documents in the cloud can offer employees easy access to files while still ensuring security. Cloud storage allows documents to be accessed from anywhere with an Internet connection without having to connect a strange device and expose a system to malicious activity.