Computer users pass around USB sticks like silicon business cards. Although we know they often carry malware infections, we depend on antivirus scans and the occasional reformatting to keep our thumbdrives from becoming the carrier for the next digital epidemic. But the security problems with USB devices run deeper than you think: Their risk isn’t just in what they carry, it’s built into the core of how they work.
That’s the takeaway from findings security researchers Karsten Nohl and Jakob Lell plan to present next week, demonstrating a collection of proof-of-concept malicious software that highlights how the security of USB devices has long been fundamentally broken. The malware they created, called BadUSB, can be installed on a USB device to completely take over a PC, invisibly alter files installed from the memory stick, or even redirect the user’s internet traffic. Because BadUSB resides not in the flash memory storage of USB devices, but in the firmware that controls their basic functions, the attack code can remain hidden long after the contents of the device’s memory would appear to the average user to be deleted. And the two researchers say there’s no easy fix: The kind of compromise they’re demonstrating is nearly impossible to counter without banning the sharing of USB devices or filling your port with superglue.
“These problems can’t be patched,” says Nohl, who will join Lell in presenting the research at the Black Hat security conference in Las Vegas. “We’re exploiting the very way that USB is designed.”
The short-term solution to BadUSB isn’t a technical patch so much as a fundamental change in how we use USB gadgets. To avoid the attack, all you have to do is not connect your USB device to computers you don’t own or don’t have good reason to trust—and don’t plug untrusted USB devices into your own computer. But Nohl admits that makes the convenient slices of storage we all carry in our pockets, among many other devices, significantly less useful. “In this new way of thinking, you can’t trust a USB just because its storage doesn’t contain a virus. Trust must come from the fact that no one malicious has ever touched it,” says Nohl. “You have to consider a USB infected and throw it away as soon as it touches a non-trusted computer. And that’s incompatible with how we use USB devices right now.”
As a tech, I carry a flash drive with me 24/7. I am consistently checking and cleaning the device, so I don't become the Typhoid Mary of the 21st century. I have been known to destroy one, and throw it in the trash, if I find anything more than a piece of malware on it.
And despite this being true since the inception of the USB storage device, nothing has started on fire yet.
If you're really concerned, enable write protection on your flash drive.
I doubt that "write protection" would do anything to prevent the firmware from being overwritten. It would protect the storage, not the firmware.
What's somewhat scary to me is that anything can be used -- if you take an extra USB mouse with you on a tech call and have to use it, it can be used to infect any computer that you subsequently use the mouse on. In a sense, it's a bit like the AIDS virus, when the PSAs were "when you sleep with someone, you're sleeping with all of their previous partners"… when you use a mouse, if any computer it was ever plugged into had this malware, you're going to get it, too.
originally posted by: gspat
The only firmware I thought that could be re-written was a computer BIOS, and that's because it's usually on an EEPROM rather than hard coded on a chip.
That's what I find strange in this article, they talk about any USB device, but I doubt they use rewritable chips on USB mouses or keyboards or even thumbdrives (or whatever they are called), as that would result in a higher cost.
How can you fix this?
Get an Anti-Virus.
originally posted by: adjensen
They do. As an example, here's a Microsoft article on how to update the firmware of one of their USB mice: How to update firmware and software for the Habu Laser Gaming Mouse. Here's an article explaining how to update the firmware in a USB headset: Plantronics DSP headset Firmware Update procedure Instructions. And directions for updating the firmware in a USB game controller: Heres How To Update Your Xbox One Controller Firmware.
I don't know that every single USB device has updatable firmware, but I haven't found any that don't.
When you think about it, your belief that it would be more expensive is probably exactly the opposite -- if a bug is found in the code running on a USB device, it's a lot cheaper to issue a firmware upgrade than it would be to recall all of those devices in order to replace a faulty chip.
For the technically inclined, here are the technical specifications of how to write a program that updates USB firmware: Universal Serial Bus Device Class Specification for Device Firmware Upgrade
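Related to the DFU specification linked above, an added example (not part of the original thread) of a defender-side check: it parses a USB configuration descriptor and reports whether the device advertises the standard Device Firmware Upgrade interface and what it claims to allow. The sample bytes and function names are constructed for illustration; a device with no DFU interface may still be updatable through a vendor's own tool, so an empty result is not proof of fixed firmware.

```python
import struct

DFU_CLASS, DFU_SUBCLASS = 0xFE, 0x01         # Application Specific / DFU
DT_INTERFACE, DT_DFU_FUNCTIONAL = 0x04, 0x21  # 0x21 is also used by HID
DFU_ATTRS = {0x01: "can_download", 0x02: "can_upload",
             0x04: "manifestation_tolerant", 0x08: "will_detach"}

# Constructed sample: a composite mouse that also exposes a DFU runtime interface.
SAMPLE = bytes.fromhex(
    "09 02 34 00 02 01 00 a0 32"   # configuration, wTotalLength = 52
    "09 04 00 00 01 03 01 02 00"   # interface 0: HID boot mouse
    "09 21 11 01 00 01 22 34 00"   # HID descriptor (same type byte as DFU)
    "07 05 81 03 04 00 0a"         # interrupt IN endpoint
    "09 04 01 00 00 fe 01 01 00"   # interface 1: DFU, runtime protocol
    "09 21 0b ff 00 00 04 10 01"   # DFU functional: attrs 0x0b, xfer 1024
)

def walk_descriptors(blob):
    """Yield (bDescriptorType, raw bytes) for each descriptor in the blob."""
    off = 0
    while off < len(blob):
        length = blob[off]
        if length < 2 or off + length > len(blob):
            raise ValueError(f"malformed descriptor at offset {off}")
        yield blob[off + 1], blob[off:off + length]
        off += length

def find_dfu(blob):
    """Return one dict per DFU interface advertised in a config descriptor."""
    found, current = [], None
    for dtype, raw in walk_descriptors(blob):
        if dtype == DT_INTERFACE and len(raw) >= 9:
            num, cls, sub, proto = raw[2], raw[5], raw[6], raw[7]
            current = None  # class-specific descriptors belong to this interface
            if (cls, sub) == (DFU_CLASS, DFU_SUBCLASS):
                current = {"interface": num, "attributes": [],
                           "mode": "dfu" if proto == 2 else "runtime"}
                found.append(current)
        elif dtype == DT_DFU_FUNCTIONAL and current is not None and len(raw) >= 7:
            attrs, _detach_ms, xfer = struct.unpack_from("<BHH", raw, 2)
            current["attributes"] = [n for b, n in DFU_ATTRS.items() if attrs & b]
            current["transfer_size"] = xfer
    return found

if __name__ == "__main__":
    print(find_dfu(SAMPLE))
```

On Linux the raw bytes for a real device can be read from `/sys/bus/usb/devices/<bus-port>/descriptors`, skipping the first 18 bytes (the device descriptor) before passing the rest to `find_dfu`.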