Two security researchers recently discovered that USB users need to worry not only about files infected with malware residing inside the drive, but also about infections directly built into the device’s firmware.
After months of reprogramming the firmware of thumb drives, researchers Jakob Lell and Karsten Nohl managed to create proof-of-concept (PoC) malware that can be installed on a USB device and is invisible once there, according to Wired.
The malware, dubbed BadUSB, can carry out a variety of malicious activities, including taking over a PC, hijacking a browser’s DNS settings, invisibly altering files installed from a memory stick, and impersonating a USB keyboard to type commands. If the thumb drive is connected to a smartphone, it can read a user’s communications and send them to a remote location.
Corrupted At The Core
Part of what makes this new malware so dangerous is that it resides in the USB device’s firmware, which controls the device’s basic functions. Because of this, the attack code can avoid detection long after it would appear to an average user that the device’s contents had been deleted.
BadUSB is not limited to thumb drives; it applies to any USB device. Smartphones, mice and keyboards all have USB firmware that can be reprogrammed. Anytime a USB stick is plugged into a computer, its firmware can be altered by malware on the PC, and infections can happen in the reverse direction as well. That creates a big problem for enterprise security because of the rate at which employees share information with thumb drives.
“We’ve all known that if you give me access to your USB port, I can do bad things to your computer,” University of Pennsylvania computer science professor Matt Blaze said in an interview with Wired. “What this appears to demonstrate is that it’s also possible to go the other direction, which suggests the threat of compromised USB devices is a very serious practical problem.”
USB Malware Easy to Spread
The research duo say the worst part isn’t that the malware can infect any USB device — it’s that reformatting won’t fix the problem. According to ZDNet, long-term fixes can be achieved by chipset manufacturers creating stronger firmware that can’t be easily modified, as well as security companies checking USB devices for changes to firmware that weren’t authorized.
In the short term, however, Lell and Nohl suggest only using thumb drives in highly secure environments. The pair liken thumb drives to hypodermic needles: trust only those that have been used inside one’s own personal environment, and dispose of any that have been in contact with unknown devices.
“In this new way of thinking, you can’t trust a USB just because its storage doesn’t contain a virus. Trust must come from the fact that no one malicious has ever touched it,” said Nohl. “You have to consider a USB infected and throw it away as soon as it touches a non-trusted computer. And that’s incompatible with how we use USB devices right now.”
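As an added illustration (not code from Lell and Nohl or from the article), the sketch below shows one endpoint-side check for the keyboard impersonation case described above: it compares the interface classes each device announces against what was recorded when the device was first trusted. The inventory line format, device IDs and serial numbers are constructed for the example; the class codes (0x03 HID, 0x08 mass storage) are the standard USB ones.

```python
from collections import defaultdict

HID, MASS_STORAGE = 0x03, 0x08   # standard USB base class codes
KEYBOARD = 0x01                  # HID interface protocol value for a keyboard

# Constructed sample inventories (hypothetical format):
# "vid:pid serial class/subclass/protocol", one line per interface, values in hex.
BASELINE = """\
1234:5678 SN0001 08/06/50
1234:9abc SN0002 03/01/02
"""
OBSERVED = """\
1234:5678 SN0001 08/06/50
1234:5678 SN0001 03/01/01
1234:9abc SN0002 03/01/02
1234:def0 SN0003 08/06/50
"""

def parse_inventory(text):
    """Return {(vid:pid, serial): {(class, subclass, protocol), ...}}."""
    devices = defaultdict(set)
    for line in text.splitlines():
        if not line.strip():
            continue
        ids, serial, triple = line.split()
        devices[(ids, serial)].add(tuple(int(x, 16) for x in triple.split("/")))
    return dict(devices)

def audit(baseline, observed):
    """Compare observed interfaces with the recorded baseline; return findings."""
    findings = []
    for dev, ifaces in sorted(observed.items()):
        classes = {c for c, _, _ in ifaces}
        keyboard = any(c == HID and p == KEYBOARD for c, _, p in ifaces)
        if dev not in baseline:
            findings.append((dev, "unknown-device"))      # never seen in a trusted state
        elif ifaces - baseline[dev]:
            findings.append((dev, "new-interface"))       # announces something it did not before
        if MASS_STORAGE in classes and keyboard:
            findings.append((dev, "storage-plus-keyboard"))  # a drive that also types
    return findings

if __name__ == "__main__":
    for dev, reason in audit(parse_inventory(BASELINE), parse_inventory(OBSERVED)):
        print(dev, reason)
```

Everything compared here is reported by the device itself, so a clean result does not show that the firmware is unmodified; the check only flags a device whose announced behaviour has changed.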