Research Compares USB devices to Dirty Needles – What now?
New research from a pair of independent security pros has proven that USB firmware can be reverse engineered to act as malware. That means that the hard-coded instructions that tell your flash drive how to operate can be altered to behave maliciously. It’s not just flash drives, though. It’s anything that uses the USB protocol, like mice and keyboards and public phone charging stations and printers.
In their proof-of-concept hell spawn, white hat researchers Karsten Nohl and Jakob Lell achieved complete control of a test computer by reprogramming a USB memory stick to be recognized as a USB-connected keyboard instead. From there, it was merely a matter of telling the memory stick to act like a keyboard and issue malicious commands. Quite fittingly, the researchers have named their creation BadUSB.
BadUSB was made possible by the fact that USB firmware does not implement code signing, meaning it can be updated and altered by uncertified sources – like hackers.
For users, this now means that essentially all USB technology is vulnerable, and it’s not just a one-way street. In theory, malware can now also be created to infect the PC, spread to a connected USB device and transform that device’s firmware into malware.
Sound freaky? Some reports are suggesting that this type of thing has been done by the NSA for years. With public disclosure, it is now only a matter of time before attacks go mainstream.
In the meantime, we’d suggest saying no the next time someone wants to share files unprotected.
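An added example, not from the researchers or the original article: a heuristic check over USB enumeration records that flags a memory stick which also, or later, presents itself as a keyboard-class (HID) device, as described above. The record layout, function name and sample IDs are assumptions constructed for illustration; only the interface class codes (0x08 mass storage, 0x03 HID) come from the USB specification.

```python
# Added example: heuristic review of USB enumeration records (constructed data).
MASS_STORAGE = 0x08  # bInterfaceClass: Mass Storage
HID = 0x03           # bInterfaceClass: Human Interface Device (keyboards, mice)


def review_enumerations(events):
    """Flag storage devices that also, or later, present a HID interface.

    events: ordered list of dicts with vid, pid, serial and interfaces, where
    interfaces is a list of (class, subclass, protocol) descriptor triples.
    Returns a list of (event_index, reason).
    """
    seen = {}      # (vid, pid, serial) -> interface classes seen so far
    findings = []
    for index, ev in enumerate(events):
        ident = (ev["vid"], ev["pid"], ev["serial"])
        classes = {iface[0] for iface in ev["interfaces"]}
        earlier = seen.setdefault(ident, set())
        if HID in classes and MASS_STORAGE in classes:
            findings.append((index, "storage and HID on one device"))
        elif HID in classes and MASS_STORAGE in earlier:
            findings.append((index, "known storage device re-enumerated as HID"))
        earlier.update(classes)
    return findings


# Constructed sample records; the IDs and serials are placeholders.
SAMPLE_EVENTS = [
    {"vid": 0x1111, "pid": 0x0001, "serial": "KB-1",
     "interfaces": [(0x03, 0x01, 0x01)]},              # ordinary boot keyboard
    {"vid": 0x2222, "pid": 0x0002, "serial": "FD-7",
     "interfaces": [(0x08, 0x06, 0x50)]},              # flash drive, bulk-only SCSI
    {"vid": 0x2222, "pid": 0x0002, "serial": "FD-7",
     "interfaces": [(0x03, 0x01, 0x01)]},              # same stick, now a keyboard
    {"vid": 0x3333, "pid": 0x0003, "serial": "FD-9",
     "interfaces": [(0x08, 0x06, 0x50), (0x03, 0x01, 0x01)]},  # both at once
]

if __name__ == "__main__":
    for index, reason in review_enumerations(SAMPLE_EVENTS):
        print(f"event {index}: {reason}")
```

Because the firmware controls every descriptor it reports, a reprogrammed device can also change its IDs and serial, and some legitimate products expose both classes, so treat a hit as one signal to investigate rather than proof.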
For complete coverage, see the original article at Wired.