If you depend on a USB device to transfer files from one machine to another, you may want to start thinking about cloud storage. That’s because researchers have discovered a flaw in USB design specifications that could put your machines at risk.
According to SR Labs, a German security firm, the versatility of USBs are also their Achilles heel. Think about it for a minute. Almost any computer, from desktops to healthcare devices to storage, can connect using USBs.
“Since different device classes can plug into the same connectors, one type of device can turn into a more capable or malicious type without the user noticing,” SR Labs wrote in a blog post warning about what it is calling BadUSB. “To turn one device type into another, USB controller chips in peripherals need to be reprogrammed. Very widely spread USB controller chips, including those in thumb drives, have no protection from such reprogramming.”
The Really Bad News
Once reprogrammed, SR Labs warned, benign devices can turn malicious. The firm outlined three specific ways a good USB turns into a so-called BadUSB.
SR Labs warns a device can emulate a keyboard and issue commands on behalf of the logged-in user to enter files or install malware. In turn, the firm explains, such malware could infect the controller chips of other USB devices connected to the computer.
Alternatively, the device could also spoof a network card and change the computer’s DNS setting to redirect traffic. Or, the firm explained, a modified thumb drive or external hard disk can boot a small virus when it detects that the computer is starting up. That virus infects the computer’s operating system prior to boot.
If you think that’s bad news consider this: There’s no known defense. According to SR Labs, malware scanners can’t access the firmware running on USB devices. That, the firm continued, is because USB firewalls that block certain device classes do not exist. What’s more, behavioral detection is difficult because the behavior of a BadUSB device looks like a user has merely plugged in a new device.
And that’s not even the worst of it. SR Labs is also warning that clean up after an infection is a difficult task, in part, because reinstalling the operating system doesn’t address BadUSB infections at the root.
“The USB thumb drive, from which the operating system is reinstalled, may already be infected, as may the hardwired webcam or other USB components inside the computer,” the firm said. “A BadUSB device may even have replaced the computer’s BIOS -- again by emulating a keyboard and unlocking a hidden file on the USB thumb drive. Once infected, computers and their USB peripherals can never be trusted again.”
How To Protect Yourself
We turned to Paul Ducklin, a senior security advisor at Sophos, to get his take on BadUSB. He told us this has been a potential problem for years and the wheels aren't entirely coming off yet.
“The biggest risk right now with putting your USB into someone else's computer is that they could, if they wanted, scrape all the off it -- including stuff you thought you'd deleted -- while displaying your PPT file for the duration of your lecture, or whatever, and you'd simply never know,” Ducklin said.
“So if you want a USB security bridge to cross before sweating over this new, BlackHat-friendly one, [then] data leakage protection -- and/or device encryption -- are your first friends to make,” he added.