Ever used someone’s USB stick to share or transfer files? The answer is most probably ‘Yes’. Well, before you pass a memory stick around you have to think twice. This is because the security of USB has literally been broken!
In most cases people rely on antivirus and occasional reformatting to give them a sense of security but the problem with USB goes is bigger than that. It goes to the core of their design.
Next week security researchers Karsten Nohl and Jakob Lell are going to present findings that will demonstrate how the security of USB has long been compromised.
The two researchers created a malware which they called BadUSB that can be installed on any USB device. Once installed is will take over your computer altering files in your memory stick and even redirecting your internet traffic.
The attack code of the malware is hidden in the USB and even deleting the files in it or formatting it can not remove the code. This is because it does not reside in the flash memory but in the firmware that controls the basic functions of the USB.
This poses a great problem that is not easy to fix unless sharing of USB devices is completely banned. Another way would be to completely seal or destroy you USB ports.
“These problems can’t be patched. We’re exploiting the very way that USB is designed. In this new way of thinking, you have to consider a USB infected and throw it away as soon as it touches a non-trusted computer,” said Nohl.
Karsten Nohl and Jakob Lell will present their findings at the Black Hat security conference in Las Vegas next week.
They are not the first researchers to raise a red flag on the inherent risk in using USB devices. But they didn’t merely copy their own custom coded infections into USB devices, they spent months reverse engineering the firmware that runs the basic functions of USB devices.
Their finding is a shocker. The two found that USB firmware can be reprogrammed to hide an attack code. “You can give it to your IT security people, they scan it, delete some files, and give it back to you telling you it’s ‘clean, but unless the IT guys have the reverse engineering skills to find and analyze that firmware, the cleaning process doesn’t even touch the files we’re talking about,” said Nohl.
To make matters worse, this problem is not limited to USB stick only but it cuts across all manner of USB devices including mice, keyboards and even smartphones.
Any device that can be connected to a PC or any other gadget via USB is not safe. So even before you plug your Android into a PC think about the risk you are exposing it to.
The attack code can do all the bad things to you. It can replace the software your are trying to install with a corrupted one or one that has been pirated, it can impersonate a USB keyboard and start typing commands, it can hijack internet traffic and even spy on your communications and relay your messages to someone else.
To be safe you can start treating your USB as a hypodermic needle – no sharing!