Security researchers at Security Research Labs in Berlin have found a fundamental flaw (dubbed BadUSB) in USB devices that allows any compromised USB device to take over your computer. There are no known effective defenses against this variety of USB attack and solutions are estimated to be months and even years away.
The vulnerability arises because USB controllers can have their firmware easily reprogrammed so that they announce themselves as a different device type, a versality that has made USB extremely popular. However, benign devices can also be reprogrammed to turn malicious:
- A device can emulate a keyboard and issue commands on behalf of the logged-in user, for example to exfiltrate files or install malware. Such malware, in turn, can infect the controller chips of other USB devices connected to the computer.
- The device can also spoof a network card and change the computer’s DNS setting to redirect traffic.
- A modified thumb drive or external hard disk can – when it detects that the computer is starting up – boot a small virus, which infects the computer’s operating system prior to boot.
With billions of USB devices out there, we could be facing a serious security situation of enormous proportion. And, don’t expect an immediate fix anytime soon. Your only protection: practice safe
sex USB use: only plug in USB devices that you 100% trust into your computer; and, do not plug your USB device into another computer. Sound advice.
Editor’s note: This might or might not become the serious threat that SR Labs describe. But after they have presented their proof-of-concept, I guess any one who wants to will be able (and have the know-how) to exploit this vulnerability. Will this mean that even out-of-the-box USB devices from unreliable sources could be already compromised? Hopefully, the USB Implementers Forum (USB IF, the USB standards body) gets together soon to propose a quick solution.