USB has just become BadUSB


Last month I wrote how BYOD can have serious security implications for businesses. A more serious security threat has now come on the horizon and it has come from the most unlikely of places, USB. Security researchers, Karsten Nohl & Jakob Lell from Security Research Labs in Berlin have discovered a major flaw in USB that could potentially affect billions of USB devices worldwide and they have dubbed it BadUSB.

Karsten &Jakob have developed several proof-of-concept attacks that they plan to present at the Black Hat security conference in Las Vegas next week. Although BadUSB at the moment is just theoretical, it is an accident waiting to happen.

What is BadUSB?

BadUSB works on the principle that every USB device has a controller chip that controls the USB connection to other devices. USB devices include mice, keyboards, external hard disks, DVD players, smartphones and printers. In fact all modern office equipment are USB devices. Security Research Labs have revealed that these controller chips have firmware that can be reprogrammed to do anything and that this reprogramming is virtually impossible to detect.

What could happen?

A nightmare scenario is about to unfold and there may be no immediate cure. USB Memory sticks could be reprogrammed so that they can spread malware, masquerade as another device or even rewrite the firmware of other attached USB devices. If a mass storage device is reprogrammed so that it masquerades as a network controller, all of your network communications get redirected to the device. Network communications includes websites, emails and passwords. This means that this flaw can take down most of the world’s devices.

How can we protect ourselves?

The only way we can protect ourselves is by only using USB devices that we trust. Once your USB memory stick has been used in more than one device then it’s safe to assume that it has been compromised. Also since most computers can’t be kept 100% malware free, your computer can infect your own USB devices without you knowing.

As all desktop computers use USB mice and keyboards, how can we guarantee that they have not been compromised? Any antivirus and antimalware software that we have can’t detect any changes in firmware. So maybe the only real way of protecting ourselves is to either not use USB devices or have each USB port on your computer designated to only take a certain device. Since all modern computer peripherals use USB to connect then not using USB devices will be hard to do. If by chance your computer has PS2 ports then you could start using PS2 keyboards and mice.

Also if you want to share data between computers start using memory cards like SD cards as all modern laptops have built in card readers

What do we do in the meantime?

Make sure that only USB devices you trust are used.
Make sure that any computers you use have less chance of downloading malware on to any USB sticks that you have.
Make sure that the preview pane on your email is not on as it reads your email and download files to your computer.
Keep an eye on this blog and the news for updates on BadUSB which will be appearing after next week’s Black Hat security conference in Las Vegas.