Most of us rely on USBs for digital communication between different computers worldwide. A recent new exploit has revealed a very, very serious vulnerability in the way universal serial buses work, and if it falls in the wrong hands, it can very much wreak havoc on about every computer there is.
Security researchers Karsten Nohl and Jakob Lell have reverse engineered the firmware that controls the basic communication functions of USB. Doing so, they’ve also written a piece of malware, called BadUSB, that can “be installed on a USB device to completely take over a PC, invisibly alter files installed from the memory stick, or even redirect the user’s internet traffic.”
The things that can be done using the exploit seem to be endless. An example: a USB device could emulate a USB-connected keyboard and automatically send over all sorts of keystrokes that, when combined, could lead to various issues – installing malware, wiping key files off a drive, copying files over to the USB device, etc.
Worse, it doesn’t appear that there are any effective ways to prevent (or clean) an attack launched by the corrupted firmware of any USB-connected device.
There is virtually no way to check whether a device’s firmware has been tampered with, and if you do find any, there’s no single-trusted version of it to check against. The exploit can also travel both ways: a USB stick could infect a computer with its malware, say, and the PC could then infect any USB device plugged into it.
“To make matters worse, cleanup after an incident is hard: Simply reinstalling the operating system – the standard response to otherwise ineradicable malware – does not address BadUSB infections at their root. The USB thumb drive, from which the operating system is reinstalled, may already be infected, as may the hardwired webcam or other USB components inside the computer. A BadUSB device may even have replaced the computer’s BIOS – again by emulating a keyboard and unlocking a hidden file on the USB thumb drive.”
The solution? There isn’t one. The only thing that you can do at this time is to NOT connect USB devices to computers you don’t trust, or don’t connect untrusted USBs to your computer. Who knows what might happen?
The security researcher pair will demonstrate their findings at this year’s Black Hat conference in Las Vegas on 7th August. If there’s anything important and previously unknown announced during their keynote, we’ll update this article.
Until then, beware of untrusted USBs!