BadUSB Exploit Can Hack Any USB-Based Device – Undetectable and Unfixable

Most of us rely on USB for digital communication between different computers worldwide. A new exploit has revealed a very serious vulnerability in the way Universal Serial Bus devices work, and in the wrong hands it could wreak havoc on just about every computer there is.

Security researchers Karsten Nohl and Jakob Lell have reverse engineered the firmware that controls the basic communication functions of USB. In doing so, they’ve also written a piece of malware, called BadUSB, that can “be installed on a USB device to completely take over a PC, invisibly alter files installed from the memory stick, or even redirect the user’s internet traffic.”

The things that can be done using the exploit seem to be endless. An example: a USB device could emulate a USB-connected keyboard and automatically send over all sorts of keystrokes that, when combined, could lead to various issues – installing malware, wiping key files off a drive, copying files over to the USB device, etc.
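A host only learns that a device can type from the interface classes the device declares when it enumerates. The following is an added example, not code from the researchers or from this article, that audits those declarations for devices announcing a boot keyboard interface; the names `audit`, `read_sysfs`, `SAMPLE` and the approved-keyboard list are assumptions introduced here, and the sample records are constructed.

```python
"""Flag USB devices whose declared interfaces include a boot keyboard.

Added example: inputs are constructed records shaped like the Linux sysfs
attributes bInterfaceClass / bInterfaceSubClass / bInterfaceProtocol.
"""
from pathlib import Path

HID, MASS_STORAGE = 0x03, 0x08            # USB-IF base class codes
BOOT_SUBCLASS, KEYBOARD_PROTOCOL = 0x01, 0x01

# Constructed sample: device name -> [(class, subclass, protocol), ...]
SAMPLE = {
    "1-1 (desk keyboard)": [(0x03, 0x01, 0x01)],
    "1-2 (plain flash drive)": [(0x08, 0x06, 0x50)],
    "1-3 (drive that is also a keyboard)": [(0x08, 0x06, 0x50), (0x03, 0x01, 0x01)],
}

def is_keyboard(iface):
    return iface == (HID, BOOT_SUBCLASS, KEYBOARD_PROTOCOL)

def audit(devices, approved_keyboards=()):
    """Return {device: reason} for devices that can type but are not approved."""
    findings = {}
    for name, ifaces in devices.items():
        if not any(is_keyboard(i) for i in ifaces) or name in approved_keyboards:
            continue
        if any(cls == MASS_STORAGE for cls, _, _ in ifaces):
            findings[name] = "storage device also declares a keyboard interface"
        else:
            findings[name] = "keyboard not on the approved list"
    return findings

def read_sysfs(root="/sys/bus/usb/devices"):
    """Collect the same records on a live Linux host (interface dirs contain ':')."""
    devices = {}
    for path in Path(root).glob("*:*"):
        try:
            triple = tuple(int((path / attr).read_text(), 16) for attr in
                           ("bInterfaceClass", "bInterfaceSubClass", "bInterfaceProtocol"))
        except (OSError, ValueError):
            continue  # interface vanished or attribute unreadable
        devices.setdefault(path.name.split(":")[0], []).append(triple)
    return devices

if __name__ == "__main__":
    approved = {"1-1 (desk keyboard)"}
    for dev, reason in audit(SAMPLE, approved_keyboards=approved).items():
        print(f"{dev}: {reason}")
```

This reports only what a device declares to the host, so it says nothing about whether the firmware behind the declaration has been altered. HID keyboards that do not use the boot subclass are not matched by this check.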

Worse, it doesn’t appear that there are any effective ways to prevent (or clean) an attack launched by the corrupted firmware of any USB-connected device.

There is virtually no way to check whether a device’s firmware has been tampered with, and even if you do find signs of tampering, there’s no single trusted version of the firmware to check against. The exploit can also travel both ways: a USB stick could infect a computer with its malware, say, and the PC could then infect any USB device plugged into it.

“To make matters worse, cleanup after an incident is hard: Simply reinstalling the operating system – the standard response to otherwise ineradicable malware – does not address BadUSB infections at their root. The USB thumb drive, from which the operating system is reinstalled, may already be infected, as may the hardwired webcam or other USB components inside the computer. A BadUSB device may even have replaced the computer’s BIOS – again by emulating a keyboard and unlocking a hidden file on the USB thumb drive.”

The solution? There isn’t one. The only thing you can do at this time is to not connect your USB devices to computers you don’t trust, and not connect untrusted USB devices to your own computer. Who knows what might happen?

The two researchers will demonstrate their findings at this year’s Black Hat conference in Las Vegas on 7th August. If there’s anything important and previously unknown announced during their keynote, we’ll update this article.

Until then, beware of untrusted USBs!

13 comments

  1. Does BadUSB need a USB drive to spread or can it be disseminated by embedding it in other, benign software?

    • BadUSB currently exploits a Universal Serial Bus’s firmware. Meaning, anything that uses USB ports, such as keyboards, mouses, and other accessories, can be targeted. The whole issue lies in the fact that the actual firmware is targeted instead of any data, and there’s no current control check for it.

      • You missed the point of my question. I understand that BadUSB affects any device using a USB port. However, can BadUSB malware code itself be embedded in some innocuous piece of software such as a browser extension or a game or a LibreOffice update to be delivered/installed when that piece of software is executed?

  2. Since virtually every inexpensive USB device (mouse, keyboard, camera, etc.) is produced off-shore, isn’t it highly likely that a majority of USB devices could already contain malware? If this is undetectable, then basically all current protection measures that we commonly use are irrelevant.

    • Exactly. There’s no current way to know how many devices are infected, and no current control version to check it against.

    • This seems to be OS agnostic, as it appears to affect a USB device’s firmware. Scary as it sounds, I don’t think running Linux will help in this situation.

      • Switching to another OS isn’t likely to lessen the chances of your device being infected.

  3. “Security researchers Karsten Nohl and Jakob Lell have reverse engineered the firmware that controls the basic communication functions of USB. Doing so, they’ve also written a piece of malware, called BadUSB, that can “be installed on a USB device to completely take over a PC, invisibly alter files installed from the memory stick, or even redirect the user’s internet traffic.””

    What I take from this:
    — Does this mean that BADUSB is not actually out there in the wild, only the vulnerability is?
    — Given open-source’s approach to dealing with this sort of vulnerability vs proprietary, I’ll stay with open-source, thanks. They’ll fix it and put it into the Linux kernel while the other mob are still nutting out how best to tackle the job, mark my words.

    • There’s no idea at this time whether BadUSB is out there in the wild or not. As mentioned in the article, there’s no current control version to check devices against; at this point in time, every one of the billions of devices that rely on USB for connection could be infected.

      • “There’s no idea at this time whether BadUSB is out there in the wild or not.”

        Well, one would hope the malware creators – in this case security researchers Karsten Nohl and Jakob Lell – would have taken care to not let their little creation go walk-about, don’t you think? After all, *they* have “reverse-engineered the firmware that controls the basic communication functions of USB” and have “also written a piece of malware, called BadUSB”.
        And then, published this accomplishment on public media.

        Subsequently letting this go viral would have just the slightest hint of carelessness about it, don’t you think?

        However, the vulnerability? That’s another matter altogether: one I’m quite certain the open-source community are gearing up to deal with, as they have with so many other vulnerabilities… quickly and definitively.

  4. I think the gist of this is that any external (or internal) plug and play device can spoof plug and play information and provide it to the firmware when queried. Some USB Flash Controller chips can have their firmware updated. Most, however, are OTP; USB flash drives are usually considered disposable. I did not find any firmware updates for the mouses, kbds, webcams, USB-video, and USB-serial cables we are currently using. However, several standalone cameras do have firmware updates, as do external hard drives, high end USB-network, USB-video adapters, and phones/media devices. Firewire also supports input devices, so should also be a target. An “invisible keyboard” or “invisible system bios flash” attack would require some foreknowledge of the system being attacked, an obvious advantage to minority operating systems like Linux. At one time the USB 1.0 spec (rem USB 1.1 was the public release) included automatic driver install as a convenience; and the original MP3 standard allowed for an automatic codec update link in the music file, which has since been disabled by most media player software.

  5. A $3 USB wireless adapter I bought at Fry’s had only a radio and a USB-to-SPI chip. “Unknown device” until software driver was installed. The $30 USB-to-VGA adapter uses a chipset for which the manufacturer specs don’t indicate the option for a firmware update. A Cisco adapter does offer a firmware update; a “name brand” USB Flash drive (with known data loss issues) had a firmware update to fix the problem but apparently once it was “bricked” that was it.
