The common USB stick has become the most common way of sharing and storing files on-the-go. With this in mind, a variety of malware and viruses were created in an attempt to take control of computers who do not have any security measures installed, such as antivirus software. Other means of ‘cleaning’ an USB drive would be to format its content, leading to every file being deleted along with any malware and virus program that might be present on the drive.
However, two security researchers state that security problems with USB drives run deeper than expected. They state that the “risk isn’t just in what they carry, it’s built into the core of how they work.” This is why security researchers Karsten Nohl and Jakob Lell plan to present a proof-of-concept malicious software by the name of BadUSB which is stated to highlight that USB devices have long been fundamentally broken.
BadUSB can be installed on a USB device to completely take over a PC silently, alter files and even redirect the user’s internet traffic. The malware is said to be installed on the flash drive’s firmware and not the memory, which means that the code can remain hidden long after the flash memory has been erased. Also, the researchers state that there is no easy fix for the vulnerability. They say that the USB stick needs to be blocked from sharing its content with the system or, plainly said, the USB drive needs to be physically removed to stop the infection.
“You can give it to your IT security people, they scan it, delete some files, and give it back to you telling you it’s ‘clean,’” says Nohl. But unless the IT guy has the reverse engineering skills to find and analyze that firmware, “the cleaning process doesn’t even touch the files we’re talking about.”
It is said that the vulnerability is not limited to USB drives. All sort of USB devices, spanning from keyboards to smartphones and even cameras can have their firmware reprogrammed with the malware in question. The researchers have stated that they used the BadUSB program on an Android device, having a “grab bag of evil tricks” happening as a result. Nohl and Lell tell that it replaced software being installed with a corrupted or backdoored version and even impersonated a USB keyboard that suddenly started typing commands.
The researchers tell that the infection can travel both from a computer to the USB and the other way around. Matt Blaze, a computer science professor from the University of Pennsylvania, is also aware of the shallow security veil that USB drives present. He also speculates that the NSA could have made a common practice out of infecting USB devices using this approach.
Matt points to a spying device by the name of ‘Cottonmouth’, which has been revealed in one of Edward Snowden’s leaks. The device, which hid in a USB peripheral plug, was advertised in a collection of NSA internal documents as surreptitiously installing malware on a target’s machine. However, the exact mechanism for that USB attack wasn’t described.