A pair of security researchers from SR Labs have uncovered a fundamental flaw in the way USB devices work. It affects every single USB device out there and worse yet, there’s no line of defense short of prohibiting USB stick sharing or filling your USB ports with superglue.
The flaw that security researchers Karsten Nohl and Jakob Lell plan to present next week at the Black Hat security conference in Las Vegas runs deeper than simply loading a USB drive with malware. Instead, it’s built into the core of how the technology works.
After spending several months reverse engineering the firmware that handles the basic communications functions of USB devices, they were able to reprogram the firmware to hide malicious code. This firmware is present on every USB device within the controller chip – the component that facilitates communication between the USB device and the computer it’s plugged in to.
By loading malicious code on the firmware, it’s essentially hidden from sight. Anti-virus scanners can’t pick it up and formatting won’t help, either.
To prove their point, the team created a piece of malware called BadUSB that can be used to completely take over a PC, alter files invisibly and even redirect a user’s Internet traffic.
And just to be clear, we aren’t talking about just USB flash drives but any device that connects via USB: keyboards, mice, smartphones, tablets, you name it. Worst yet, it’s nearly impossible to determine if a device has been tampered with. The researchers say there isn’t even any trusted USB firmware to compare code against.
Matt Blaze, a computer science professor at the University of Pennsylvania, speculates the attack may already be common practice for the NSA. He points to a spying device called Cottonmouth that was mentioned in one of Edward Snowden’s many leaks. Exact details of the device weren’t mentioned but the leak claimed the tool hid in a USB peripheral plug.