USB Has a Fundamental Security Flaw That You Can't Detect

We all rely on USB to interconnect our digital lives, but new research first reported by Wired reveals that there's a fundamental security flaw in the very way that the humble Universal Serial Bus functions, and it could be exploited to wreak havoc on any computer.

Wired reports that security researchers Karsten Nohl and Jakob Lell have reverse engineered the firmware that controls the basic communication functions of USB. Not only that, they've also written a piece of malware, called BadUSB, that can "be installed on a USB device to completely take over a PC, invisibly alter files installed from the memory stick, or even redirect the user's internet traffic."

Embedded within USB devices—from thumb drives through keyboards to smartphones—is a controller chip which allows the device and the computer it's connected to to send information back and forth. It's this that Nohl and Lell have targeted, which means their malware doesn't sit in flash memory, but rather is hidden away in firmware, undeletable by all but the most technically knowledgeable. Lell explained to Wired:

"You can give it to your IT security people, they scan it, delete some files, and give it back to you telling you it's 'clean'... [But these] problems can't be patched. We're exploiting the very way that USB is designed."

The kicker is that it's virtually impossible to check whether a device's firmware has been tampered with, and even if it were possible, there's no single trusted version of it to check against. It's also worth pointing out that it can travel both ways: a USB stick could infect a computer with its malware, say, and the PC could then infect any USB device plugged into it.

So it's fairly worrying that the pair of researchers have demonstrated—and will present at the upcoming Black Hat security conference in Las Vegas—that the flaw can be exploited on thumb drives, mice, keyboards and even an Android smartphone. (It should, in theory, work on any USB device that can have its firmware reprogrammed.) Some of Wired's sources even speculate that the hack could already be in use by the NSA.

That's a lot of bad news—so what can you do about it? Technically speaking, very little: there's no patch of code that can be used to solve the problem. Instead, both the USB Implementers Forum and the researchers point out that a change in the way we use USB is the only solution: don't plug a USB device into any computer you don't 100 percent trust, and don't plug an untrusted USB device into your computer either. That may prove inconvenient—but it may also save you from a very nasty surprise. [Wired]
