Are USB Devices About to Provide the Next Big Malware Scare?

Scott Calonico

2014 is shaping up to be the year when everyone becomes truly scared of technology.

It seems that not a week goes by without a new story about compromised security or privacy. The latest story really is a rather scary one, and one that relates to one of the humblest of technical items, the USB interface.

Wired magazine has revealed that researchers have found a flaw in the core architecture of the USB bus that can allow the firmware of USB devices to be infected with malware that is practically undetectable and impossible to clean.

According to the Wired report, the malware, for now nicknamed “BadUSB” could do all of the following things:

  • Take control of a connected PC.
  • Modify device DNS settings.
  • Add new files or change existing ones.

Most worryingly of all, due to ubiquity of the USB interface, the malware could be carried by anything from USB keyboards to mobile devices (such as smartphones) and memory keys.

As things stand, the exploit is technically unpatchable, according to Karsten Nohl, one of the researchers, who said “we're exploiting the very way that USB is designed.”

As the malware sits on the firmware of a USB device, erasing the device, even by means of formatting a USB memory stick, for example, would not remove the threat.

Furthermore, the virus could theoretically spread very easily, effectively being passed from the firmware of one USB device to the firmware of another connected device.  According the researchers, all USB devices are potentially vulnerable.

What to do?

Many companies already use solutions to lock down USB ports to prevent the spread of viruses, or the unauthorised copying of data.

The researchers in this case seem to suggest that soon people may have to take this further, and essentially assume that every USB device is potentially compromised as soon as it’s been connected to any machine that could be considered “untrusted.”

What seems unclear at this point is whether hackers have already made use of this vulnerability. The report is certainly enough to make security-conscious users a little more cautious of their use of USB devices.

One thing that’s for sure is that cyber criminals must, right now, being doing their best to replicate the findings of the researchers, with a view to using the vulnerability for personal gain.

USB devices have just become the latest technical thing to be that bit more wary of…