Business

Why you can no longer trust any USB device plugged into your PC

Image Credit: Lighthunter/Shutterstock

Are you sitting down? Good. ‘Cause I’ve got some really bad, scary news to share with you: Every single device plugged into a USB port on your computer could pose a threat worse than any malware we’ve ever seen.

Yes, it’s as bad as it sounds.

Two researchers for the security consultancy SR Labs, Karsten Nohl and Jakob Lell, have discovered that USB devices such as the ubiquitous thumb-drive or even a USB keyboard or mouse, can have its firmware reprogrammed by malicious software to deliver virtually any kind of attack once it’s connected to a computer’s USB port.

You might be tempted to think that if you’re running the latest anti-virus software from McAffee or Norton you’re safe from such USB-based malware. But you aren’t.

“No effective defenses from USB attacks are known. Malware scanners cannot access the firmware running on USB devices,” say the pair in their brief on the SR Labs site.

The problem arises from the fact that traditional anti-virus software is designed to look at the file contents of an attached drive. In other words, if you can see a file on a USB key with Windows Explorer or the Mac OS Finder, your anti-virus software can scan it even if it’s “hidden.”

But that’s not where Nohl and Lell, who have managed to reverse engineer the fundamental firmware for USB devices, have hidden their nasty code. They’ve found a way to re-write the firmware — that’s the code that tells a PC what to do when the device is plugged in. Anti-virus software simply can’t (currently) access this part of a USB device.

What could a USB device that has been compromised in such a way do to your computer? Anything.

In an interview with Wired, Nohl describes it this way: “It can do whatever you can do with a keyboard, which is basically everything a computer does.”

Perhaps the most disturbing part of what Nohl and Lell have dubbed the “BadUSB” exploit is that it can pass from USB device to PC and then from PC to USB device completely untraced and invisible. “You can give it to your IT security people, they scan it, delete some files, and give it back to you telling you it’s ‘clean,’” Nohl told Wired.

Because of this, if Nohl and Lell are correct, there is simply no way to trust a USB device that has ever been plugged into another PC — that is, of course, assuming your machine hasn’t already been infected.

Worse still, if someone can get a compromised version of the firmware onto your device at the factory level, you wouldn’t even be able to trust a product fresh from its packaging. This has already happened with traditional file-level malware.

The two researchers are scheduled to present their findings next month at the Black Hat security conference in Las Vegas.

If they successfully convince manufacturer and security experts that the threat is real, it could result in a massive re-architecting of the USB standard for improved security against such an exploit. Until then, Nohl and Lell say they will be careful with whom they share the technical components of their discovery.

It’s worth noting that Nohl and Lell’s exploit has not yet been independently verified and could still be debunked by security experts once they’ve had a chance to analyze the pair’s findings.


Mobile developer or publisher? VentureBeat is studying mobile app analytics. Fill out our 5-minute survey, and we'll share the data with you.
22 comments
Js Watt
Js Watt

"no longer" as if there hasn't been an issue the whole time.

Steve Kerney
Steve Kerney

Agreed, the only people that should be worried by this are the ones who buy USB drives from Chinese websites or eBay in bulk. Malicious USB firmware can pretty much only be plausibly inserted at the factory/manufacturing level...

Vitaliy Yanko
Vitaliy Yanko

USB Vaccine apps are live for 5+ years, as well as HIPS software. Not so scary...

Klancy Kennedy
Klancy Kennedy

There is a big difference between running lines of code and being able to emulation keyboard or mouse movements. What they said in the interview is mighty sketchy. I.e. don't panic, you're still safe. It is plausible, however that someone could create a device that would operate blindly by emulating a mouse moving to the corner of the screen to hit your start button, then key out a few commands, maybe blindly navigate around to click 'yes' on a window that confirms authority for a program or process to act, which would then download a real virus that can actually do something substantial. It's a long, convoluted, highly implausible way to attack someone.

John Borgen
John Borgen

 So....before we all start throwing away our USB devices maybe we should wait until the findings are corroborated. Seriously, this is one pair of programmers and their findings haven't been verified yet. No reason to panic, just remain vigilant. If the threat is real there's no evidence that it's been exploited yet.

Jim Meyer
Jim Meyer

This has been an issue forever as you can make a usb drive look like a HID Device (Human Interfaced Device) ie a keyboard which then can self type and run a program on the drive. EASY!

Jeff Perkowitz
Jeff Perkowitz

This is why it's important to buy from reputable stores like Amazon, or direct from Apple, Dell, etc.. Buying a phone on Ebay that is shipped from Hong Kong can lead to all sorts of issues.

Bryan Lamb
Bryan Lamb

"It’s worth noting that Nohl and Lell’s exploit has not yet been independently verified and could still be debunked by security experts" -- so why don't you hire a security expert and do this before publishing that the sky is falling? Otherwise... publishing this is about as bad as blindly forwarding an email chain letter to all your friends without first checking it out on Snopes.

Tim Dick
Tim Dick

This has been known since at least 2004. It is how the US / Israeli Stuxnet attack virus was propagated into Iran and how China has made exploits in the US. It is why many government PCs have no USB jacks or they are epoxied-shut. https://en.wikipedia.org/wiki/Stuxnet

Stephanie Holmes
Stephanie Holmes

Will it ever end? Everything we do and use is plagued with the potential for fraud. I am an honest person trying to make my way. Feeling frustrated.

Bob Fraser
Bob Fraser

@Chuco Montoya yes, excuse me while I use my "cloud keyboard" and "cloud mouse" ...this article is not about usb drives that you can store regular files on. it's about devices that you attach that have firmware that is altered.

Da Hacker
Da Hacker

The keyboard emulator does not have to move the pointer. Simply emulate pressing Windows key-R  ... then type the name of the program on the usb stick... or regedit... etc.