Are you sitting down? Good. ‘Cause I’ve got some really bad, scary news to share with you: Every single device plugged into a USB port on your computer could pose a threat worse than any malware we’ve ever seen.
Yes, it’s as bad as it sounds.
Two researchers for the security consultancy SR Labs, Karsten Nohl and Jakob Lell, have discovered that USB devices, such as the ubiquitous thumb drive or even a USB keyboard or mouse, can have their firmware reprogrammed by malicious software to deliver virtually any kind of attack once they’re connected to a computer’s USB port.
You might be tempted to think that if you’re running the latest anti-virus software from McAfee or Norton you’re safe from such USB-based malware. But you aren’t.
“No effective defenses from USB attacks are known. Malware scanners cannot access the firmware running on USB devices,” say the pair in their brief on the SR Labs site.
The problem arises from the fact that traditional anti-virus software is designed to look at the file contents of an attached drive. In other words, if you can see a file on a USB key with Windows Explorer or the Mac OS Finder, your anti-virus software can scan it even if it’s “hidden.”
But that’s not where Nohl and Lell, who have managed to reverse engineer the fundamental firmware for USB devices, have hidden their nasty code. They’ve found a way to re-write the firmware — that’s the code that tells a PC what to do when the device is plugged in. Anti-virus software simply can’t (currently) access this part of a USB device.
What could a USB device that has been compromised in such a way do to your computer? Anything.
In an interview with Wired, Nohl describes it this way: “It can do whatever you can do with a keyboard, which is basically everything a computer does.”
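An added illustration, not code from SR Labs or from this article: a file scanner can't read a device's firmware, but the host does see which interface types a device declares when it is plugged in. This Python script for Linux reads those declarations from sysfs and flags a device that announces both storage and keyboard-type (HID) interfaces, or that declares interface types missing from an earlier snapshot; the `review` function and the baseline format are assumptions made for this example.

```python
import os

HID, MASS_STORAGE = 0x03, 0x08  # USB-IF interface class codes

def _read(path):
    with open(path) as fh:
        return fh.read().strip()

def declared_classes(sysfs_root="/sys/bus/usb/devices"):
    """Return {"vid:pid@port": {interface classes}} as each device reports them.
    Every value here is self-reported by the device; firmware is never read."""
    result = {}
    if not os.path.isdir(sysfs_root):
        return result
    for entry in sorted(os.listdir(sysfs_root)):
        if ":" not in entry:          # interface entries look like "1-2:1.0"
            continue
        port = entry.split(":", 1)[0]
        dev_dir = os.path.join(sysfs_root, port)
        try:
            key = "%s:%s@%s" % (_read(os.path.join(dev_dir, "idVendor")),
                                _read(os.path.join(dev_dir, "idProduct")), port)
            cls = int(_read(os.path.join(sysfs_root, entry, "bInterfaceClass")), 16)
        except (OSError, ValueError):
            continue                  # root hub, unplugged mid-scan, or odd entry
        result.setdefault(key, set()).add(cls)
    return result

def review(devices, baseline=None):
    """Flag devices whose declared interfaces deserve a second look.
    baseline (hypothetical format): an earlier declared_classes() result."""
    findings = []
    for key, classes in sorted(devices.items()):
        if HID in classes and MASS_STORAGE in classes:
            findings.append((key, "declares both storage and HID interfaces"))
        # Devices absent from the baseline are not compared.
        new = classes - (baseline or {}).get(key, classes)
        if new:
            findings.append((key, "interface classes not in baseline: "
                             + ", ".join("0x%02x" % c for c in sorted(new))))
    return findings

if __name__ == "__main__":
    for key, reason in review(declared_classes()):
        print(key, "-", reason)
```

A clean result only means nothing unusual was declared at scan time; the vendor and product IDs used as keys are reported by the device itself and can be changed by its firmware.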
Perhaps the most disturbing part of what Nohl and Lell have dubbed the “BadUSB” exploit is that it can pass from USB device to PC and then from PC to USB device completely untraced and invisible. “You can give it to your IT security people, they scan it, delete some files, and give it back to you telling you it’s ‘clean,’” Nohl told Wired.
Because of this, if Nohl and Lell are correct, there is simply no way to trust a USB device that has ever been plugged into another PC — that is, of course, assuming your machine hasn’t already been infected.
Worse still, if someone can get a compromised version of the firmware onto your device at the factory level, you wouldn’t even be able to trust a product fresh from its packaging. This has already happened with traditional file-level malware.
The two researchers are scheduled to present their findings next month at the Black Hat security conference in Las Vegas.
If they successfully convince manufacturers and security experts that the threat is real, it could result in a massive re-architecting of the USB standard for improved security against such an exploit. Until then, Nohl and Lell say they will be careful with whom they share the technical components of their discovery.
It’s worth noting that Nohl and Lell’s exploit has not yet been independently verified and could still be debunked by security experts once they’ve had a chance to analyze the pair’s findings.