Why the Security of USB Is Fundamentally Broken

by Andy Greenberg, Wired News

Computer users pass around USB sticks like silicon business cards. Although we know they often carry malware infections, we depend on antivirus scans and the occasional reformatting to keep our thumbdrives from becoming the carrier for the next digital epidemic. But the security problems with USB devices run deeper than you think: Their risk isn’t just in what they carry, it’s built into the core of how they work.

At this week’s Black Hat security conference, SR Labs security researchers Karsten Nohl and Jakob Lell will present a new proof-of-concept malware that exploits a fundamental flaw in the USB format. Called BadUSB, the malware lives in the firmware of a USB device, where it is virtually undetectable and can freely manipulate files, redirect Internet traffic, issue commands as a USB keyboard, and invisibly spread from USB device to computer to USB device.

BadUSB exploits the fact that USB firmware is not subject to code-signing restrictions and that there is no trusted reference firmware against which potentially infected devices could be compared, making it almost impossible to detect. The researchers suspect a leaked NSA program to spread malware using USB devices likely worked on similar principles.

Such a fundamental flaw raises the question of whether any USB device can be trusted. Nohl says until fundamental changes are made to USB firmware, USB devices should be treated like hypodermic needles: used once and thrown away, never to be shared.

Nohl and Lell are presenting their research on BadUSB at the Black Hat conference, but are unsure how much, if any, of the malware they will release publicly. Nohl says he is torn between the need to galvanize manufacturers into making changes to eliminate the vulnerability, and the serious threat the malware could pose in the wild.

DCL:  See also “Why your washing machine is a security risk” by Mark Ward, BBC News.
