New malware exploits USB, but isn't really that scary

Another day, another apocalyptic prognostication of computer security doom, this time focusing on the omnipresent USB connection. It's called 'BadUSB', and it's a malware proof-of-concept created by security researchers Karsten Nohl and Jakob Lell that exploits a flaw in and resides in the firmware that controls the basic function of USB devices. The researchers claim that it's not a problem that can be patched, saying that they're "exploiting the very way that USB is designed," but in the end all they've done is highlight that you shouldn't go around plugging USB drives, devices, or whatnot that you don't trust into your computer.

There are a lot easier ways to hack most any computer, especially when this method requires achieving physical access. As we've said many times before, once you've lost physical control of your device, all bets are off. This is just one more way, although it's exploiting something that we take for granted these days.

Because the BadUSB code lives in the USB firmware of the device, it's not something that can be easily purged from a device. Wiping or reformatting a USB drive doesn't touch the USB firmware, so the malware would still be present. BadUSB could allow any connected computer to be exploited over that connection, with Nohl and Lell offering more traditional exploits from there such as replacing files on the computer with additional malware, acting as a virtual keyboard to execute commands on the computer, or hijacking and spying on internet traffic.

BadUSB is also self-propagating: it can copy itself onto a computer and reprogram the USB firmware of other attached USB devices. It can even reside in non-storage devices, such as smartphones and mice.

While we doubt that this is in fact an impossible-to-patch exploit — certainly, patching the USB firmware on computers to prevent such access seems like a possibility, and very few would likely go through the effort of patching their flash drives — in the meantime it poses a theoretical challenge for users.

But it all boils down to this: Don't plug anything you don't trust into your computer, your smartphone, or your tablet. That's pretty much common sense, though, so just think before you plug your phone into a random computer to charge, or you accept a USB drive from a stranger. Be smart about what you plug into your computer, and (far more importantly) keep your eyes open for the online threats that are coming at you every day in the real world.

Source: Wired

 

Reader comments

'BadUSB' malware highlights the danger of plugging random mystery drives into your computer

62 Comments

More traditional USB malware used to spread like a common cold around my university campus' computers until they tightened security. I imagine having it in USB firmware wouldn't be very different, can one device actually attack a computer and then subsequently attack the firmware of another USB device tho?

That part didn't seem clear... If you have to physically/manually hack into the firmware it seems like a relatively tame threat over what's already out there, but if not, it's gonna spread across public access computers like wildfire. (since people can't just run AV on the drives at home to clean them up)

Only on windows. And once microsoft turn off autorun by default the problem largely went away.

I sincerely doubt there is enough storage, let alone processing power, in a mouse or keyboard such that an off the shelf keyboard or mouse could be simply reprogrammed to be a threat. Mice and keyboards do not have the ability to run programs on the host, or access the system bus. They simply send data when asked. And your mouse driver isn't going to dutifully run some executable code sent to it by your mouse.

Your camera, some thumb drives, smartphones, tablets, printers, fear them.

DARN!! Came here to acknowledge that was a palm pre usb plug as well. I barely stopped using that charger about a month ago. Miss you old friend (RIP PALMela < --- My pre's name)

I came to say the same ! webOS was better than every other OS. Only issue with software was the lack of apps. It was fast and buttery smooth on the webOS 2,x devices.

Posted via Android Central App

I loved the fact I could tell instantly which side of the plug was which at a glance. I used that plug for long after Pré+ died... but lost it at some point.

Still got my touchstone mounted on my dash, as a reminder.

This is exactly what brought me to the comments section as well. I feel like other Android (to say nothing of other platforms) is still catching up to some of the functionality that was core to the UX of WebOS.

I'm a little late to the party but I was also going to say the same thing! I had to finally give up my WebOS days just a few weeks ago after water damaging my Pre+ and my Pre2 just not working like it should. I too still have my USB cord and actually use it to power my MotoX! Still got the WebOS in my DNA!

Same here, I picked up several of the charging adapters and cords when they went super cheap on Amazon. Great quality accessories.

Posted via Android Central App

I couldn't figure out why that plug hit me with a wave of sad nostalgia until you posted this.

I miss Palm so much. :(

Lol I noticed that too. I still have a bunch of them.. Perfect phone chargers, the little chrome dimple allows me to plug it in right side up every time.

I still use the Palm USB cable in my car every day! They made the tip just the right size! Those were the good ol days of WebOS.

Count me in, came here to comment on the plug. I use several palm usb cords. The little dimple is actually really nice for using when you can't see so you can orient the plug correctly.

I also still use my Touchpad (in spirit) running Android. Had to activate my sprint pre for a few weeks too when my nexus died last month... Talk about nostalgia...

Posted via Android Central App

I'm trying to find out more information as to how this vulnerability works exactly. I use Ubuntu Linux exclusively for personal (and work, often) use, and I can't really visualize how this would work. I mean, there are various ways to run program (as far as I can tell. I'm not an expert by any stretch of the imagination) I can:

go to the program file and make it executable (using chmod)
download the .deb and run it

Actions that require me to elevate my privileges (by running sudo and providing my password).

Unless they found a way to run programs directly on the USB that somehow listens to traffic or something, I really can't visualize how this could affect Linux computers, or OsX for that matter (although OsX tends to be more 'user friendly')

Can someone point me to an information paper out there that talks about this?

I imagine that it mainly focuses on Windows users as most of these malware types do. However, I haven't done my research so don't quote me.

I also run Linux (Mageia). I think this stuff is mostly hype. I, too, tried to research it and it just says things like trying to run malware on a reboot or emulate a keyboard (why would that require firmware changes?)... like that is some new type of risk? I think they are just hiding a file outside of any filesystem and returning that when the user tries to access a file on a flash drive, but who knows.

There are very few details out yet (that I would find) that explain exactly what the deal is.

To infect a system the 1st step is to get the initial code executed -- a mal-ware file could sit there on your hard drive all day, all week, all year, & if nothing ever executed the code it contains, it'll just sit there, waiting, inert. That's why those spreading this stuff go to such lengths to get you to run their exploit's code.

USB is a way for all sorts of devices to communicate -- plug a USB device into a PC & it asks: "What are you?" What if the device lies? In a minor way that's what happens when you attach many cells/tablets to a PC via USB -- they might tell Windows: "I'm a storage device, just like a USB stick." A USB device could as easily say I'm a keyboard or mouse or printer etc., ultimately triggering code execution as the OS sets about getting the device to work.

The basic idea's been around for quite a while -- years ago I remember reading how you could make an early MP3 player act like storage so you could access your files, compromise the system or network, copy files to the player, & hopefully leave without anyone suspecting anything because it was just a MP3 player. Then when USB sticks came out they worked on figuring out how to get them bootable, playing with the firmware, & the bad guys were figuring out ways they could alter it for exploits even then.

Hey Nonexus, did you ever get to play with webOS? I ask because most of us, after seeing the palm cord, are crying here like a Native American on the side of the road that just saw someone litter.

Nope, I was all BlackBerry back then. Never had the opportunity.

Everyone raves about it, and I feel bad for how it died. Would have loved to get my hands on one

Posted via Android Central App

No worries, some of what we now take for granted in android and ios came from webOS. I was the odd ball to all my blackberry friends. ....so it goes.

Yeah I keep hearing that and give me a sad knowing that I missed out.

Blackberry wasn't my choice it was the company phone so I went with it. You know how it goes...

Posted via Android Central App

I do.....why I carry a work iPhone along with the note3, that still does 75% of my job without being supported like the ios.

I am glad my days of doing that is over. Now if I carry 2 (or 3!) phones around it is because I want to.

I hated carrying around 2 phones with a passion.

As always, the devil is in the details, but, if this thing can self-propagate from a USB device to a computer and then to another USB device, this is a VERY big deal, since, at that point, not only can you not plug an unknown USB device into your own computer, but you cannot plug your own USB device into an unknown computer. And if it propagates by rewriting firmware on a computer as opposed to placing files on the HDD, then you aren't safe if you boot from a live CD before you plug that device in.

And, the thing is, what constitutes an "unknown" device? If a manufacturer's equipment gets compromised, then you could have many infected devices shipping out in their nice little blister packs, just waiting for people to plug them in.

I'm not ready to panic, since there are more details to discover, but this could be a pretty serious issue. Only time will tell.

This is really nothing new. I remember reading an article several years back (like, more than 7) about a security company that was hired by a bank to look for potential vulnerabilities in their system. The next day, the company delivered a list of logins to the bank. They got them by scattering a bunch of cheap, infected USB drives around the parking lot. Human nature being what it is, a number of the bank employees found the drives and plugged them into their desktop to see what was on them.

Of course, this sort of issue will be a thing of the past, once our robot overlords finally take over. Or the zombies. Whoever's first.

Nothing new here *AND* it's not easy.
1. You need to know the controller type in the USB device.
2. If the firmware is flash-able (most is not) you will need to compromise the firmware of the device.
3. Now you have a device that can either use it's firmware to deliver another type of virus or do malicious things.

This will not allow you to infect another USB device at that level. Different controller, firmware not able to upgrade, etc.
You will be able to propagate regular virus type stuff.

This is NSA, CIA spy type stuff where you create a flash drive with firmware that bypasses login and starts to copy files or installs key loggers and such.... This is a sophisticated attack.

This is not going to be something that the common hacker or phisher uses.

Yeah, that's what it sounded like on the surface, dunno why it's big news all of a sudden. They're literally hacking a device first in order to do anything else with it, yeah it can be nastier than a regular USB device but unless someone infiltrates a whole production line of devices it's not a widespread threat.

Considering that many USB drives are made in China, and considering the power of the Chinese government, I don't think that gaining access to those production lines would be much of a problem.

Posted via Android Central App

So don't buy shady no name drives to save $5? The point is that while the drive itself would presumably be hard to clean, the malware it'd be distributing isn't anything new or exploiting any new vector beyond the way the drive is compromised... Easy to avoid and easy to repel even if you happen to come in contact with one.

It's not like it's a crippling blow to USB interoperability, unlike far worse vulnerabilities that have been found in recent years like that DNS mess a while ago or Heartbleed more recently.

It's a sophisticated attack, but the danger is that it's one that would be pretty difficult to counter. And, honestly, I don't trust the CIA or NSA any more than I trust the average malware writer. They're all pretty much morally bankrupt.

Posted via Android Central App

I have been using Ubuntu exclusively since 2009 and forget what virus and malware is. Plug in and out what I like. Mostly windows malware can not even read Linux Harddisk Format. Only the other way around, yes.