This past August, we reported on a new vulnerability with USB firmware called BadUSB. This vulnerability was discovered by Karsten Nohl of SR Labs. The BadUSB vulnerability was presented at the Black Hat security conference as a theoretical risk, but now, the code has leaked and this risk has become a reality. Oops.

This is pretty grim news because it essentially means that every USB device is at risk. When you stop and consider how dependent we’ve all become on USB technology, it becomes a fairly overwhelming risk that we’re all facing. How exactly does BadUSB put your device at risk? To answer this, let’s revisit our blog article from this past August.

They came to the conclusion that the USB software is fundamentally broken and can be exploited by hackers. This is a major find because they’re saying that it’s the firmware used in every USB device that is flawed, which is separate from the flash memory the device uses to do what it’s designed to do.

To bring attention to this USB vulnerability, the two researchers created a malware called BadUSB. This malware has the potential to compromise an entire PC if it’s installed on a USB drive. This malware can alter files, manipulate Internet browsing, and more, all without being detected! BadUSB is able to bypass detection measures from security protocols such as antivirus scans by embedding itself within the firmware that controls the functions of the USB device. Therefore, even if the device’s flash memory storage were deleted, it wouldn’t erase the BadUSB malware.

Essentially, once a device becomes infected with BadUSB, the malware is on there for good and it can’t be fixed. A simple patch won’t do the trick. The problem lies within the physical device itself, and fixing it would take rewriting the code of the USB device.

Then there’s this word of warning that we issued last month. This is one of those rare times where it doesn’t feel good to be right:

If this malware were to be used by hackers and become widely distributed, then the only way to counter BadUSB would be to stop using USB devices altogether.

Herein lies the core of the problem with BadUSB: even though the original discoverer of the vulnerability made it a point to not release the code, it has still somehow leaked and USB devices around the world are now vulnerable. The hackers responsible for the leak are Adam Caudill and Brandon Wilson. At the DerbyCon conference, they spoke of how they successfully reverse-engineered the firmware, and in order to escalate the risk, they went ahead and publicly posted the code to GitHub.

Why in the world would a hacker do such a dastardly deed? Do they enjoy watching the world burn? Are they anarchists who want to see society crumble? Not so much. These hackers are actually concerned about digital security, so they publicly released the code as a way to challenge the USB device manufacturers to step up their game and come up with a fix. Caudill explains his actions to WIRED magazine:

If the only people who can do this are those with significant budgets, the manufacturers will never do anything about it. You have to prove to the world that it’s practical, that anyone can do it… That puts pressure on the manufacturers to fix the real issue.

Basically, if USB manufacturers don’t act and secure their USB firmware, then all of our PCs and smartphones can be turned into reprogrammable computers. According to the BadUSB malware’s architect Karsten Nohl, a fix that redesigns the USB would take ten years to implement due to the widespread use of USB technology. All of this makes BadUSB a very scary costume choice for your office’s upcoming Halloween party.

How do you prevent your device from becoming infected with the BadUSB malware? The answer is to be extra careful about what you plug into your USB port.

  • Only allow trusted USB devices to connect to your PC.
  • When using your USB device in public, don’t give hackers a chance to upload the malware by leaving your device unattended.
  • From here on out, if you’ve got a chance to avoid USB technology, then do so.

Whether or not you agree with Caudill’s and Wilson’s actions to release the BadUSB code, the reality of the situation is that your data is now less safe today than it was back in August. For more tips on how to protect your technology from new threats such as this, call Net It On, LLC at (732) 360-2999.

October 13, 2014
Directive