By Paul Hirsch, Citon Senior Network Engineer
At the recent Black Hat security conference in July, a pair of security researchers from Germany unveiled a new type of attack they dubbed “BadUSB.” USB thumb drives have long been used to carry viruses and malware, but this new type of attack takes things to a whole new level.
By reprogramming the firmware (the software programmed into the USB device itself), an attacker can perform all sorts of nasty things without being detected by antivirus or the usual security measures.
For example, a USB printer could be programmed to also pretend it is a USB keyboard. When the victim plugs in the printer, it would issue a set of keystrokes to download and install malware, taking over the victim’s machine. From the perspective of the machine, it would look like the user had plugged in a second keyboard and typed the commands themselves. Fake hard drives, fake network cards and all sorts of other fake devices could be flashed into just about any USB device.
The big deal with BadUSB is persistence. An infected USB keyboard, mouse, thumb drive, camera, cellphone, etc. can reinfect over and over. Reloading the computer won’t fix it. Buying a new computer won’t fix it. It’s enough to make a person paranoid.
Last week, code was released on the Internet for BadUSB, making it a very real threat to anything with a USB port. (In other words, just about every computing device in use on the planet.) The security community has started to respond with an array of defenses, but because this involves vulnerabilities in physical hardware, this problem will be with us for a long time.
There are two things you can do now to reduce the risk:
- Don’t connect USB devices to your computer(s) unless they come from a trusted source.
- Don’t log in as a user with local administrative rights to your computer(s).
Neither of the above prevents BadUSB attacks completely. They only reduce the chances of connecting a device with BadUSB firmware and reduce the damage a BadUSB device can do once connected.
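The printer-that-is-also-a-keyboard case described above can be audited on a Linux machine by listing which USB devices expose a keyboard interface next to some other interface class. The script below is an added example, not part of the original article or the researchers' code; it assumes the Linux sysfs layout under /sys/bus/usb/devices, and its function names and sample device tree are constructed for illustration. It is a heuristic: legitimate combination devices will be flagged too, and a device that presents only a keyboard interface will not be.

```python
import os
import tempfile

KEYBOARD = ("03", "01", "01")   # USB HID class, boot subclass, keyboard protocol
CLASS_NAMES = {"07": "printer", "08": "mass storage", "09": "hub"}
FIELDS = ("bInterfaceClass", "bInterfaceSubClass", "bInterfaceProtocol")

def _read(path):
    try:
        with open(path) as f:
            return f.read().strip().lower()
    except OSError:
        return ""

def scan(root="/sys/bus/usb/devices"):
    """Return {device: [(class, subclass, protocol), ...]} from a sysfs-style tree."""
    devices = {}
    for entry in sorted(os.listdir(root)):
        if ":" not in entry:      # interface directories look like "1-2:1.0"
            continue
        triple = tuple(_read(os.path.join(root, entry, name)) for name in FIELDS)
        devices.setdefault(entry.split(":")[0], []).append(triple)
    return devices

def suspicious(devices):
    """Flag devices that expose a keyboard interface alongside a non-HID interface."""
    hits = {}
    for dev, ifaces in devices.items():
        others = sorted({cls for cls, _, _ in ifaces if cls != "03"})
        if KEYBOARD in ifaces and others:
            hits[dev] = [CLASS_NAMES.get(c, "class " + c) for c in others]
    return hits

def build_sample(root):
    """Constructed sample tree (not real hardware): a printer that also claims to be
    a keyboard, an ordinary keyboard, and an ordinary thumb drive."""
    sample = {"1-1:1.0": ("07", "01", "02"), "1-1:1.1": ("03", "01", "01"),
              "1-2:1.0": ("03", "01", "01"), "1-3:1.0": ("08", "06", "50")}
    for name, values in sample.items():
        os.makedirs(os.path.join(root, name))
        for fname, value in zip(FIELDS, values):
            with open(os.path.join(root, name, fname), "w") as f:
                f.write(value + "\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(suspicious(scan(tmp)))
```

On a real machine, call `suspicious(scan())` with no argument to read the live device tree, and compare the result against the devices you expect to be plugged in.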
Worried about BadUSB or security in general? Contact Citon for help.
- Wired Article on BadUSB Code Release – http://www.wired.com/2014/10/code-published-for-unfixable-usb-attack/
- Video of the BlackHat 2014 technical presentation of BadUSB – https://www.youtube.com/watch?v=nuruzFqMgIw