Computer users normally pass around USB thumb drives much like silicon business cards these days and although we know they could carry malware and virus’ on these devices, we depend on antivirus scans and the occasional reformatting or deleting of these devices to keep our thumb drives from becoming the carrier for the next digital epidemic.
But the badUSB security flaw affecting most USB devices seems to run deeper than initially thought: revealed at a Black Hat cybersecurity conference this summer several security experts were able to demonstrate how their malware can infect the firmware of a USB device: such as a USB mouse or keyboard for instance – something you would always have connected to your computer, re-program it so as to do the hackers bidding. That could be anything from recording all of your keystrokes, monitoring the websites you go to, or installing additional malicious software onto your computer. The worse part about this security flaw is that this can go completely undetectable for any malware or anti-virus program.
Firmware is usually found on all USB devices and it is a layer of software that allows the device to talk and work with your computer. So, when you plug in a USB device, say a mouse, it will use it’s firmware to talk to the computer telling it what it is and what it can do. Normally for most USB devices in stores these days, the firmware is set at the manufacturing plant it comes from and normally does not get changed or updated. And so, malware or virus scanners, up to this point, don’t normally have the capabilities or access to the low level firmware functions found on USB devices.
So the malware software created by these security experts, called BadUSB, can alter the firmware on any USB device without actually getting detected by any antivirus scanner and therefore demonstrating at the moment, that it is nearly impossible to prevent this security hack without actually disabling all of your USB ports on a computer.
At the moment, these security experts have released their BadUSB software code to the public (it is hard to tell at the moment if that was a good or bad t thing) in hopes that others will find a solution. In addition, they seem to be close to narrowing down the companies who’s USB devices are vulnerable so people can stay away from purchasing them.
So, if this security flaw in all USB devices has you worried there are some measures you could reside to. For instance, using wireless Bluetooth devices to replace your USB mouse and keyboard, and purchasing Wi-Fi enabled printers instead of USB ones might be an option in the interim. Also, an alternative to using USB thumb drives might be using cloud storage like Dropbox or OneDrive. Until there is a fix, one must be inclined to treat USB devices (especially thumb drives) like hypodermic needles that can’t be shared among users.
So, with that in mind, Twitter seems to have the most updated information on this latest security threat and if you go to twitter.com/hashtag/badusb
you can keep abreast of any new developments.
Leave a Reply