
Don't Panic Over the Latest USB Flaw

Source: Tom's Guide US

In 1979, Douglas Adams wrote the immortal guiding principle of The Hitchhiker's Guide to the Galaxy: DON'T PANIC. Computer users would be wise to heed those words regarding the BadUSB malware that made headlines yesterday by being able to compromise almost any computer. Yes, it's bad, but it's not as bad as you might think.

In case you missed it, BadUSB is malware that hides in the firmware of USB drives. Security researchers Karsten Nohl and Jakob Lell will present their full findings on the software, which they created, next week at the Black Hat USA security conference in Las Vegas.


Wired wrote that malware of this type could cause an "epidemic." Nohl told Reuters that BadUSB functioned like a "magic trick." Publications from ZDNet to VentureBeat predicted apocalyptic consequences for BadUSB.

But take a deep breath, because BadUSB is not likely to open the floodgates to a computing cataclysm — or, at least, not likely to open them any wider.

First things first: BadUSB is a proof-of-concept attack, designed by security researchers. They're not going to release it into the wild, and most malicious hackers (who lack both the resources and know-how to design something similar) would rather rely on tried-and-true phishing and malware attacks. These attacks are easy to avoid with a little common sense and even the most rudimentary antivirus software.

Furthermore, demonstrating something like BadUSB at a conference like Black Hat is basically an open invitation for the security community to fix this vulnerability before it becomes widespread. With some of the world's foremost researchers and hackers on the case, prophylactic and curative measures won't be too far behind.

Perhaps the most important point is that USB sticks compromising PCs is nothing new; it's actually the easiest way for malefactors to get ahold of your system. Any public computer is susceptible to sneaky USB-based malware (and, in fact, most hotel computers are just ripe for hacking). Even so, USB hacks are relatively uncommon, compared to online ones.

The reason is that USB attacks, even sophisticated ones like BadUSB, are extremely easy to prevent. If you own a private computer, you control who has access to it. If you buy a new USB stick, it will not come with any unwanted software. Simply use your judgment when accepting sticks from friends or third parties, and you're not likely to contract any malware.

Make no mistake: BadUSB is a fantastic proof-of-concept, and lays bare some serious problems with USB stick security. But, like anything else in the world of computing, you can avoid trouble using a little common sense.

Marshall Honorof is a Staff Writer for Tom's Guide. Contact him at mhonorof@tomsguide.com.

This thread is closed for comments
  • 0
    K-beam , August 1, 2014 10:36 AM
    "These attacks are easy to avoid with a little common sense and even the most rudimentary antivirus software."
    Unless it's a nasty rootkit. I just had one that had gotten through ZoneAlarm and AVG. Solution-reinstall.
  • -2
    ickibar1234 , August 1, 2014 1:58 PM
    Intriguing, a USB stick that can make the computer think it's a keyboard, maybe a mouse to control the computer.
  • -2
    phil42 , August 1, 2014 8:02 PM
    This is driving home the idea that these computers that we live our lives on are full of security holes and any or all of us could be the next target.
  • -1
    rollzroyce22 , August 4, 2014 8:33 AM
    The author does not seem to understand the impact of this. They have reverse engineered the firmware that controls the basic communication functions of USB... The Malware piece was in addition.
  • 0
    Kopy-Rite , August 5, 2014 12:47 PM
    This is far more theoretical -- and improbable -- than many are painting it to be.

    There are a half dozen popular USB controllers -- dozens more that are less popular. Each has its own models. SMI, Chipsbank, Alcor, Buildwin, and so on.

    They are paired with a HUGE variety of memory in a variety of configurations. Hynix, Samsung, Toshiba, Micron, and so on.

    You need to have the proper controller programming tool for the chip, and the proper database of memory chips.

    There is not some universal programming tool that would allow your computer to infect any USB inserted into it.
  • 0
    rcprimak , August 5, 2014 7:16 PM
    Kopy-Rite's post is verbatim the same post I've seen in five or six Comments Threads at other websites. I do hope you are right, whoever you really are.

    About the article:
    "If you buy a new USB stick, it will not come with any unwanted software."
    So, you never heard of the notorious Sony Rootkit?

    "With some of the world's foremost researchers and hackers on the case, prophylactic and curative measures won't be too far behind."
    Care to elaborate on what exactly these measures are? More to the point, if you don't even know what the measures are or could be, how can you be so sure they are not far behind?
    Again, I do hope you are right. But I see no evidence that the author of this article even has a basic understanding of the claimed exploit vector.