You may recall that three months ago, we advised you not to panic over BadUSB, a prominent thumb-drive vulnerability that had no obvious solution and against which there was no easy defense. We still maintain that stance, but you should probably know that the BadUSB situation just got worse: It can affect almost any thumb drive available on the market.
The information comes by way of Berlin-based Security Research Labs. Karsten Nohl, Sascha Krisser and Jakob Lell gave an extensive presentation about BadUSB vulnerabilities during the PacSec 2014 security conference in Tokyo last week. While not every stick is vulnerable to BadUSB, it's almost impossible to tell which ones are, as manufacturers switch part suppliers all the time.
For those who need a refresher, BadUSB is a vulnerability that would not only allow malware infection of PCs, but could "redefine" any class of USB device into any other — a thumb drive could present itself to the PC, and behave, as a keyboard, smartphone or camera, for example. This would obviously be a problem for everyday consumers, but a catastrophe for governmental or financial institutions.
You can check out the Security Research Labs presentation for the technical details, but basically, each thumb drive has two components: a mass-storage memory chip and a controller processor, which runs embedded software, or firmware. The mass storage is where you keep documents and videos and whatnot, but the firmware is what makes the stick compatible with other electronics. BadUSB exists because some controller chips will accept compatible firmware updates from any source.
The good news is that since controller firmware rarely needs to be updated, many manufacturers lock it down by default. The bad news is that some manufacturers don't. The thumb-drive industry is a promiscuous one. Companies that make USB sticks will often purchase the cheapest components, regardless of manufacturer; whether or not the firmware can be updated is irrelevant.
Both component suppliers and everyday users can take proactive measures against BadUSB. Manufacturers can lock down firmware during production, making BadUSB difficult or impossible to implement. Users can also keep their USB drives to themselves and trusted, tech-savvy friends and family members.
One final thing to keep in mind is that exploits of BadUSB have so far been only proof-of-concept attacks, and Nohl and his colleagues have not released enough technical information for others to replicate them. Nonetheless, a separate group of researchers released code last month that demonstrated how to attack a vulnerability that sounds very much like BadUSB.
While it's possible that malicious hackers are trying to recreate BadUSB exploits even as we speak, none have ever been spotted in the wild. (Such attacks would be hard to detect.) Security researchers are still trying to find ways to address the BadUSB flaw before attacks leveraging it ever get out of the gate.
In the meantime, keep your USB sticks close — and your firmware closer.
- Blackphone Review: All-Encompassing Security
- 13 Security and Privacy Tips for the Truly Paranoid
- Malvertising Is Here: How to Protect Yourself