Just When You Thought It Couldn’t Get Any Worse…BadUSB

If you haven’t already given up on trying to keep your network secure, you probably will after hearing about BadUSB. BadUSB is a vulnerability in almost all USB devices. It allows the firmware within them to be reprogrammed to do malicious deeds. Apparently, US intelligence agents have known about this for some time. According to one source, almost all Chinese-made USB devices have this vulnerability, so these American agents get their USB devices from only one American manufacturer.

Since this is in the firmware of the USB device itself, there is no fix a user can apply. The only fix can come from the manufacturers themselves. The fact that the firmware can be altered means that all input to a computer from a USB device can be controlled. The computer can be made to think, for example, that the USB stick is, in fact, a USB keyboard. It can then be manipulated as a keyboard, meaning that a malevolent user can enter any commands that one could enter from a keyboard and virtually take control of the computer. Once the malware is inserted into the USB device, it can infect the computer and, since the code is in the firmware, hide itself from antivirus software. It can later infect any new USB devices that are used. Since the malware hides in the code that makes the device operate as a USB device, deleting all files stored on it will not do any good.
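One way a defender can check for the keyboard impersonation described above is to read the interface classes a device reports at enumeration and flag anything a storage stick should not expose. The sketch below is an added example, not code from the original post or from the researchers; the function names and the sample descriptors are constructed for illustration. It only sees what the firmware chooses to report, so it catches a stick that announces itself as a keyboard, not firmware that misbehaves while staying in its expected class.

```python
import struct

# USB-IF class codes (bInterfaceClass) relevant to the keyboard-impersonation case.
HID, MASS_STORAGE = 0x03, 0x08
CLASS_NAMES = {HID: "HID", MASS_STORAGE: "mass storage"}

def interfaces(raw: bytes):
    """Yield (number, class, subclass, protocol) for each interface descriptor
    found in a raw USB configuration descriptor blob."""
    if len(raw) < 9 or raw[1] != 0x02:
        raise ValueError("not a configuration descriptor")
    total = struct.unpack_from("<H", raw, 2)[0]   # wTotalLength, little-endian
    if total > len(raw):
        raise ValueError("truncated descriptor")
    pos = 0
    while pos + 2 <= total:
        length, dtype = raw[pos], raw[pos + 1]
        if length < 2 or pos + length > total:
            raise ValueError("malformed descriptor length")
        if dtype == 0x04 and length >= 9:         # interface descriptor
            yield raw[pos + 2], raw[pos + 5], raw[pos + 6], raw[pos + 7]
        pos += length

def audit(raw: bytes, expected=frozenset({MASS_STORAGE})):
    """Return findings for interfaces a device of the expected kind should not expose."""
    findings = []
    for num, cls, sub, proto in interfaces(raw):
        if cls in expected:
            continue
        what = CLASS_NAMES.get(cls, f"class 0x{cls:02x}")
        if cls == HID and sub == 0x01 and proto == 0x01:
            what = "HID boot keyboard"
        findings.append(f"interface {num}: unexpected {what}")
    return findings

def config(*ifaces):
    """Build a constructed configuration descriptor from (class, sub, proto) tuples."""
    body = b"".join(bytes([9, 4, i, 0, 0, c, s, p, 0])
                    for i, (c, s, p) in enumerate(ifaces))
    header = bytes([9, 2]) + struct.pack("<H", 9 + len(body))
    return header + bytes([len(ifaces), 1, 0, 0x80, 50]) + body

# Constructed samples, not captures from a real device.
PLAIN_STICK = config((MASS_STORAGE, 0x06, 0x50))
STICK_PLUS_KEYBOARD = config((MASS_STORAGE, 0x06, 0x50), (HID, 0x01, 0x01))

if __name__ == "__main__":
    for name, blob in [("plain", PLAIN_STICK), ("composite", STICK_PLUS_KEYBOARD)]:
        print(name, audit(blob) or "ok")
```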

The vulnerability was initially revealed by Karsten Nohl at the Black Hat Conference in Las Vegas, but he did not release the code, in order to give manufacturers time to respond. Since they appeared to ignore it, researchers Adam Caudill and Brandon Wilson decided it was time to release the code, ostensibly to put pressure on the manufacturers. At the same time, however, they, in effect, gave the code to any hackers willing to take advantage of this exploit, leaving billions of computers around the world potentially vulnerable to attack. The pair rationalized this release by saying that governments or other funded agencies may already be using this exploit (see COTTONMOUTH). “You have to prove to the world that it’s practical, that anyone can do it…That puts pressure on the manufacturers to fix the real issue.”

Nohl believes that it may take years for manufacturers to iron out all the bugs in current USB devices. Even Caudill and Wilson aren’t convinced they are doing the right thing by releasing the code for one type of exploit. “There’s a tough balance between proving that it’s possible and making it easy for people to actually do it,” Caudill says. “There’s an ethical dilemma there. We want to make sure we’re on the right side of it.” With this dilemma in mind, they did not release other exploits that could be even more dangerous, but you can be sure others will.

Other experts think that the vulnerability is over-hyped. They agree that exploiting this vulnerability is possible, but say that certain conditions must exist on the compromised computer for this to occur. In order to protect yourself from such an attack, you can simply stop using USB sticks, especially ones that have come in contact with a computer that you don’t know anything about. However, for most people, this will not be a practical solution. If we find that attacks using this vector are, indeed, taking place, the use of USB devices will certainly fall into disfavor. Until that time, however, I think it will be USB business as usual.

About Steve Mierzejewski

Marketing consultant for InZero Systems, developer of the next generation in hardware-separated security, WorkPlay Technology. I've worked in Poland, Japan, Korea, China, and Afghanistan. I'm a writer, technical editor, and an educator. I also do some work as a test developer for Michigan State University.