UPDATED 04:03 EDT / AUGUST 01 2014

BadUSB exploit can hack any device, and there’s no cure in sight

small__4861212604Ready for another security scare? Good, because every single USB device that you plug into your computer could pose a threat that’s worse than any malware.

It really is as bad as it sounds. Security researchers Karsten Nohl and Jakob Lell of SR Labs have stumbled upon a flaw in every single USB device ever made, including thumb drives, mice, keyboards and headphones. The flaw makes it possible for the firmware in USB to be reprogrammed by malicious software to launch just about any kind of attack once plugged in to a computer.

Worse is that it appears that there’s no way to protect against this vulnerability.

“No effective defenses from USB attacks are known,” wrote the researchers on the SR Labs site. “Malware scanners cannot access the firmware running on USB devices.”

This is because traditional anti-virus software is designed to scan only the file contents of attached drives. Most programs can even scan hidden files easily, but this is not where Nohl and Lell’s nasty code resides.

Rather, the pair managed to reverse engineer the fundamental firmware on USB devices, which is where the virus hides out. The firmware is a piece of code that tells the PC what to do when a device is plugged into it, and it can’t be scanned by current anti-virus programs.

The bad news is that a compromised USB device could basically do anything it wants to your PC. Speaking to Wired.com, Nohl said “It can do whatever you do with a keyboard, which is basically everything a computer does.”

Even worse, the BadUSB exploit spreads easily. It can be passed from an infected USB device to a PC, and from there it can infect any other USB device that’s plugged in later. “You can give it to your IT security people, they can scan it, delete some files and give it back to you telling you it’s ‘clean’”, said Nohl. But that isn’t true.

What this means is that you can no longer trust any USB device that’s been plugged into another PC.

Nohl and Lell are expected to describe the exploit in more detail at next month’s Black Hat security conference in Las Vegas. Assuming the threat is as bad as they claim, it could force manufacturers to carry out a massive re-architecting of USB standards to protect against the exploit.

For now, though, Nohl and Lell’s findings have yet to be independently verified, so there’s a chance that it could all be debunked once the experts get a chance to look at their research in more detail. But until then, be careful about what USBs you plug in to your PC, if you care at all about the data that’s on it.

photo credit: ntr23 via photopin cc

A message from John Furrier, co-founder of SiliconANGLE:

Your vote of support is important to us and it helps us keep the content FREE.

One click below supports our mission to provide free, deep, and relevant content.  

Join our community on YouTube

Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.

“TheCUBE is an important partner to the industry. You guys really are a part of our events and we really appreciate you coming and I know people appreciate the content you create as well” – Andy Jassy

THANK YOU