- Apr 25, 2013
- 5,355
Everyone knows that USB thumb-drives can spell security trouble, but a German security group has found new and nasty ways to use USB devices to wreak havoc on computers.
It could be worse. USB sticks can also carry malware. Or, as SRLabs security researchers Karsten Nohl and Jakob Lell propose to show at Black Hat, an ordinary USB pen drive can be turned into an automated hacking tool.
The base problem, according to the pair, is "USB has become so commonplace that we rarely worry about its security implications. USB sticks undergo the occasional virus scan, but we consider USB to be otherwise perfectly safe — until now."
Nohl and Lell continue:
USB devices are connected to – and in many cases even built into – virtually all computers. The interface standard conquered the world over the past two decades thanks to its versatility: Almost any computer peripheral, from storage and input gadgets to health-care devices, can connect over the ubiquitous technology. And many more device classes connect over USB to charge their batteries.
This versatility is also USB’s Achilles heel: Since different device classes can plug into the same connectors, one type of device can turn into a more capable or malicious type without the user noticing.
They're right of course. I have a half-dozen USB drives in my laptop bag and, except for an iPhone and iPad Touch, every device in my home office has USB ports. I'm aware that they pose a security risk, but do I worry about it? Not really.
I should and you should too.
Nohl and Lell have discovered that USB controller chips' firmware offer no protection from reprogramming. Using a set of proof-of-concept tools they call BadUSB, they claim that an ordinary USB device, even a thumb drive, can be used to compromise computers in the following ways:
It could be worse. USB sticks can also carry malware. Or, as SRLabs security researchers Karsten Nohl and Jakob Lell propose to show at Black Hat, an ordinary USB pen drive can be turned into an automated hacking tool.
The base problem, according to the pair, is "USB has become so commonplace that we rarely worry about its security implications. USB sticks undergo the occasional virus scan, but we consider USB to be otherwise perfectly safe — until now."
Nohl and Lell continue:
USB devices are connected to – and in many cases even built into – virtually all computers. The interface standard conquered the world over the past two decades thanks to its versatility: Almost any computer peripheral, from storage and input gadgets to health-care devices, can connect over the ubiquitous technology. And many more device classes connect over USB to charge their batteries.
This versatility is also USB’s Achilles heel: Since different device classes can plug into the same connectors, one type of device can turn into a more capable or malicious type without the user noticing.
They're right of course. I have a half-dozen USB drives in my laptop bag and, except for an iPhone and iPad Touch, every device in my home office has USB ports. I'm aware that they pose a security risk, but do I worry about it? Not really.
I should and you should too.
Nohl and Lell have discovered that USB controller chips' firmware offer no protection from reprogramming. Using a set of proof-of-concept tools they call BadUSB, they claim that an ordinary USB device, even a thumb drive, can be used to compromise computers in the following ways:
- A device can emulate a keyboard and issue commands on behalf of the logged-in user, for example to exfiltrate files or install malware. Such malware, in turn, can infect the controller chips of other USB devices connected to the computer.
- The device can also spoof a network card and change the computer’s DNS setting to redirect traffic.
- A modified thumb drive or external hard disk can — when it detects that the computer is starting up — boot a small virus, which infects the computer’s operating system prior to boot.
