Flaw in USB Protocol Allows Malware to Exist in Device Firmware Undetected

Researchers have discovered a flaw in the basic architecture of the USB protocol that allows malware to be programmed into a USB device’s firmware, making it almost undetectable and impossible to patch.

AppleInsider:

To demonstrate the ubiquitous vulnerability, SR Labs security researchers Karsten Nohl and Jakob Lell created a proof-of-concept called “BadUSB” that can be installed on any universal serial bus device, including memory sticks, keyboards, smartphones and more, to take over a victim’s PC, insert or change files, modify DNS settings and otherwise play havoc with host hardware, reports Wired.

BadUSB isn’t just a piece of malware that is copied into the flash memory of a USB drive. The two researchers reverse engineered USB standard firmware that takes care of moving files on and off of a device, finding a way to insert and hide malicious code.

“These problems can’t be patched,” Nohl said. “We’re exploiting the very way that USB is designed.”

The bad firmware is hidden from discovery unless the infected firmware itself is reverse engineered. A disk erasure, a common way of removing malicious software from a device, will not remove the “Bad” code.

BadUSB also can be coded to propagate itself by infecting a computer’s USB firmware, which then will infect another connected USB device, which then infects… You get the idea.

The researchers suggest that users adopt a new way of thinking about USB hardware, connecting only to devices that are user-owned, or otherwise trusted.

“In this new way of thinking, you can’t trust a USB just because its storage doesn’t contain a virus. Trust must come from the fact that no one malicious has ever touched it,” Nohl said. “You have to consider a USB infected and throw it away as soon as it touches a non-trusted computer.”
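The trust model Nohl describes, where a device is acceptable only because of where it has been rather than what its storage contains, maps onto a host-side allowlist of user-owned hardware. The following is an added example written for this page, not code from SR Labs or from the researchers: it treats a device as trusted only if its reported identity (vendor ID, product ID, serial) is on a list of devices the user owns, and additionally rejects a known device that suddenly exposes an interface class the list does not expect for it. The device records, IDs and serials are constructed for illustration; the interface-class mismatch check is the editor's own addition, not something the article specifies.

```python
"""Allowlist evaluation for USB devices (added example, constructed data).

On a real host the device records would come from the operating system's
enumeration (for example udev or lsusb output); here they are built inline.
"""
from dataclasses import dataclass

# USB interface class codes from the USB class code table.
CLASS_CDC = 0x02           # communications devices, e.g. USB network adapters
CLASS_HID = 0x03           # human interface devices: keyboards, mice
CLASS_MASS_STORAGE = 0x08  # flash drives and other storage


@dataclass(frozen=True)
class UsbDevice:
    """What a device reports about itself during enumeration."""
    vendor_id: int
    product_id: int
    serial: str
    interface_classes: frozenset


# Constructed allowlist of user-owned devices (hypothetical IDs, not real
# products): identity plus the interface classes each is expected to expose.
ALLOWLIST = {
    (0x1234, 0x0001, "SN-OWNED-STICK-01"): frozenset({CLASS_MASS_STORAGE}),
    (0x1234, 0x0002, "SN-OWNED-KBD-01"): frozenset({CLASS_HID}),
}


def evaluate(dev: UsbDevice) -> tuple:
    """Return (allowed, reason) for a device against the allowlist.

    A device is allowed only if its identity is listed and every interface
    class it exposes was expected for that identity.
    """
    key = (dev.vendor_id, dev.product_id, dev.serial)
    expected = ALLOWLIST.get(key)
    if expected is None:
        return False, "unknown device: not in allowlist"
    unexpected = dev.interface_classes - expected
    if unexpected:
        classes = ", ".join(hex(c) for c in sorted(unexpected))
        return False, "interface class mismatch: unexpected %s" % classes
    return True, "allowed"


if __name__ == "__main__":
    samples = [
        UsbDevice(0x1234, 0x0001, "SN-OWNED-STICK-01", frozenset({CLASS_MASS_STORAGE})),
        UsbDevice(0x1234, 0x0001, "SN-OWNED-STICK-01", frozenset({CLASS_MASS_STORAGE, CLASS_HID})),
        UsbDevice(0x9999, 0x0001, "SN-UNKNOWN-01", frozenset({CLASS_MASS_STORAGE})),
    ]
    for d in samples:
        print(d.serial, "->", evaluate(d))
```

The caveat a practitioner should keep in mind follows directly from the article: the vendor ID, product ID and serial are reported by the device firmware, which is exactly what a reprogrammed device controls, so an identity allowlist reduces exposure to unexpected hardware but cannot by itself prove that a listed device's firmware is still the one the user bought. That is why the researchers' advice is about provenance (where the device has been) rather than about anything the host can read from it.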

The findings of Nohl and Lell’s research will be presented at the August Black Hat Conference in Las Vegas.

Chris Hauk

Chris is a Senior Editor at Mactrast. He lives somewhere in the deep Southern part of America, and yes, he has to pump in both sunshine and the Internet.