USB devices are a widely used item in the world of technology. Unfortunately they are notoriously vulnerable to exploitation by hackers and malware. As malware grows more and more sophisticated, you can no longer trust simple antivirus scans to protect your business.

This vulnerability has less to do with what the USB carries than what it is made out of. Security Researchers Karston Nohl and Jakob Lell plan on presenting their findings which indicate that USB software is fundamentally broken. They intend to demonstrate that it’s the software itself that is the problem, not the content of the devices. Nohl and Lell created a proof of concept malware called BadUSB, that when installed on a USB drive can potentially compromise a computer by altering files installed from the USB drive without being detected, and mess with the user’s Internet browsing.

Bad to the Bone                                                                 
BadUSB lives up to its name because once it is introduced it is extremely difficult to locate. BadUSB lies within the firmware that controls the functions of USB devices, not in the flash memory storage of them. This lets the attack code remain undetected even after the device’s storage has been deleted or scanned by antivirus software.

What’s even worse is that this not a fixable problem. The extent to which BadUSB compromises a system is impossible to counter completely (unless USB drives are banned altogether – something that is both inconvenient and frankly, not possible for most PC users). The solution is not as simple as writing a software patch, because the vulnerability lies in the firmware of the device.

Nohl and Lell are not the first researchers to point out these glaring vulnerabilities in USB firmware. While they could have easily copied the code into the USB device’s memory, they spent month’s reverse-engineering the controller chips, which is the part of the device that is responsible for communicating with the PC. Basically, the USB firmware’s code can be reprogrammed to hide malicious code. This prevents even experienced IT technicians from detecting the code and scrubbing it, making it all but impossible to detect without reverse-engineering the code and discovering its presence.

These days, anything that connects with wires is considered a hindrance. The same is true for most technical devices, including wireless keyboards and mice. The fact that they use USB technology makes them vulnerable to being reprogrammed and exploited. Once BadUSB makes its way into the system, it can cause all types of problems. These issues include replacing software with malicious alternatives, impersonating a wireless keyboard, and hijacking Internet traffic. It can even spy on unsuspecting users.

We’re Here to Tell Ya Honey…
The only sure-fire way to keep your computers safe from USB devices is to not use them. In reality for most of us, that isn’t an option. USB drives are too useful for moving data, and forget about not using a wireless mouse. The easiest solution is to not use USB devices that you don’t trust or are unfamiliar with. Regrettably a long-term solution is still not available. As previously mentioned, the problem lies in the gadgetry of USB technology, and in order to “patch” the problem, USB technology would have to change.

This situation isn’t a threat right now (at least as far as we know) since Nohl and Lell didn’t create BadUSB for malicious use. It’s not spreading across the Internet or via USB devices, but instead they are proving that it could be a threat in the future. Eliminating USB devices from your life isn’t feasible, but it does carry into your BYOD policy. You want to control what devices your employees are connecting to your network and workstations.

If you are concerned about the quality of your network’s security, you should contact Quikteks at (973) 882-4644. We’ll take steps to ensure that you are only allowing secure devices to access your network, and we’ll equip you with an enterprise-level security solution to screen any foreign entities.