Researchers have uncovered a fundamental flaw in the design of the USB specification that could have a significant impact on day-to-day computing. At the very least, it should call into question the trustworthiness of many mundane devices we insert into our PCs: mice, keyboards, thumb drives, external hard drives and more.
A pair of researchers, Karsten Nohl and Jakob Lell at security firm Security Research Labs, are presenting their findings at the annual Black Hat USA 2014 in Las Vegas this week. The crux of the issue: Since USB manufacturers do not protect the firmware in their devices, it's possible for malware to overwrite the firmware and take control of everyday devices.
USB peripherals, such as thumb drives, can be reprogrammed to steal the contents of anything written to the drive and to spread the firmware-modifying code to any PCs it touches. The net result could be a self-replicating virus that spreads through sparing thumb drives, much like the rudimentary viruses that spread by floppy disk decades ago.
Nohl and Lell outline at least three ways that "bad" USB devices can act maliciously:
- A device can emulate a keyboard and issue commands its own commands, such as to install malware or steal files.
- A device can pretend to be a network card and change the computer's "domain name system" setting, which lets you type an URL on your keyboard to go to a website, to secretly redirect your traffic.
A thumb drive or external hard disk can infect connected computers at the boot stage before antivirus tools have a chance to intervene.
Moreover, Nohl and Lell warn, this is especially nefarious because it is essentially undetectable. There are no requirements for firmware to be digitally signed, for example, and there's no process in place to check or confirm the authenticity when a device's firmware is flash upgraded. And because these changes are at the firmware level, no malware or antivirus tests can detect it.
That sounds like very bad news, but that's the worst case scenario, and the reality is probably not nearly as worrisome. Many devices (especially inexpensive, thin-margin USB thumb drives, for example) don't have reprogrammable firmware to begin with. So while it's not immediately clear how widespread this problem potentially is, the economies of manufacturing alone have doubtless prevented this vulnerability for many common devices.
Despite the latest findings about this vulnerability, the issue has existed since the earliest days of USB. What can you do to stay safe? Unfortunately, not a lot. After all, it's technically possible for foreign manufacturers or the NSA to inject malicious code in USB firmware at manufacturing. Or malware could hijack a USB device on your desktop, and there's no test that can inspect USB firmware or detect non-standard behavior.
Instead, like many cyber security threats, the only real mitigation right now is how you behave. For instance, it's better not to insert one your USB devices into a computer you don't trust (avoid public computer kiosks, for example), and don't plug a USB device into your own computer unless you are confident you trust it and know everywhere it has been.
Photo courtesy Flickr user Renato Mitra