Recently, Wired and other technology journals have published stories on the newest threat facing digital security: maliciously programmed USB devices. While the concept of installing malware or viruses via USB devices is not new, the methodology of the aptly dubbed “BadUSB” is fundamentally different from existing malware distribution approaches. Researchers at Security Research Labs in Berlin, Germany, have released preliminary information (https://srlabs.de/badusb/) on this new form of infection, which they have programmed themselves and which targets the firmware of any USB device. While the engineers at SR Labs are doing this work to figure out how to combat it, the proof of concept shows that cyber criminals could use, or may already be using, USB devices to propagate this new form of malware. Indeed, some suspect that the NSA is well aware of this security flaw and has been using it in its own surveillance operations for some time.
So what exactly is new about it? Everyone knows not to connect an untrusted USB device to his or her PC (or everyone should know that, anyway). The difference is that with previous iterations of USB-based malware, a well-updated anti-virus solution could detect and quarantine the threat. What has changed is that BadUSB is programmed directly into the USB device’s firmware, the basic processing code that is permanently embedded in the controller chips. The firmware of USB devices cannot be scanned by any anti-virus or anti-malware solution. Formatting the device, which clears all of the data and essentially factory-resets it, does nothing to help either: firmware is not meant to be changed, so formatting leaves it untouched. By hard-programming these changes into a USB device’s firmware, hackers are able to turn something as innocuous as a keyboard or a webcam into a malicious device. Once connected, the device can silently install viruses onto the computer, alter system settings by silently inputting commands, and even pretend to be a new network card, redirecting internet traffic to malicious imitations of the intended web locations.
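One defensive check that follows from the description above is to look at what a device claims to be when it enumerates: a "flash drive" that also presents a keyboard or network-adapter interface is exactly the shape described. This is an added example, not code from the original post or from SR Labs; the class codes are the standard USB interface classes, while the vendor/product IDs and device names are constructed placeholders.

```python
from dataclasses import dataclass
# USB interface class codes (standard USB-IF class codes, not constructed)
HID = 0x03           # keyboards and mice
MASS_STORAGE = 0x08  # flash drives, card readers
CDC_CONTROL = 0x02   # communications control (Ethernet-over-USB models use this)
CDC_DATA = 0x0A      # communications data
NETWORK = {CDC_CONTROL, CDC_DATA}

@dataclass
class UsbDevice:
    name: str
    vendor_id: int
    product_id: int
    interface_classes: tuple  # one class code per interface descriptor

def classify_risk(dev, allowlist):
    """Return the reasons a device looks suspect; an empty list means accept.

    Vendor/product IDs are reported by the device firmware itself, so a
    reprogrammed controller can claim any ID: the allowlist is only a first
    filter, and the interface-class checks are the stronger signal."""
    reasons = []
    classes = set(dev.interface_classes)
    if (dev.vendor_id, dev.product_id) not in allowlist:
        reasons.append("vendor/product ID not on allowlist")
    # A "flash drive" that also enumerates as a keyboard can type commands.
    if MASS_STORAGE in classes and HID in classes:
        reasons.append("storage device also presents a HID interface")
    # A device that adds a network adapter to another role can reroute traffic.
    if classes & NETWORK and classes - NETWORK:
        reasons.append("network (CDC) interface alongside non-network interfaces")
    return reasons

def audit(devices, allowlist):
    """Map each suspect device name to its reasons; clean devices are omitted."""
    return {d.name: r for d in devices if (r := classify_risk(d, allowlist))}

# Constructed sample data: the IDs are placeholders, not real vendor assignments.
ALLOWLIST = {(0x1111, 0x0001), (0x1111, 0x0002)}
SAMPLE_DEVICES = [
    UsbDevice("office keyboard", 0x1111, 0x0001, (HID,)),
    UsbDevice("corporate flash drive", 0x1111, 0x0002, (MASS_STORAGE,)),
    UsbDevice("conference giveaway stick", 0x2222, 0x0009, (MASS_STORAGE, HID)),
    UsbDevice("spoofed-ID stick", 0x1111, 0x0002, (MASS_STORAGE, CDC_CONTROL, CDC_DATA)),
]

if __name__ == "__main__":
    for name, reasons in audit(SAMPLE_DEVICES, ALLOWLIST).items():
        print(f"{name}: {'; '.join(reasons)}")
```

The "spoofed-ID stick" case shows why the allowlist alone is not enough: it passes the ID check and is caught only because it enumerates a network interface next to its storage role.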
What to do? As stated above, there’s no real protection yet against this new threat. Some USB manufacturers are even refusing to accept that it’s possible. Some potential solutions are being researched, but in the meantime, there are a few important things to know. First, once a computer has been infected in this way, there’s a very good chance that any USB device that has connected to it since is also infected. Because of this, it’s vital that you connect only trusted USB devices to your computer, and that you know those devices have in turn only been connected to other trusted PCs. While the convenience of bring-your-own-device computing is nice, it’s a double-edged sword in terms of security. If you have PCs or USB devices upon which business continuity depends, it’s a good idea to use those devices for work-related tasks only. Once a device’s firmware is infected, there is, as of yet, no way to disinfect it. If you or someone in your company has been the victim of such an attack, it’s important to know which devices have touched the infected PC, and to treat them all as untrustworthy. Obviously, the ubiquity of USB devices further emphasizes the point: it is always important, as much as having rock-solid hardware, software and support solutions, to have educated staff who can recognize a potential threat. If there’s ever any doubt about where a USB device came from, where it’s been since, or to which computers it’s been connected, don’t trust it. In an age of increased convenience and instantaneous data sharing, there are more and more avenues for intrusion and malicious attacks. Contact us for a consult on your network’s security and the steps your company can take to ensure business continuity.