SR Labs’ Karsten Nohl and Jakob Lell have come up with a collection of proof-of-concept malicious software to show how the security of USB devices is fundamentally broken.
The malware they created, called BadUSB, can be installed on a USB device to completely take over a PC and alter files installed from the memory stick, or even redirect the user’s internet traffic.
BadUSB does not live in the flash memory storage of USB devices, but in the firmware that it. The attack code can remain hidden even if the data has been wiped.
The researchers said that there is no easy fix because it exploits the way that USBs are designed.
They reverse engineered the firmware that runs the basic communication functions of USB devices which is the controller chips that allow the devices to communicate with a PC and let users move files on and off them.
Unless the IT guy has the reverse engineering skills to find and analyse that firmware, “the cleaning process doesn’t even touch the files we’re talking about.”
All USB devices from keyboards and mice to smartphones have firmware that can be reprogrammed in the same way.
Nohl and Lell have tested their attack on an Android handset plugged into a PC.
And once a BadUSB-infected device is connected to a computer, Nohl and Lell could do more or less what they liked.
The malware can hijack internet traffic too, change a computer’s DNS settings to siphon traffic. It can also spy on a computer’s activity.
BadUSB’s ability to spread from USB to PC and back raises makes it impossible to use USB devices securely at all.