USB Software is Bad to the Bone, Literally

USB devices have long been a staple of the technology world, but are notoriously vulnerable to exploitation from hackers and malware. As malware grows more and more sophisticated, you can no longer trust simple antivirus scans to protect your business.

Unfortunately, it has less to do with what the USB carries than what it is made out of. Researchers Karston Nohl and Jakob Lell plan on presenting their findings which dictate that USB software is fundamentally broken; in other words, it’s the software itself that is the problem, not what the devices themselves contain. Nohl and Lell created a type of malware called BadUSB, which when installed on a USB drive and can potentially compromise a computer, alter files installed with the drive without being detected, and mess with the user’s Internet browsing.

Bad to the Bone
BadUSB lives up to its name due to how difficult it is to locate, especially post-exploitation. BadUSB lies within the firmware that controls the functions of USB devices, not in the flash memory storage of them. This lets the attack code remain undetected even after the device’s storage has been deleted or scanned by antivirus software.

What’s even worse is that this isn’t a problem that can be fixed. The total compromise that BadUSB displays is impossible to counter completely (unless USB drives are banned altogether – something that is both inconvenient and frankly, not possible for most PC users). It’s not as simple as patching software, as the vulnerability lies in rewriting the code within the device.

B-b-b-b-b-bad
Nohl and Lell aren’t the first to point out these glaring vulnerabilities in USB firmware. While they could have easily copied the code into the USB device’s memory, they spent month’s reverse-engineering the controller chips, which is the part of the device that is responsible for communicating with the PC. Basically, the USB firmware’s code can be reprogrammed to hide malicious code. This prevents even experienced IT technicians from detecting the code and scrubbing it, making it all but impossible to detect without reverse-engineering the code and discovering its presence.

B-b-b-b-b-bad
These days, anything with wires is considered a hindrance. The same is true for most technical devices, including wireless keyboards and mice. These utilize USB technology, and as such, they are vulnerable to being reprogrammed and exploited. Once BadUSB makes its way into the system, it can do all sorts of unpleasant things, including replacing software with malicious alternatives, impersonating a wireless keyboard, and hijacking Internet traffic. It can even spy on unsuspecting victims, too.

We’re Here to Tell Ya Honey…
The only sure-fire way to keep yourself safe from USB devices is to not use them, but for most of us, that isn’t an option. USB drives are too useful for moving data, and forget about not using a wireless mouse. The easiest solution is to not use USB devices that you don’t trust or are unfamiliar with, but a long-term solution hasn’t made itself available yet. As previously mentioned, the problem lies in the gadgetry of USB technology, and in order to “patch” the problem, USB technology would have to change.

This isn’t a threat right now (at least as far as we know) since Nohl and Lell didn’t create BadUSB maliciously. It’s not spreading across the Internet or via USB devices, but instead they are proving that it could be a threat in the future. Eliminating USB devices from your life isn’t feasible, but it does carry into your BYOD policy. You want to control what devices your employees are connecting to your network and workstations.

If you are concerned about the quality of your network’s security, you should contact Resolve I.T. at (978) 993-8038. We’ll take steps to ensure that you are only allowing secure devices to access your network, and we’ll equip you with an enterprise-level security solution to screen any foreign entities.