What can you tell me about the new USB drive exploit that I’m hearing about?
This question was answered on October 7, 2014. Much of the information contained herein may have changed since posting.
The ubiquitous USB drive has always been a potential threat to any computer that it plugs into, as malware can live on it just as easily as it can on a hard drive.
What makes the most recent news disconcerting is that an attack being called BadUSB is both undetectable and relatively unpatchable, meaning there is no easy way to fix it.
Traditional security scans, such as those run by an anti-virus program, are completely useless against this threat because the infection lives in the device's firmware itself, not in the storage area that those programs scan.
The security researcher who originally demonstrated the attack at this year’s Black Hat security conference chose not to release the code, to give USB manufacturers some time to come up with a fix.
This fix would require manufacturers to fundamentally change how they create devices, which would likely take a while.
A couple of other researchers felt that without extreme pressure on the manufacturers, most of which focus on creating the cheapest devices possible, nothing would happen.
So they chose to reverse engineer the firmware exploit to reproduce the hack and publish the code for anyone to use.
“If this is going to get fixed, it needs to be more than just a talk at Black Hat,” the researchers told WIRED magazine.
They are also working on a method that could allow an infected USB device to infect a computer, which would in turn infect any future devices that are plugged in. That would make this exploit really dangerous.
For anyone who lived through the floppy disk era, this is akin to the boot-sector infections, such as the infamous Michelangelo virus, that spread from machine to machine as users went about their normal business.
Most people who use USB flash drives don’t really think about them as anything more than a storage device, but they are completely capable of being programmed to wreak havoc.
This particular exploit would allow a hacker to plant virtually any instructions they wanted on the device itself that would automatically run when it gets plugged in.
Since this is a fluid situation, here are some tips for reducing your chances of unknowingly becoming a victim:
- Avoid plugging any USB drive into your computer that you don’t personally own. This means friends, associates or anyone else that might want to transfer files to your computer via USB drive should be encouraged to use Google Drive, Dropbox or other cloud-based file sharing services.
- If you are a business, you should immediately instruct all employees that no USB drives are to be plugged into any computer without prior approval. This may seem a little over the top, but since the code has now been made public, working with trusted drives only is the only safe procedure.
- DO NOT use any USB flash drive that looks like it was lost by someone else. If you think like a hacker for a minute, the easiest way to start infecting people is to drop infected USB drives around college campuses and large businesses. Most people will think that they have found a free storage device and have no way of knowing that it’s infected.
- Stick to using USB devices that you purchased as new and have never left your possession.
This is a fluid situation, so stay tuned for more information as it becomes available.
About the author
Posted by Ken Colburn of Data Doctors on October 7, 2014