The perils of USB

USB has been great.  Connect anything to your system, it’s usually auto recognized, so it fits that useful category of “stuff that just works.”

Now Wired has pointed out that from a security standpoint, USB has some serious, fundamental flaws. In other words, you may be completely and utterly screwed.

It’s not just malware may be lurking on USB memory devices, perhaps even installed at the factory.  A couple of clever lads have figured out how to reprogram the flash that controls just about any USB device.   Which is pretty much like giving them the keys to the Kingdom.  Here are some of the scary highlights from the article.

“Because BadUSB resides not in the flash memory storage of USB devices, but in the firmware that controls their basic functions, the attack code can remain hidden long after the contents of the device’s memory would appear to the average user to be deleted.”

I’m waiting for the standalone device that reads and reflashes USB firmware to hit the IT market at an obscene profit margin.

Wait! It gets worse.

The problem isn’t limited to thumb drives. All manner of USB devices from keyboards and mice to smartphones have firmware that can be reprogrammed—in addition to USB memory sticks, Nohl and Lell say they’ve also tested their attack on an Android handset plugged into a PC. And once a BadUSB-infected device is connected to a computer, Nohl and Lell describe a grab bag of evil tricks it can play. It can, for example, replace software being installed with with a corrupted or backdoored version. It can even impersonate a USB keyboard to suddenly start typing commands. “It can do whatever you can do with a keyboard, which is basically everything a computer does,” says Nohl.

The malware can silently hijack internet traffic too, changing a computer’s DNS settings to siphon traffic to any servers it pleases. Or if the code is planted on a phone or another device with an internet connection, it can act as a man-in-the-middle, secretly spying on communications as it relays them from the victim’s machine.

So the new mantra is don’t let your keys or any USB device out of your sight.