According to findings by researchers Karsten Nohl and Jakob Lell, USB security may be profoundly broken, with no way around it.
Nohl and Lell have highlighted a flaw in USB devices that potentially offers hackers the ability to sidestep all currently known security measures used by a computer. Called the BadUSB exploit, the vulnerability allows hackers to meddle with the firmware that controls the functions of various USB plug-ins, such as mice, keyboards and thumb drives.
“Once a BadUSB-infected device is connected to a computer, Nohl and Lell describe a grab bag of evil tricks it can play. It can, for example, replace software being installed with a corrupted or backdoored version. It can even impersonate a USB keyboard to suddenly start typing commands. ‘It can do whatever you can do with a keyboard, which is basically everything a computer does,’ says Nohl.”
The solution? According to Nohl and Lell, nothing less than banning the sharing of USB devices or filling your USB port with superglue will do. According to the “new way of thinking” about USB security, users should consider a USB device infected and throw it away as soon as it touches a non-trusted computer.
“These problems can’t be patched,” says Nohl. “We’re exploiting the very way that USB is designed.”
The pair will be presenting their research at the Black Hat security conference in Las Vegas later this week.
We guess a whole lot of computer scientists need to get back to the drawing board right about now…