USB security is fundamentally broken, claim security experts


USB Mavericks

According to findings by researchers Karsten Nohl and Jakob Lell, USB security may be profoundly broken, with no way around it.

Nohl and Lell have highlighted a flaw in USB devices which potentially offer hackers the ability to sidestep all currently known security measures used by a computer. Called the BadUSB exploit, the vulnerability allows hackers to meddle with the firmware which controls the functions of various USB plug-ins, such as mice, keyboards and thumb drives.

Wired notes:

“Once a BadUSB-infected device is connected to a computer, Nohl and Lell describe a grab bag of evil tricks it can play. It can, for example, replace software being installed with with a corrupted or backdoored version. It can even impersonate a USB keyboard to suddenly start typing commands. ‘It can do whatever you can do with a keyboard, which is basically everything a computer does,’ says Nohl.”

The solution? According to Nohl and Lell, nothing less than banning the sharing of USB devices, or filling your USB port with superglue will do. According to the “new way of thinking” about USB security, users should consider a USB infected and throw it away as soon as it touches a non-trusted computer.

“These problems can’t be patched,” says Nohl. “We’re exploiting the very way that USB is designed.”

The pair will be presenting their research at the Black Hat security conference in Las Vegas later this week.

We guess a whole lot of computer scientists need to get back to the drawing board right about now…

Source: Wired

  • Makes me wonder is any of these ‘wireless’ keyboards, mice, and Wi-Fi devices working off USB ports are a problem. It appears that the thumb drives and external hard drives for data storage are for sure.

    It seems that the NET as a rule is becoming a problem. There is absolutely no privacy or security.

    The use of firewalls and anti virus programs don’t seem to stop anything. Many act like virus’s themselves especially when it get near time to PAY again. they ALL allow their affiliates and associates access to the back doors.

    Eighteen years ago the net was sort of fun, that seems to not be the case today. Between the NSA, State and Local Authorities, and then every site you go to tracking your (With your ‘implied consent’ via use of their page.) every move in order to ‘create a profile of you’ to bombard you with ADDS there is no privacy or security.

    I suspect that my days of internet use are limited. Having to keep buying more band width, faster processors, new soft ware, and bigger machines in order to have the privilege of being treated as a sucker for merchants and trolls stealing my identity is not my cup of tea.

    It used to be a useful tool (for study) but today it is a threat to my privacy and personal security.

  • Everyone posting an article on this is claiming this is a vulnerability of
    USB. Wrong. This is a vulnerability of Plug and Play. This can be done
    with Firewire and Thunderbolt. It could even be done with a video card
    in a PCI slot. I am amazed that it has taken the bad guys almost 20
    years to figure this out. I saw this coming when the first Plug and Play
    devices came out with Windows 95. Luckily none of the hardware
    manufacturers allowed their techs to pull off something like this.