Think Twice before Docking: A BadUSB advisory from your pals at Newmind Group.

Be careful what you put in those USB ports! A new security threat was born recently at the Derbycon hacking conference in Kentucky, when developers released the framework for a USB hack capable of turning a USB device into what Mashable considers a “system-lethal weapon.”

Yikes.

What is it?

This hack, dubbed “BadUSB” by its creators, is a new security flaw that takes advantage of the “universal” part of the term “Universal Serial Bus (USB).” Unlike conventional security issues such as malware and viruses, which infect your computer or network from within, BadUSB enables an ordinarily nonthreatening USB device to discreetly interact with your computer (steal information, or worse) straight through the USB port.

Because the threatening component exists in the USB device’s firmware, instead of on the drive’s storage, it’s out of reach for normal precautions—like antivirus software—which cannot detect the invisible behavior of this exploit.

Who could it be targeting?

BadUSB can be targeted towards anyone. Anyone.

A vast number of modern tech devices support (and depend on) USB technology, which is convenient in that it provides a common standard across different types of technology. This is also an enormous vulnerability, however: because this exploit is now available to the public, every interaction you have with an unfamiliar USB device needs to be approached with caution.

While this has the potential to be a widespread issue, right now this specific vulnerability isn’t prevalent in the wild. What this draws attention to is the fundamentally insecure nature of USB peripheral devices.

That said, the number of people who could perform the steps necessary to reprogram a USB drive with this exploit is very small. A rudimentary explanation of how the BadUSB firmware works can be found on the developer’s own website.

What solutions are there?

While there aren’t yet any documented solutions to this hazard, you can be sure that Newmind will broadcast these details as soon as they become public. This flaw hits the design of USB at such a fundamental level that we’re going to see this rippling through the industry for some time before a true fix is discovered and available. Until then, the most that we can offer are the common-sense precautions given by security powerhouse Symantec:

  • Only insert trusted USB devices into computers.
  • Do not use or purchase pre-owned USB devices (they could potentially contain malicious software).
  • Never leave your computer or mobile devices unlocked or unattended.

And here are a few more tips from our Managed Services Team:

  • Don’t trust USB drives from trade shows or from free giveaways. If you aren’t sure where it came from, don’t plug it in.
  • Scanning a BadUSB drive with antivirus tools probably won’t detect BadUSB. At this time, there isn’t a way to detect a bad drive until it’s too late. For now, being careful is the only option.
  • Formatting or erasing a USB drive will not remove the BadUSB exploit, since it resides in the firmware and not in the file storage. This brings us back to the first precaution: only use trusted drives.
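
For teams that want to enforce the "trusted devices only" rule rather than rely on memory, here is a sketch of an allowlist check, added as an illustration and not code from Newmind, Symantec or the BadUSB developers. The device IDs, serial numbers and sample events are constructed, and the `evaluate` helper is hypothetical; the interface class codes are the standard USB ones.

```python
# Added example: all device data below is constructed, not captured from hardware.
from dataclasses import dataclass

# Standard USB base class codes (bInterfaceClass) used in this check.
CLASS_NAMES = {0x02: "communications", 0x03: "HID (keyboard/mouse)",
               0x08: "mass storage", 0xE0: "wireless controller"}

@dataclass(frozen=True)
class UsbDevice:
    vendor_id: int
    product_id: int
    serial: str
    interface_classes: frozenset  # every interface class the device announces

# Hypothetical allowlist: identity -> interface classes approved at enrolment.
ALLOWLIST = {
    (0x1234, 0x0001, "NM-0001"): frozenset({0x08}),   # company flash drive
    (0x1234, 0x0002, "NM-KB-07"): frozenset({0x03}),  # desk keyboard
}

def evaluate(dev, allowlist=ALLOWLIST):
    """Return (verdict, reason) for a newly attached device."""
    key = (dev.vendor_id, dev.product_id, dev.serial)
    approved = allowlist.get(key)
    if approved is None:
        return "block", "device is not on the trusted list"
    # A known device announcing more than it was enrolled with is suspicious,
    # e.g. a flash drive that now also presents itself as a keyboard.
    extra = dev.interface_classes - approved
    if extra:
        names = ", ".join(CLASS_NAMES.get(c, f"class 0x{c:02x}")
                          for c in sorted(extra))
        return "block", f"trusted device now announces unapproved interface(s): {names}"
    return "allow", "matches enrolled identity and interface classes"

# Constructed sample plug-in events.
SAMPLES = [
    UsbDevice(0x1234, 0x0001, "NM-0001", frozenset({0x08})),        # as enrolled
    UsbDevice(0x1234, 0x0001, "NM-0001", frozenset({0x08, 0x03})),  # storage + keyboard
    UsbDevice(0xABCD, 0x0099, "FREEBIE", frozenset({0x08})),        # trade-show giveaway
]

if __name__ == "__main__":
    for d in SAMPLES:
        print(f"{d.vendor_id:04x}:{d.product_id:04x} {d.serial}: {evaluate(d)}")
```

This enforces the trusted-device rule; it cannot tell whether a drive's firmware has been reprogrammed, and a device that copies a trusted identity and announces only the approved classes would still pass.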

Why would the developers even release this?

It was only a matter of time before this technology was produced by a more dangerous source, so if they could create it first and softly publicize it, it might show the industry how urgently this must be addressed, and kickstart the actions needed to douse the issue before it becomes a widespread problem.

So is it a noble cause? That’s for the individual to decide. Regardless, it’s already making a serious impact on the technology industry.

Do you think this framework should have been publicly released? Or should they have only shared it with security companies?
