Researchers have identified a new security threat that, if exploited, could affect billions of devices, and which they claim is essentially impossible to detect or prevent with current technologies. The threat stems from a fundamental flaw in the way USB devices and current anti-virus systems are designed. They’re calling it BadUSB.
BadUSB in terms you’ll understand
For a simplified explanation, think of a USB flash drive. The device has two types of storage: the main storage area, where you keep your files and videos, and the “controller chip,” which stores the “firmware” that actually controls the device and what it does. Generally, viruses are programs stored in the main area, and this is what anti-virus systems check for. But researchers at Germany-based firm SR Labs now claim they have successfully infected the controller chip of some USB devices, so that the devices send commands directly to the computer – commands which the computer obeys, and which no existing anti-virus system can detect. Even more concerning, they have been able to do this not only to USB flash drives, but to simpler USB devices like keyboards.
Nowhere to run to, nowhere to hide
Think of it this way: If exploited, literally any keyboard you connected to your computer could issue commands which your computer would think you were typing. These commands could download a virus, change your computer settings, or infect other attached devices, spreading the virus. And because our anti-virus systems have not been designed to scan peripherals like keyboards and printers, there’s currently no protection against such exploits.
“You cannot tell where the virus came from. It is almost like a magic trick,” said Nohl, whose research firm is known for uncovering major flaws in mobile phone technology.
So far, little more is known about the exploit. Karsten Nohl and Jakob Lell, the SR Labs researchers who discovered it, will be presenting BadUSB this week at Black Hat 2014, a hacker conference. Their presentation will include evidence and more information. We’ll keep you updated with further developments. Protections could be established, but this won’t be a matter of a quick patch or update; it could be months or years before anti-virus and anti-malware packages are rewritten to monitor USB controllers.