Why You Should Never Want to Use Another Person’s USB Drive Ever Again

DJ Miller
10/3/2014
Updated: 4/23/2016

In today’s business world, people hand out USB drives as easily as they hand out pieces of gum. Co-workers stop by other people’s desks, plug their USB drives into the machines and start working. Blank USB drives are included in almost every trade show door prize pack. Although perceptions of USB security took a slight hit after the Stuxnet virus, most people didn’t ramp up precautions before they inserted their thumb drives into someone else’s computer.

Security researchers Karsten Nohl and Jakob Lell have shown everyone the dark side of USB with their proof-of-concept malware, BadUSB. Now, security experts are warning that you should treat USB drives like hypodermic needles. You should never plug an untrusted drive into your computer, and you should never plug your USB drive into a computer that isn’t yours. USB drives aren’t the only potential threats, either. Any device that connects to a computer via USB could be dangerous.

How BadUSB Works

Firmware is the software that is imprinted on a device’s chips or in the device’s flash memory, and it tells a device how to perform its basic functions. To create BadUSB, Nohl and Lell reverse engineered the firmware that lives on a USB drive’s controller chips. They demonstrated that anyone could reprogram USB firmware to conceal attack code.

Once the firmware has become corrupted, it can perform the following malicious acts and more:

  • Install corrupted software. Instead of installing the software saved on the device, it could install a version of software that contains malicious code or a backdoor for remote control of the device. If the device connects to a network that doesn’t use network security software and scanning solutions, then the corrupted software could be transmitted to other devices on the network.
  • Become a man-in-the-middle. Malware that lives on a device with an Internet connection could spy on communications and steal vital information, such as credit card numbers.
  • Divert Internet communications. A corrupted machine could siphon traffic to attacker-controlled servers by changing the computer’s DNS settings.
  • Operate a zombie keyboard. Malicious code in USB firmware can hijack a keyboard, enabling it to perform whatever computer functions a keyboard would perform.
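
A defender-side check for the zombie-keyboard case above, added here as an example and not taken from Nohl and Lell's work: on Linux, every USB interface publishes its class code in sysfs, so a "drive" that also declares a HID (keyboard-class) interface can be flagged. The function names and the SAMPLE data are assumptions made for illustration.

```python
from pathlib import Path

MASS_STORAGE = 0x08   # USB base class code: mass storage
HID = 0x03            # USB base class code: human interface device (keyboards, mice)
FIELDS = ("bInterfaceClass", "bInterfaceSubClass", "bInterfaceProtocol")


def read_interfaces(sysfs_root="/sys/bus/usb/devices"):
    """Return {device: [(class, subclass, protocol), ...]} read from Linux sysfs."""
    devices = {}
    for iface in Path(sysfs_root).glob("*:*"):        # interface dirs, e.g. 1-2:1.0
        try:
            triple = tuple(int((iface / f).read_text().strip(), 16) for f in FIELDS)
        except (OSError, ValueError):
            continue                                   # unplugged or unreadable mid-scan
        devices.setdefault(iface.name.split(":")[0], []).append(triple)
    return devices


def suspicious(devices):
    """Names of devices that declare both a storage and a HID interface."""
    flagged = []
    for name, ifaces in sorted(devices.items()):
        classes = {cls for cls, _, _ in ifaces}
        if MASS_STORAGE in classes and HID in classes:
            flagged.append(name)
    return flagged


# Constructed sample (not captured from real hardware): a plain flash drive,
# a plain keyboard, and a "flash drive" that also announces a keyboard.
SAMPLE = {
    "1-1": [(0x08, 0x06, 0x50)],
    "1-2": [(0x03, 0x01, 0x01)],
    "1-3": [(0x08, 0x06, 0x50), (0x03, 0x01, 0x01)],
}

if __name__ == "__main__":
    print("sample:", suspicious(SAMPLE))
    if Path("/sys/bus/usb/devices").is_dir():
        print("this host:", suspicious(read_interfaces()))
```

This catches only a device that announces both interfaces at once; reprogrammed firmware can also present itself purely as a keyboard, so an empty result does not prove a device is clean.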

Why BadUSB Is So Very Bad

Security experts have known for a long time that a corrupted USB device can infect a computer, but the scariest thing about BadUSB is that an infected computer can spread malware to a plugged-in USB device. For example, a smartphone plugged into an infected computer can have malware written into its firmware. Keyboards, mice and any other devices that plug into a corrupted computer via USB also become vulnerable.

Usually, when a USB device becomes corrupted by malware, people assume that they can clean it by wiping the device’s memory. Unfortunately, most users don’t know how to reverse engineer and analyze a USB device’s firmware. When they erase the device’s memory, the malware remains in the firmware. For this reason, users should feel scared not only to share their USB drives but also to grab a spare keyboard and plug it into their desktop computer.

Preventing USB Infection Transmission

Until security companies come up with a way to eliminate malware from USB firmware, you should take these precautions when using USB devices:

  • Keep USB devices under control at all times. Ideally, you should know where your USB devices and cords are at all times from the moment you remove them from the package.
  • Stop accepting free USB drives. You should also never take a used USB drive from someone, even if it’s been wiped, and put it into your USB port. Also, stop using the free USB drives that you get at industry events and conferences.
  • Plug only your USB devices into only your machines. Avoid accepting a USB drive from a co-worker and plugging it into your machine. Similarly, avoid sharing a USB drive with your co-workers after it’s been plugged into your machine.

What’s Next for BadUSB

Until security researchers find a solution, BadUSB should fundamentally change the way that everyone uses USB-connected devices. For now, Nohl and Lell haven’t released their BadUSB code because they fear it would fall into the wrong hands.

DJ Miller is a graduate student at the University of Tampa. He's an avid gadget geek and spends most of his time reading or writing. He is a huge fantasy sports fan and even runs his own advice site for Fantasy Help.