Stop! Before you load that USB memory stick or memory card, do you know where it came from? There’s a dangerous new virus carried by USB gadgets that, for now, can’t be stopped.
Last month, security researcher Karsten Nohl unveiled a scary unstoppable virus called BadUSB at a security conference. However, he said that until there was a fix, he wouldn't make the virus public.
Well, two other security researchers, Adam Caudill and Brandon Wilson, decided not to wait and have put their version of the superbug online for anyone to use.
The two independent security researchers, who declined to name their employer, say that publicly releasing the USB attack code will allow penetration testers to use the technique, all the better to prove to their clients that USBs are nearly impossible to secure in their current form. And they also argue that making a working exploit available is the only way to pressure USB makers to change the tiny devices’ fundamentally broken security scheme.
Unfortunately, making it public also makes it available to any hacker in the world. That's a very, very bad thing.
Here's what a flash drive infected with BadUSB can do after being plugged into a PC:
- Take over a PC
- Alter files invisibly
- Redirect a user's Internet traffic
- Install new malware to a PC
The worst part is that because it hides in USB firmware - that's the operating system of USB hardware - security software can't detect or stop it.
Because it affects the firmware of the USB’s microcontroller, that attack program would be stored in the rewritable code that controls the USB’s basic functions, not in its flash memory—even deleting the entire contents of its storage wouldn’t catch the malware. Other firmware tricks demonstrated by Caudill and Wilson would hide files in that invisible portion of the code, or silently disable a USB’s security feature that password-protects a certain portion of its memory.
Caudill and Wilson even came up with a tweak that would allow an infected USB drive to infect a computer with BadUSB, which would then infect any other USB drive that was plugged in.
In short, millions of flash drives could eventually have an undetectable virus. Fortunately, the researchers are still debating releasing that tweak - although I don't doubt a hacker could eventually come up with the same wrinkle.
So, what can you do to stay safe? The unfortunate answer is not much.
USB manufacturers will have to completely change how USB drives work to stop this virus. Nohl predicts it will take 10 years to completely fix the problem even if manufacturers started tomorrow.
The best thing to do is never let anyone plug a flash drive in to your computer, and never use your flash drives on computers you don't own. That does kind of defeat the purpose of flash drives though.