News Categories

USB security is "fundamentally broken", according to two researchers

By Michael Low & Kenny Yeo - on 1 Aug 2014, 10:15am

USB security is "fundamentally broken", according to two researchers

The USB port is ubiquitous.

The humble USB port has come a long way and has just about become the default interface for, well, everything really. External storage devices, input devices such as mice and keyboards, all rely on the USB interface to communicate with the system. However, two security researchers are adamant that the security of USB is "fundamentally broken" and are going to present their findings next week.

Karsten Nohl and Jakob Lell have a collection of proof-of-concept software that highlights why the USB interface has been compromised from the start. The pair have also created a malware called BadUSB, that can be installed to completely takeover a PC. And because BadUSB is implanted in the firmware that controls a USB device's basic functions, this malware could feasibly go undetected even if the drive is formatted. In other words, there is no easy fix for this.

Nohl said, "These problems can't be patched. We are exploiting the very way that USB is designed." He also added that this malware was not simply copied, and that they spent months to reverse engineer the firmware to implement and hide the attack code. Hence, the malware cannot be cleaned using off-the-shelf software and tools and requires someone with similar reverse engineering skills to look at the altered firmware to find the malicious codes.

Worse, this form of attack is not limited to just USB storage devices, but any USB device. The pair also managed to implant the code into a USB headset.

Since there is no quick fix to this, the two researchers are calling for a change in the way we use and view USB device, but they admit that this could be difficult.

Nohl said, "In this new way of thinking, you can’t trust a USB just because its storage doesn’t contain a virus. Trust must come from the fact that no one malicious has ever touched it. You have to consider a USB infected and throw it away as soon as it touches a non-trusted computer. And that’s incompatible with how we use USB devices right now.”

Source: Wired.