BadUSB: Karsten Nohl and friends set up us the bomb.
USB gadgets are totally unsafe. That's the stark warning from Security Research Labs, to be given at Black Hat in Lost Wages. Basically, any USB device can do anything it wants to your PC or Mac, and there's nothing you can do to stop it, detect it, or remediate it.
tl;dr: We're screwed.
In IT Blogwatch, bloggers panic like it's 2038.
Your humble blogwatcher curated these bloggy bits for your entertainment.
Lucian Constantin reports:
Most USB devices [can] infect computers with malware in a way that cannot easily be prevented or detected. ... A malware program can replace the firmware on a USB device like a thumb drive...and make it act like some other type of device, for example, a keyboard [which] could then be used to emulate key presses and send commands to download and execute a malware program.
…Researchers from Security Research Labs have developed several proof-of-concept attacks that they plan to present at the Black Hat security conference. MORE
And Andy Greenberg adds:
The security problems with USB devices run deeper than you think: Their risk isn’t just in what they carry, it’s built into the core of how they work. That’s the takeaway from findings [of] security researchers Karsten Nohl and Jakob Lell.
…The malware they created, called BadUSB, can be installed on a USB device to completely take over a PC, invisibly alter files installed from the memory stick, or even redirect the user’s internet traffic. ... And the two researchers say there’s no easy fix. ... They spent months reverse engineering the firmware that runs the basic communication functions of USB devices.
…University of Pennsylvania computer science professor Matt Blaze...speculates that the USB attack may in fact already be common practice for the NSA. He points to a spying device known as Cottonmouth, revealed earlier this year in the leaks of Edward Snowden. MORE
So here's Karsten Nohl, via Dan Goodin:
If you put anything into your USB [slot], it extends a lot of trust. ... Whatever it is, there could always be some code...in that device that runs maliciously. Every time anybody connects a USB device to your computer, you fully trust them. ... It's the equivalent of [saying] 'here's my computer; I'm going to walk away for 10 minutes. Please don't do anything evil.
…There's no way to get the firmware without the help of the firmware, and if you ask the infected firmware, it will just lie to you. ... The next time you have a virus on your computer, you pretty much have to assume your peripherals are infected, and computers of other people who connected to those peripherals are infected.
…It's the endless struggle between do you anticipate security versus making it so complex nobody will use it. ... The power of USB is that you plug it in and it just works. This simplicity is exactly what's enabling these attacks. MORE
Oh hay, Lily Hay Newman: [You're fired -Ed.]
USB technology has a fundamental security vulnerability. ... Oh, great.
…Wiping a flash drive or scanning it with anti-virus software won’t detect the malware. Only reverse-engineering the firmware...can expose the foreign code lurking in it.
…There’s no patch for this problem, so the best way to defend yourself [is] don’t share your thumb drives, don’t plug them into a public or untrusted computer, and don’t plug a USB peripheral or thumb drive that isn’t yours into your computer. MORE
Subscribe now to the Blogs Newsletter for a daily summary of the most recent and relevant blog posts at Computerworld.