'BadUSB' malware highlights the danger of plugging random mystery drives into your computer

Another day, another apocalyptic prognostication of computer security doom, this time focusing on the omnipresent USB connection. It's called 'BadUSB', and it's a malware proof-of-concept created by security researchers Karsten Nohl and Jakob Lell that exploits a flaw in, and resides in, the firmware that controls the basic functions of USB devices. The researchers claim that it's not a problem that can be patched, saying that they're "exploiting the very way that USB is designed," but in the end all they've done is highlight that you shouldn't go around plugging USB drives, devices, or whatnot that you don't trust into your computer.

There are a lot of easier ways to hack almost any computer, especially since this method requires physical access. As we've said many times before, once you've lost physical control of your device, all bets are off. This is just one more way, although it's exploiting something that we take for granted these days.

Because the BadUSB code lives in the USB firmware of the device, it's not something that can be easily purged from a device. Wiping or reformatting a USB drive doesn't touch the USB firmware, so the malware would still be present. BadUSB could allow any connected computer to be exploited over that connection, with Nohl and Lell describing more traditional exploits from there, such as replacing files on the computer with additional malware, acting as a virtual keyboard to execute commands on the computer, or hijacking and spying on internet traffic.

BadUSB is also self-propagating: it can copy itself onto a computer and reprogram the USB firmware of other attached USB devices. It can even reside in non-storage devices, such as smartphones and mice.

While we doubt that this is in fact an impossible-to-patch exploit — certainly, patching the USB firmware on computers to prevent such access seems like a possibility, and very few would likely go through the effort of patching their flash drives — in the meantime it poses a theoretical challenge for users.

But it all boils down to this: Don't plug anything you don't trust into your computer, your smartphone, or your tablet. That's pretty much common sense, though, so just think before you plug your phone into a random computer to charge, or you accept a USB drive from a stranger. Be smart about what you plug into your computer, and (far more importantly) keep your eyes open for the online threats that are coming at you every day in the real world.
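The behaviour described above, a storage device that also presents itself to the host as a keyboard or a network adapter, is something a host can at least flag at enumeration time. The script below is an added example, not code from the article or from Nohl and Lell's research: it assesses constructed device records (the device list and its vendor/product ids are placeholders) by the USB interface class codes each device exposes.

```python
from dataclasses import dataclass

# USB interface class codes (bInterfaceClass values from the USB-IF class list)
USB_CLASS_CDC = 0x02            # communications control (USB network adapters)
USB_CLASS_HID = 0x03            # human interface devices: keyboards, mice
USB_CLASS_MASS_STORAGE = 0x08   # flash drives, card readers
USB_CLASS_CDC_DATA = 0x0A       # data interface paired with a CDC control interface

ROLE_BY_CLASS = {
    USB_CLASS_HID: "input",
    USB_CLASS_MASS_STORAGE: "storage",
    USB_CLASS_CDC: "network",
    USB_CLASS_CDC_DATA: "network",
}

@dataclass(frozen=True)
class Device:
    """One enumerated device: label, vendor/product id and the class of every interface."""
    name: str
    vid: int
    pid: int
    interface_classes: tuple

# Role combinations that a plain flash drive or keyboard has no reason to present.
SUSPICIOUS_COMBOS = (
    ({"storage", "input"}, "storage device also presents a keyboard/mouse interface"),
    ({"storage", "network"}, "storage device also presents a network interface"),
    ({"input", "network"}, "input device also presents a network interface"),
)

def roles(dev: Device) -> set:
    """Map the device's interface classes to coarse roles; unknown classes are ignored."""
    return {ROLE_BY_CLASS[c] for c in dev.interface_classes if c in ROLE_BY_CLASS}

def assess(dev: Device) -> list:
    """Return why a device looks like a BadUSB-style composite; an empty list means no finding."""
    present = roles(dev)
    return [why for combo, why in SUSPICIOUS_COMBOS if combo <= present]

# Constructed sample devices; the ids are placeholders, not real products.
PLAIN_DRIVE = Device("flash drive", 0x0001, 0x0001, (USB_CLASS_MASS_STORAGE,))
KEYBOARD = Device("keyboard", 0x0002, 0x0002, (USB_CLASS_HID, USB_CLASS_HID))  # keys + media keys
SUSPECT = Device("drive (reflashed)", 0x0001, 0x0001,
                 (USB_CLASS_MASS_STORAGE, USB_CLASS_HID, USB_CLASS_CDC, USB_CLASS_CDC_DATA))

if __name__ == "__main__":
    for dev in (PLAIN_DRIVE, KEYBOARD, SUSPECT):
        findings = assess(dev)
        print(f"{dev.name}: {'OK' if not findings else '; '.join(findings)}")
```

Treat a match as a triage signal rather than a verdict: a phone with USB tethering enabled legitimately exposes storage and network interfaces at the same time.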

Source: Wired

Derek Kessler

Derek Kessler is Special Projects Manager for Mobile Nations. He's been writing about tech since 2009, has far more phones than is considered humane, still carries a torch for Palm, and got a Tesla because it was the biggest gadget he could find. You can follow him on Twitter at @derekakessler.

  • If it requires x86 my Surface might be okay?
  • It doesn't require x86. It's the firmware of USB itself.
  • Since WP is sandboxed, COULD viruses still be harbored on the WPos?
  • If WP supports USB on the go one day, I'd say yes. Drivers are not sandboxed and this is not a software exploit, it's an exploit on a USB protocol level (at least it seems so, there seem to be no details so far and rightfully so).
  • so is this the reason why we have no usb on the go? and we will never get it?
  • Since I'm not MS I honestly don't know. But the USB protocol is pretty old by now (15 years or so) and it's long known for not having any security measures. So maybe it is one of the reasons MS didn't implement USB OtG yet.
    Second reason may be (and that would be the worst case) that the USB chipset used doesn't support it. But this is pure speculation on my side because I don't know the HW specs and now I don't really have much need to search it.
  • ok then . i thought you're microsoft coz you know, mikosoft xD
  • Lol, yes, it's a close call :D
  • Derek Kessler with the photographic throwback of the Palm Pre USB charging cord! Loving it!
  • I wonder, any confirmation on arm device susceptibility vs x86?
  • It's architecture agnostic - if it's in the firmware then it's irrelevant what the processor is.  The device is accessed by that architecture's USB stack. Soon as that happens, you're screwed.  x86, x64, ARM, MIPS, PowerPC, Alpha - if they have a USB stack on their OS, they are vulnerable.
  • Bugger
  • We lock out USB ports in our enterprise by default for information security reasons.
  • Is USB disabled entirely? How do you connect printers, scanners, mice, keyboards, barcode scanners, etc? Is USB disabled at the hardware level, the OS, or via software? If it's at the software level then this type of exploit may still be a problem since the hardware and OS would still go through the normal initialization steps when a device is connected to a USB port. My company disables USB storage devices for security, but it's done at the software level by our enterprise malware protection.
  • And probably things off eBay that we don't think much about, like USB replacements or bulk USB for cheap.
  • Photo printing kiosks, oh my...
  • Cash machines with easy access to the USB ports... they do run XP these days, don't-cha-know.
  • Yup! Photo printing kiosks are a much bigger threat. I wonder if there is any chance that new, unopened USB devices are also affected. Hope not, but cannot trust some of the resellers who sell the product dead cheap.
  • So we need to use protection before plugging in?!
  • Yes
  • Was waiting for the first to translate this into innuendo
  • Holy F, that really blows my mind! I applaud you, kind sir, for that pun!
  • High-volume ports may also cause significant headaches, even with required protection worn.
  • Ha
  • Now we know what this headline was about: http://wmpoweruser.com/wp8-1-update-brings-usb-condom-feature/
  • Yeah, I was thinking about cheap eBay devices also.
  • That's cray cray!
  • Actually sounds like an NSA invention.
  • There was a malware created by NSA but I doubt this has anything to do with that.
  • Not really how the NSA works. They get with hardware OEMs and hardwire methods for their own tools to exploit.
  • Look at the NSA ANT catalogue published in the MSM about a year ago. The USB device the NSA sells to spooks in other countries (read the fine print for ordering) cost over 20K with only one "infusion" for one exploit. You can buy a USB device preloaded with over 60 FREE payloads for $20 online. There are hundreds of thousands of them out there in the wild for at least 10 years. There are even directions for building your own from any USB stick. The new USB 3.1 version still supports HID standards to make it backward compatible. If you don't know, DON'T PLUG IT IN.
  • Actually I was thinking it sounds like an apple invention to get more people to use Thunderbolt.
  • Lol, is that a Palm cable in the picture???
  • hahaha! YES! That was the first thing I thought
  • Haha
  • That was the whole reason I came to the comments section! I have about 6 of those silver circle palm USB cables and I love them. Former Pre- and Pre 2 owner and proud of it.
  • Oh yes. These are really cool phones. So sad web os is gone, but luckily I got wp xD
  • Got a half dozen myself. RIP Palm and webOS. I love the "no guessing here" nature of those cables as the dot always shows you which way to plug.
  • What's funny is that I knew just from the picture that this was written by Derek.
  • i was gunna say the same thing lol
  • That's why I always wear protection, AT ALL TIMES !! Ribbed for her pleasure !!!
  • Do we need condoms for USB ports? ;-)
  • You can get keyboard condoms.... aka dust covers lol
  • Palm Charging cable lol
  • I am literally using that cable to charge/sync my Icon right now lol
  • Apocalyptic prognostication. Great name for a band.
  • It's awful, too many syllables
  • Then try saying it after a few dozen shots of tequila and a few spliffs.
  • A simple USB cable (which is actually just a wire) doesn't have firmware; it's the USB device which has one. I think?
  • Unless you have an iPhone cable. Does it have a microchip?
  • I think it does but not for USB protocol itself. That's where the vulnerability is. On the other hand there is literally no obstacle for cable manufacturer to put a chip inside the cable and intercept USB traffic. The user won't notice (until he cuts the cable open) and there you have it.
  • It would be the device itself.  Unless you want to go all conspiracy theory and suggest they are putting them in the actual plugs...
  • Well, since you brought it up...   "...the NSA has built and deployed its own USB cables at target locations—complete with spy hardware and radio transceiver packed inside."
      http://arstechnica.com/information-technology/2013/12/inside-the-nsas-leaked-catalog-of-surveillance-magic/   I know it's not the same as this exploit and it is aimed at specific targets, but it popped into my head when I read your post.
  • Yes everything is possible
  • Don't worry be happy. We will overcome, one day.
  • That HP Touchpad charging cord...
  • Sure does look like it...my HP is still going strong :)
  • I don't know if my WP is affected with this malware. It is detected on my computer running Win8.1 but I can't access the phone folders; it doesn't show up under My Computer. Tried uninstalling drivers but still the same problem. But my Symbian phone can be accessed, so temporarily I'm swapping the memory card and copying data.
  • did you try it on another PC
  • If your mobile is password protected, try unlocking the phone while connecting to the PC
  • I've not tried it on a different PC yet. And to answer @asik5, it's not password protected and I'm running WP8.0. It will show up sometimes but I have to uninstall the drivers and reconnect the phone. But now that is also not working. Should try it on a different PC.
  • Not sure how this is news, as this has been known for about as long as we've had USB drives.
  • You missed the gist of the article
  • I assume you are not reading fully. Meh
  • I think what paulheu is saying is echoed in the last paragraph. "But it all boils down to this: Don't plug anything you don't trust into your computer, your smartphone, or your tablet." Which should be a big "duh" for anyone with any computer sense.
  • Is that a Palm Pre charging USB?
  • Public chargers? Someone could place an intermediary device to infect plugging devices, like they do with the atm swipers
  • So please don't charge your phone using USB, the power socket might be infected .. Hahaha ..
  • Off topic. Has anyone asked cortana Do you like google? Do you like apple?
  • Tried Do you like IBM...
  • Yes, it said something about an impressive achievement about google.
  • Xbox video gets new update
  • Another plus for wireless charging
  • Don't you think they (hackers) will think of a possibility to exploit this too?
  • So there's basically nothing to do to fix this issue?
  • Lies
  • Derek, LOVE the Palm USB cable image, I have tons of them around my house and car...oh webOS - how I miss thee...
    Now if we could just use those TouchStones I have lying around...
  • you have to be kidding me, yesterday my lumia started getting the bad usb notification when i plug it in my pc, and apparently only when my usb drivers are installed. it refuses to charge or transfer data. i was thinking it may be something wrong with the micro port but i will test the device on another PC and if it gets recognized im getting the stone age discs out of my closet and throwing my laptop through a complete flash of the firmware and OS
  • I remember a simpler time when it was only sweets we weren't allowed to take from strangers :)
  • Even though the malware is invisible on the flash drive (USB STICK), as soon as it bridges over to your computer Windows 8 will see it and neutralise it. This is a no worries story for everyone who uses Windows Defender. I can't speak for other programs, but I would guess that they perform just as well.
  • Windows Defender and other similar programs can not stop this as it is not a virus. Consider this. By entering certain keypresses and mouse movements it is possible to disable Windows Defender (and stop alerts saying it is disabled). If you plug in a usb stick with a type of bad usb malware on it, it can appear as a mouse, keyboard, network card and a usb drive to the operating system. It can then send the keypresses and mouse movements needed to disable any anti virus programs you have running, as it appears to the operating system as just another keyboard and mouse. No anti virus program can stop this happening. Further to this, as it also appears as a network interface, it can intercept any network requests and so when you go to a website, it can redirect you without you noticing to a website that downloads a virus that gets installed as your anti virus has been disabled. On the plus side, to do all of this is quite complex so it is unlikely to be used to target home users currently as the return on investment on targeting one user will be low. However it could be used to target business (which could then lead to your details being stolen from there) and governments.
  • C'mon guys and girls, we already knew (or should) that you should be careful with drives, usbs, etc. that you connect to your device. This isn't new news really. Be careful where you put your dongle!!!, or you might catch something nasty!!! Prom 99.
  • STUXNET it was called and was used to attack Iranian nuclear facilities.
  • I don't think people realize just how nasty this could be. Theoretically every USB device out there could already be infected and we would never know. And the way something like this could spread? I don't see how you could fight it once it has gotten out there. None of the current security tools on the market could detect, let alone fix this. Add to that the fact that USB is now so ubiquitous that the EU even forces its use on all mobile devices. It took me reading this a couple times to wrap my head around it, but if it's true, this could be one of the worst security issues in IT in a very long time. It's not like you can stop using USB, and it's not like MSFT, Intel, Apple, or anyone else can just send out a patch to fix this on all USB devices.
  • I disagree. If the malware has the ability to replicate by writing new firmware to other USB devices, then the host can do the same to fix the infection. I imagine detection would not be too difficult to do either, by reading & checking the firmware from the drive before activating the device. In addition, an OS patch should be able to provide some further security by, for a trivial example, issuing a prompt if a plugged in device claims to be a keyboard and a flash drive at the same time. Like most security problems, once it is known about, then it should be relatively straightforward to provide safeguards.
  • I dealt with a number of these usb thumbdrive 'autorun' viruses at my last job at a call center. A ton of the service phone reps played games while taking calls (50+ people), which was like half of the call center. Plus on a regular basis, they moved from cube to cube for different departments, and of course they had their own usb drives that would be infected. Moving from cube to cube, I came across literally 30 computers at one point that were infected in like a week. That was ridiculous....but it kept me busy. lol
  • >scrolling through articles >see Palm Pre usb cable >get excited >it's not about WebOS or the Pre I'll brb, need to cry in the corner for a bit
  • It's just good practice not to go around plugging your stuff into random ports, whether they be USB ports or not lol.