USB storage flash drive secret lock key © luchschen Shutterstock

USB Devices Wide Open To Hack, Warn Researchers

The security of USB devices is fundamental broken by a hack that cannot be detected, warns researchers

On by Tom Jowitt 3

Commonly used USB devices such as a keyboard, mouse, or thumb drive, are completely vulnerable to hacking, security researchers have warned.

Indeed, the flaw with the humble Universal Serial Bus is so serious, it could be used to create havoc on any computer.

Hidden BadUSB

The warning came from security researchers Karsten Nohl and Jakob Lell. According to Wired.com, the two reverse engineered (i.e. reprogrammed) the firmware that controls the basic communication functions of USB devices. They then created a piece of malware, dubbed ‘BadUSB’, and loaded it into the firmware of the USB device.

usbdrive2What makes this development so alarming, is that once BadUSB is surreptitiously installed on a USB device, it can “completely take over a PC, invisibly alter files installed from the memory stick, or even redirect the user’s internet traffic.”

Even worse, because the BadUSB malware resides in the firmware of the USB device, and not in its flash memory storage part, it can remain hidden and undetected, even if the actual content of the USB device is wiped clean.

“You cannot tell where the virus came from. It is almost like a magic trick,” Nohl was quoted as saying by Reuters.

Both Nohl and Lell will revealed their research at the upcoming Black Hat security conference in Las Vegas. And it seems as though there is no easy fix to the problem, because the flaw exploits the main design principle of all USB plug-and-play devices.

“You can give it to your IT security people, they scan it, delete some files, and give it back to you telling you it’s ‘clean,’” Nohl was quoted by Wired as stating. He said that unless the IT department  has the reverse engineering skills to find and analyse that firmware, “the cleaning process doesn’t even touch the files we’re talking about.”

USB Vulnerability

“We’ve all known if that you give me access to your USB port, I can do bad things to your computer,” University of Pennsylvania computer science professor Matt Blaze was quoted as saying. “What this appears to demonstrate is that it’s also possible to go the other direction, which suggests the threat of compromised USB devices is a very serious practical problem.”

Back in 2010, Memory giant Kingston Technology admitted that some of its supposedly secure USB sticks could be hacked because of a password flaw, and asked customers to return the devices for an update.

Are you a security pro? Try our quiz!

Tom Jowitt
Author: Tom Jowitt
Freelance TechWeek Reporter
Tom Jowitt Tom Jowitt Tom Jowitt
Techweekeurope for mobile devices
Android-App Google Currents App for iOS

Last comment




3 replies to USB Devices Wide Open To Hack, Warn Researchers

  • On August 2, 2014 at 6:12 pm by Heimdall

    I’m sure you mean surreptitiously, not superstitiously. Unless, that is, your definition of hex in a computing context has nothing to do with base 16 counting….

  • On August 4, 2014 at 11:18 am by Stephen

    Are rational people safe from BadUSB, seeing as it needs to be installed superstitiously?

  • On August 6, 2014 at 2:52 pm by Max Smolaks

    Alright alright, we fixed it. Thanks for approaching this with humour. :)

Leave a Reply

  • Required fields are marked *,
    Your email address will not be published.

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>