USB drives aren’t secure, researchers say

It’s no big surprise USB drives can carry malware, or that they can infect our computers if we don’t use antivirus software and reformatting to keep them malware-free.

But those aren’t the only reasons USB drives are not secure, say researchers at SR Labs. By creating their own malware, named “BadUSB,” they’ve found USB devices have deeper, more fundamental problems in terms of their security. A USB drive carrying BadUSB can take over a PC, change files on a memory stick without a user noticing, and redirect that user’s Internet traffic – and as the malware is housed inside a USB drive’s firmware, rather than in the flash memory storage, its code can’t be deleted even after all the other files on the drive have been wiped, according to a story by Wired.

The worst part of all this is the USB drive can’t be patched, say the two researchers who made the discovery. Karsten Nohl and Jakob Lell spent months reverse-engineering a USB drive’s basic firmware, altering the controller chips allowing USB drives to communicate with a PC through a USB port and to transfer files between the PC and USB drive. That means cleaning a USB through scanning and deleting files doesn’t deal with the firmware itself. They’ll be presenting their findings next week during Black Hat, a security conference in Las Vegas.

Nor is this discovery limited to just USB drives – any USB device can have its firmware reprogrammed, and that includes keyboards, mice, and smartphones. That means the list of possibilities is endless, with a hacker using this technique being able to replace software with corrupted versions, to type commands, to siphon traffic off to other servers, or to spy on communications from one machine to another.

Given what Nohl and Lell have found, what does this mean for consumers using USB drives? Essentially, we’ll have to approach their use in a whole different way – almost like hypodermic needles, Nohl told Wired. Any time users connect a USB drive to their desktops, they’ll need to be mindful of who gave it to them, and whether that person is trustworthy, which takes away from the convenience of using the drive.

The alternative would be to convince USB device makers the threat is real – but in the meantime, USB drive users will just have to pay attention to how they’re using them.

Candice So
Candice So
Candice is a graduate of Carleton University and has worked in several newsrooms as a freelance reporter and intern, including the Edmonton Journal, the Ottawa Citizen, the Globe and Mail, and the Windsor Star. Candice is a dog lover and a coffee drinker.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

ITB in your inbox

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

More Best of The Web