New Undetectable Malware on USB Devices Can Hijack Your Computer, Be Warned!
USB drives are the most widely used plug-and-play storage devices that interconnect our digital lives, and although we’re well-aware that they often carry malware infections, we rely on antivirus scans and the occasional formatting to be on a safer side. But new research reveals that the security problem with the Universal Serial Bus is built in the very way it functions – the threat is unfixable, and it could be exploited to wreak havoc on a user’s PC.
Wired reports that a pair of security researchers Karsten Nohl and Jakob Lell have written a piece of malware, dubbed BadUSB, that can be installed on a USB device to completely take over a PC to which it connects.
The malware they created can add infected software into installations, hijack the DNS settings for your browser and redirect the user’s traffic to any server it wants, or if it’s installed on a mobile device it can eavesdrop on your communication and send them to a remote location.
The nightmare scenario is that it’s virtually impossible to detect the malware; BadUSB doesn’t reside in the flash memory storage, but rather it is hidden in the firmware, thus apparently becoming undeletable by an average user. This, in turn, makes the security of USB devices fundamentally broken, and there’s no easy fix to it, the two researchers claim.
“These problems can’t be patched,” Nohl explained to Wired. “We’re exploiting the very way that USB is designed… You can give it to your IT security people, they scan it, delete some files, and give it back to you telling you it’s ‘clean’ but the cleaning process doesn’t even touch the files we’re talking about.”
So literally speaking, we can’t trust a USB even if it doesn’t contain any virus in its storage. The kicker is that the malicious software can send code both ways: it could travel from the infected USB device to the PC, and the PC could infect any USB plugged into it.
So what can be done to fix this security issue? Technically speaking, there’s currently no patch of code for BadUSB, but the more immediate answer to this problem, is to change the way we use the drives. With no solutions on the horizon, the duo suggests to treat USB devices like hypodermic needles and argues we should “consider a USB infected and throw it away as soon as it touches a non-trusted computer.”
So until the researchers and the major USB device manufacturers do come up with a permanent solution, all you can do is not to plug a USB device into any computer you don’t 100 percent trust. That may prove inconvenient, but it may save you from something that Nohl refers to as “a terrible kind of paranoia.”
Gohar is the lead editor at TechFrag. He has a wide range of interests when it comes to tech but he's currently spending a big chunk of his time writing about privacy, cyber security, and anything policy related.