USB Technology Has a Fundamental Security Vulnerability

The Citizen's Guide to the Future
July 31 2014 4:07 PM


Wipe the flash memory all you want, it won't help with the real problem.

Image from Shutterstock/Ensuper.

Flash drives and USB peripherals—that is, basically every gadget—could be carrying malware without any evidence in their flash memory. According to new research that will be presented next week at the Black Hat security conference, it is possible to hide malware deep within USB technology at the firmware level. Oh, great.

Wired, which first reported on the findings, says that researchers Karsten Nohl and Jakob Lell from the security firm SR Labs can take over and control a PC with the BadUSB malware they developed to lurk in the base-level software that mediates between hardware and higher-level software like an operating system. They’re white hat hackers, trying to find and exploit security flaws as a proof of concept and a way of motivating the tech community to develop fixes.


Wiping a flash drive or scanning it with anti-virus software won’t detect the malware. Only reverse-engineering the firmware the way Nohl and Lell did can expose the foreign code lurking in it, and few consumers have the know-how to do that. Plus, even if you could do that, it might be hard to identify the malware code as malicious, because USB firmware varies and there isn’t a single standard to compare to.

So with BadUSB, or something like it, safely in place, the malware can do pretty much anything, like controlling a keyboard to type commands, leaving backdoors in software, or surveilling Internet use on a device. University of Pennsylvania computer science professor Matt Blaze also told Wired that he suspects the NSA has already developed attacks like this. “I wouldn’t be surprised if some of the things [Nohl and Lell] discovered are what we heard about in the NSA catalogue,” he said, referring to Cottonmouth, an NSA malware distribution program that uses USB drives.

There’s no patch for this problem, so the best way to defend yourself for now is to think about how you protect yourself from getting sick and apply the same approach to your computer. Don’t share your thumb drives, don’t plug them into a public or untrusted computer, and don’t plug a USB peripheral or thumb drive that isn’t yours into your computer. It’s difficult to do, because we all use USB technology for easy sharing, but hopefully it’ll just be a stopgap measure while researchers work on long-term fixes. For example, USB firmware could have a signature that indicates if the original code has been tampered with or changed. And companies working on anti-virus for peripherals—like Red Balloon Security, which Slate reported on earlier this year—should be able to detect the changes.

Or what about USB condoms?! For now, you’ll have to practice safe sharing.

Future Tense is a partnership of Slate, New America, and Arizona State University.

Lily Hay Newman is lead blogger for Future Tense.
