What if I told you…that I could plug a brand name, ordinary USB drive into your computer (Mac, Linux, Windows doesn’t matter) and fool your machine into thinking that my USB drive is actually a network adapter?
You might say “so what”.
But then what I told you that this bad adapter uses a malicious DNS server which surreptitiously intercepts web traffic, exposes logins and capture credit card numbers?
But that’s not all.
What if I told you that I could make your computer think my innocuous USB drive is actually a keyboard. And under the disguise of a keyboard I covertly send commands to install malware? All this happens silently in the background without your knowledge. There’s no visual indication that your USB drive has an egregious case of multiple-personality disorder.
And what if I told you that your hijacked USB drive appears as a normal USB drive in the Windows Device Manager and the Finder on your Mac?
What if I told you that installing antivirus can’t fix the problem because antivirus can’t detect the problem?
Oh, and what if I told you that reformatting the USB drive, and even your Operating System for that matter, wouldn’t destroy the threat?
You would say:
Vonnie, you lie.
Unfortunately – I’m being dead honest.
According to well known cryptographer and security researcher Karsten Nohl and Linux savant Jakob Lell, my hypothetical questions aren’t fiction. In fact, Nohl and Lell plan to demonstrate the proof-of-concept at the BlackHat conference on August 6th and 7th.
There’s a new form of malware on the block that injects itself into the firmware and completely transforms the identity of the device.
Think of it like demon possession… but for devices.
Nohl and Lell posit that a nefarious hacker can reprogram the embedded software in the USB drive to make it masquerade as another device. Once the poor USB stick takes on it’s new purpose it can be used to spy on the you, steal data and wreak havok on the system.
At the conference they will “demonstrate a full system compromise from USB and a self-replicating USB virus not detectable with current defenses.”
The problem is that almost all the USB drives out there will happily take any firmware update you throw at them. Since most USB drives don’t have cryptographic signing criteria for upgrading firmware, they will blithely take on your update and become virtual zombies in the hands of an odious hacker.
Unless you can physically guard your USB ports at all times, there’s no real way to stymie this threat. Thus, in one sense, the ubiquity of the USB standard is both a boon and a bane. On the one hand, USB let’s us plug not only our smartphones and tablets into our computers, but also our webcams, microphones and even desk fans! But on the other hand, the USB exploit discovered by Nohl and Lell, called BadUSB, means that your plug-in desk fan could become a keyboard that furtively sends commands to delete your files, infect other devices or log your keystrokes.
But if that wasn’t bad enough, there’s something else really insidious about this threat that bothers me.
If you looked in the Windows Device Manager, the compromised USB drive would still appear as a normal USB drive. In other words, you could presumably still use it to copy and transport files. If the firmware was hacked in a such a way to allow it to take on both roles concurrently, then there’s nothing stopping that drive from functioning like an authentic storage medium and a duplicitous keyboard.
Also, since the exploit occurs at a low software level: firmware, turning off auto-play probably wouldn’t avert the threat. That’s why reformatting the drive doesn’t fix the problem because the issue lurks in embedded software.
Have you ever walked into a Delta terminal and seen all those people charging their smartphones and tablets while they wait to board the plane?
You see where I’m going with this right?
What would happen if someone installed a BadUSB charging pod that effectively charged connected devices but also siphoned your files, photos and privacy settings?
Most people would say that I’m being silly because nobody is going to implement BadUSB in the way I’ve imagined; but, it’s still a possibility isn’t it? I mean, what’s to stop something like that from happening?
What do you think of BadUSB? Please share your thoughts in the comments.