With over 3 billion USB devices shipped a year (a large proportion of them USB flash drives), there is no doubt that the majority of us are familiar with this technology.
Indeed, with USB flash drives in particular, most if not all of us have owned one or many in the past.
With how often we all mindlessly insert our flash drives into computers, you would think that these nifty little devices are immune to security breaches. The truth of the matter, however, is that all USB products, including flash drives, are vulnerable to several incredibly destructive forms of malware.
To understand why they are vulnerable, you first need to understand that all USB devices include a firmware chip, which controls their basic, bare-bones functions.
Think of firmware as being akin to your brain stem, in that it unconsciously regulates some basic (but vital) functions in USB devices, like how they communicate with computers.
Why is this significant? Well, one form of malware, dubbed “BadUSB,” infects USB products by latching onto their firmware. But that’s not all you have to look out for. “USBdriveby” remotely attacks your computer’s USB ports, and is equally difficult to detect.
What is BadUSB and how does it work? As I hinted at above, BadUSB is a kind of malware that basically exists within the code of a USB device’s firmware.
When you plug in a USB device infected with BadUSB, the malware has the capability to “completely take over a PC, invisibly alter files installed from the memory stick, [and] even redirect [your] internet traffic.”
BadUSB and malware like it are dangerous because they’re incredibly hard to defend against. Standard virus and malware scanners won’t detect them, because those scanners are unable to check a device’s firmware.
The only way to really know if a USB device has BadUSB would be to analyze its firmware code line by line and see where the malware was inserted. Obviously, that’s no small task for the average user or even most experts.
If BadUSB doesn’t scare you, then USBdriveby might. USBdriveby is essentially a remote that interacts with your computer’s USB ports, gains access, and proceeds to wreak havoc.
Like BadUSB, USBdriveby takes advantage of the inherent flaws within USB protocols. First, it pretends to be a USB mouse or keyboard. Then, it shuts down your computer’s security, opens up a backdoor so that a hacker can later gain access, and exits your system without leaving a trace.
Unless you’re really good at rummaging through your computer’s operating system, you won’t find the backdoor until it’s too late.
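As an added example (not from the original article): on Linux, the class each USB interface declares is readable under /sys/bus/usb/devices, so a short script can list which attached devices present themselves as a keyboard or mouse, the disguise described above, and flag a storage device that also does. The sample tree, the device names and the HIGH/REVIEW labels are constructed for illustration; the script reports only what a device declares, not what its firmware contains.

```python
import os
import tempfile

HID, MASS_STORAGE = 0x03, 0x08          # USB-IF interface class codes
HID_PROTOCOLS = {0x01: "keyboard", 0x02: "mouse"}

def _read(path, default=""):
    try:
        with open(path) as f:
            return f.read().strip()
    except OSError:
        return default

def scan(root="/sys/bus/usb/devices"):
    """Map each device to the set of (class, protocol) pairs it declares."""
    devices = {}
    for entry in sorted(os.listdir(root)):
        if ":" not in entry:             # "1-2" is a device, "1-2:1.0" an interface
            continue
        cls = _read(os.path.join(root, entry, "bInterfaceClass"))
        proto = _read(os.path.join(root, entry, "bInterfaceProtocol"), "00")
        if cls:
            pair = (int(cls, 16), int(proto, 16))
            devices.setdefault(entry.split(":")[0], set()).add(pair)
    return devices

def findings(devices):
    """Flag every device able to send input; storage + HID composites rank highest."""
    out = {}
    for dev, ifaces in devices.items():
        kinds = sorted(HID_PROTOCOLS.get(p, "other HID") for c, p in ifaces if c == HID)
        if kinds:
            storage = any(c == MASS_STORAGE for c, _ in ifaces)
            out[dev] = ("HIGH" if storage else "REVIEW", kinds)
    return out

def build_sample_tree():
    """Constructed sample: 1-1 is a plain flash drive, 1-2 is a drive plus keyboard."""
    root = tempfile.mkdtemp()
    sample = {"1-1:1.0": ("08", "50"), "1-2:1.0": ("08", "50"), "1-2:1.1": ("03", "01")}
    for name, (cls, proto) in sample.items():
        os.makedirs(os.path.join(root, name))
        for fname, value in (("bInterfaceClass", cls), ("bInterfaceProtocol", proto)):
            with open(os.path.join(root, name, fname), "w") as f:
                f.write(value + "\n")
    return root

if __name__ == "__main__":
    for dev, (level, kinds) in findings(scan(build_sample_tree())).items():
        print(f"{dev}: {level} declares {', '.join(kinds)}")
```

Calling `scan()` with no argument reads the live sysfs tree on a Linux machine; a genuine keyboard or mouse will show up as REVIEW, so the result is an inventory to compare against what you expect to be plugged in.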
Can USBdriveby be stopped? Not really, since the problem lies in USB architecture itself, meaning you’d need to strip your devices of USB ports to keep them completely safe.
All you can really do to stop something like USBdriveby is to keep your electronics away from anything resembling the remote/microcontroller device used in the attack.
What about something like BadUSB? Can anything be done about that? Well, again, not really, but you can take steps to defend yourself. Basically, you just need to be more cautious when you’re using USB devices.
For instance, don’t plug your flash drive into a suspicious computer, and don’t plug a suspicious flash drive into your computer.
Yes, in some sense, researchers are asking that we treat USB devices like “hypodermic needles.”
Beyond getting us to be more wary around USB products, researchers are making an effort to get companies and USB manufacturers to acknowledge that these kinds of malware are a major issue. They hope this will lead to changes not only in the way we use these devices, but in the way they are designed.
It was only a matter of time before people started to try to take advantage of a ubiquitous technology like USB. Might it be time to move on to other, more secure forms of data distribution? With the rise of cloud services like Dropbox, perhaps (though these have their own issues).
Still, I don’t think we’ll be giving up USB any time soon, if only for the sake of convenience. Let’s hope that somebody develops a fix that removes the enormous vulnerabilities inherent to the USB architecture, or else we could all be facing malware-related problems in the future.