Security research firm SR Labs has discovered a flaw in USB devices that could be exploited by attackers to inject their own code into firmware. There currently isn't any way to detect a USB-based hack, and so far no one has found any way to patch the flaw.
BadUSB makes any USB device a potential security risk
Karsten Nohl from SR Labs will be discussing the issue during the Black Hat Conference next week in Las Vegas. He said, "These problems can't be patched. We're exploiting the very way that USB is designed."
The flaw, dubbed BadUSB, works by adding malicious code to the device's controller firmware instead of simply storing a virus, say, in the flash memory on a USB thumb drive. Mr. Nohl said almost any USB device -- from keyboards to mice to computers to smartphones -- includes firmware that can be reprogrammed, and that's what BadUSB exploits.
A compromised USB device will load its malicious payload into the firmware of any other USB device it is connected to, and there isn't any way of knowing that's happened. The result is that no USB devices can be trusted to be safe unless they have never been out of your physical control and have never been connected to anyone else's gear.
The convenience of USB devices, and especially thumb drives, means they often get handed off to share files, and if any device is infected, the infection will quickly spread to other USB gear connected to your computer. That essentially makes all USB devices disposable, because once they pass out of your trusted, closed environment you have to assume that they, and your own computer, have been infected.
There aren't any official reports of BadUSB in the wild, but that doesn't mean the flaw isn't already being exploited. University of Pennsylvania computer science professor Matt Blaze said it's possible agencies such as the NSA have been exploiting the flaw for some time without detection. He cited the NSA's USB surveillance tech known as Cottonmouth as a potential example of BadUSB in action, adding, "I wouldn't be surprised if some of the things [Mr. Nohl] discovered are what we heard about in the NSA catalogue."
The only workaround for now is to keep all of your USB-equipped devices isolated, including your computer, and never connect anything to your computer that comes from a source you can't personally verify as safe. Sharing files via USB hard drives or thumb drives isn't safe, either, unless you're completely certain every other device they've been connected to can be trusted.
That mindset goes against the way we currently use USB devices and completely kills their convenience, too. Until a way to detect and overcome BadUSB is discovered and implemented, it's on end users to practice safe tech and do what they can to keep their own gear away from untrusted devices.
Since there aren't any reported incidents of BadUSB in the wild, it's possible that no devices have been infected, and that manufacturers will have a way to protect against the exploit before it becomes a widespread issue. Without a reliable way to detect BadUSB, however, we're all in the dark right now, wondering if our mice, keyboards, USB drives, and even computers have been compromised.
[Thanks to Wired for the heads up]