Security researchers Karsten Nohl and Jakob Lell have unearthed a fundamental security flaw in USB devices. Their exploit, called "BadUSB", is described as undetectable and unpatchable: it alters or reverse engineers the USB firmware to wreak havoc on any connected device, including a computer.
How the BadUSB Infection Spreads
The report suggests that, unlike a typical USB malware infection or Trojan attack, this exploit leaves no detectable trace in system memory or flash memory and instead stays hidden inside the firmware.
The catch is that it is impossible to tell whether firmware has been breached or hacked without actually checking the device firmware against an authenticated or code-signed version from the USB maker, according to Nohl and Lell's explanation to Wired.
The element of risk and surprise with Nohl and Lell's BadUSB exploit surpasses all the average USB infections we have seen to date, given its potential to travel both ways between the computer and the USB device as the malware transforms itself into a tool for reprogramming firmware and manipulating the system.
Consequences of BadUSB Infections
Nohl and Lell have reportedly confirmed that their test hack succeeded on an Android handset plugged into a PC; the exploit starts its dirty tricks once it has infected the USB firmware.
For instance, the exploit is capable of replacing the original software on the system with a corrupted or back-doored or hacked version. It can even imitate a USB keyboard function and start typing strange commands.
"It can do whatever you can do with a keyboard, which is basically everything a computer does," asserts Nohl.
The BadUSB exploit can also change the computer's DNS settings to hijack internet traffic, or transmit confidential data from the infected system to a destination of its choosing without authorisation.
The exploit can even perform a man-in-the-middle attack to spy on and redirect information from the victim's machine. In other words, it can impersonate a spying device known as Cottonmouth, which made waves in the tech industry amid the Edward Snowden leaks.
Solution to Prevent BadUSB Infections
Wired has confirmed that the only way to avert a disaster with a BadUSB infection is to prevent the infection in the first place by following a few simple rules:
- Do not connect your USB drive to any untrusted device or computer.
- Always ensure that you are using a trusted USB drive or USB devices with your own computer.
- As an alternative, private companies could change their formal USB usage policies to restrict employees to company-accredited USB devices or USB drives with strict code-signing protections.
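An added example (not from the researchers or Wired) of how the accredited-device rule above could be checked on a Linux host: it reads each attached USB device's interface classes from sysfs and flags storage devices that also present a keyboard, as well as devices missing from an approved list. The device IDs and the approved list are constructed; because reprogrammed firmware can report any vendor and product ID, this enforces policy and spots a keyboard interface where none is expected, but it does not verify firmware.

```python
from pathlib import Path

HID, MASS_STORAGE = 0x03, 0x08            # USB interface class codes
BOOT_SUBCLASS, KEYBOARD_PROTOCOL = 0x01, 0x01

def read_sysfs(root="/sys/bus/usb/devices"):
    """Return [{'id': 'vid:pid', 'interfaces': [(class, subclass, protocol)]}] on Linux."""
    devices = []
    for dev in sorted(Path(root).iterdir()):
        if ":" in dev.name or not (dev / "idVendor").exists():
            continue  # interface nodes are read under their parent device
        text = lambda p: p.read_text().strip()
        interfaces = [
            tuple(int(text(iface / field), 16) for field in
                  ("bInterfaceClass", "bInterfaceSubClass", "bInterfaceProtocol"))
            for iface in sorted(dev.parent.glob(dev.name + ":*"))
        ]
        devices.append({"id": f"{text(dev / 'idVendor')}:{text(dev / 'idProduct')}",
                        "interfaces": interfaces})
    return devices

def audit(devices, approved_ids):
    """Flag keyboard-capable or unapproved devices (boot-protocol keyboards only)."""
    findings = []
    for d in devices:
        classes = {cls for cls, _, _ in d["interfaces"]}
        keyboard = (HID, BOOT_SUBCLASS, KEYBOARD_PROTOCOL) in d["interfaces"]
        if keyboard and MASS_STORAGE in classes:
            findings.append((d["id"], "storage device also presents a keyboard"))
        elif keyboard and d["id"] not in approved_ids:
            findings.append((d["id"], "keyboard interface on unapproved device"))
        elif d["id"] not in approved_ids:
            findings.append((d["id"], "device not on approved list"))
    return findings

# Constructed inventory and approved list (assumptions, not real hardware IDs).
SAMPLE = [
    {"id": "aaaa:0001", "interfaces": [(0x08, 0x06, 0x50)]},   # thumb drive
    {"id": "aaaa:0002", "interfaces": [(0x03, 0x01, 0x01)]},   # keyboard
    {"id": "bbbb:0009", "interfaces": [(0x08, 0x06, 0x50), (0x03, 0x01, 0x01)]},
    {"id": "cccc:0003", "interfaces": [(0x03, 0x01, 0x01)]},
]
APPROVED = {"aaaa:0001", "aaaa:0002", "bbbb:0009"}

if __name__ == "__main__":
    for device_id, reason in audit(SAMPLE, APPROVED):
        print(device_id, reason)
```

On a live host, pass `read_sysfs()` to `audit()` in place of `SAMPLE`; root hubs appear in that listing and need an entry in the approved list.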
Black Hat Security Conference and NSA
The researchers have confirmed that they will showcase their creation at the upcoming Black Hat security conference in Las Vegas and demonstrate how the exploit works on thumb drives, mice, keyboards, Android smartphones and PCs.
Meanwhile, speculation is rife that the NSA is already employing the hack tool in its routine work.