New covert malware uses USB drives to jump airgaps and works on almost every storage device
The malware was named USBee because it behaves like a bee, flitting from one place to another, while gathering data Reuters

Researchers have developed a new malware, which is capable of bypassing airgaps to access information from systems. Dubbed USBee, the malware uses USB devices, converting them into data transmitters with no hardware modifications.

USBee is designed to create electromagnetic emissions from a connected USB drive in efforts to transmit data from an air-gapped computer to an unmodified USB dongle, acting as a receiver, located a short distance from the targeted system. The malware is believed to be a marked improvement over the NSA-developed USB data retriever called CottonMouth, which first came to light after whistleblower Edward Snowden released classified NSA documents.

The malware is the creation of a research team led by Mordechai Guri, who serves as the head of research and development at Ben-Gurion's Cyber Security Center and is also the chief scientific officer at Morphisec Endpoint Security Solutions. "We introduce USBee, a malware which utilises the USB data bus in order to create electromagnetic emissions from a connected USB device. USBee can modulate any binary data over the electromagnetic waves and transmit it to a nearby receiver," the researchers said in their paper.

The malware was named USBee because it behaves like a bee, flitting from one place to another, while gathering data, Ars Technica reported. The malware is capable of operating on almost any storage device that is compatible with USB 2.0 specifications. USBee also offers a range of nine feet when transmitting data over a small thumb drive. However, when using a USB device with a cable, which can act as an antenna to extend the signal, the malware offers a range of around 26 feet.

In their paper, the researchers explain the USBee is "a new (software-only) method that turns virtually any USB connector into a short-range RF transmitter. Our method utilises the data bus in a USB connector to generate electromagnetic radiation of a specific frequency. Code on a contaminated computer can modulate data and transmit it to a nearby receiver, thus creating a type of covert communication channel. Unlike previous covert channels based on USB, our method doesn't require firmware or modification of the USB's hardware."

Air-gapping is considered to be an isolation-based security technique, which involves confidential and sensitive data stored within computers and networks that are isolated from the internet to ensure prevention of data loss. However, thanks to USBee using electromagnetic signals, an already compromised system can be manipulated to leak data, even when it is has no connectivity to the internet, Bluetooth or WiFi.

The only hitch in application would be that the computers targeted by USBee must already be infected with malware. Uninfected systems not connected to the internet would be extremely difficult to penetrate and would likely require the assistance of an insider, who could possibly gain access to sensitive data via other means. Given USBee's low cost and its ability to operate on almost any USB storage device, the malware may prove to be highly attractive to intelligence agencies and cybercrime syndicates alike.