German security researchers have found a serious flaw in the software running on USB drives that would enable hackers to easily reprogram them so that they can then infect a PC with malware or redirect network traffic without the user's knowledge.
In every USB device, be it a memory stick, PC, smartphone or external hard drive, there is a USB micro-controller chip which controls the USB connection between your device to other devices. The micro-controller chip has its own tiny operating system to tell it what to do.
SR Labs' Karsten Nohl and Jakob Lell have discovered that it is possible to hide malware in the flash memory of USB devices that can reprogram the micro-controller chip to infect a host PC, which can then infect all the USB devices plugged into it.
Nohl and Lell say the problem is that "USB has become so commonplace that we rarely worry about its security implications. USB sticks undergo the occasional virus scan, but we consider USB to be otherwise perfectly safe — until now."
Security researchers have theorised for several years that it is possible for USB devices to be compromised, and some in the industry think that the NSA might already be making use of this vulnerability, but this is the first time that it has been demonstrated in reality.
The researchers designed a malware called "BadUSB" which can pretend to be a computer keyboard and issue commands on behalf of the logged-in user, such as opening an internet browser and surfing to a malicious website that installs malware, or to open a Windows Command Prompt (cmd.exe) to install more malware.
It could also make the USB device pretend to be a network card, thereby changing the computer's DNS settings so that network traffic is redirected to the hacker's server.
The USB Implementers Forum, the offical USB standards body, told Wired that in light of this flaw, you should only use USB devices that you completely trust.
You can't remove the malware unless you reprogram the chip in all of your USB devices, and the malware hidden in the device is impossible to detect.
SR Labs writes in a blog post: "No effective defences from USB attacks are known. Malware scanners cannot access the firmware running on USB devices. USB firewalls that block certain device classes do not (yet) exist. And behavioural detection is difficult, since a BadUSB device's behaviour when it changes its persona looks as though a user has simply plugged in a new device."
Trying to reinstall the operating system on a PC won't help either, as the malware can hide in the USB components in a PC such as a hardwired webcam and won't be affected.
Nohl and Lell have prepared a full demonstration of the attack for the Black Hat ethical hackers conference on 7 August in Las Vegas, where they will discuss solutions to how USB can be better secured from malware.