The bad side of USB
Oh great, as if it wasn’t bothersome enough knowing that all our online communications are susceptible to government spying with very little we can do about it, now we’ve come to find out that just by having a USB port, there exists a pretty serious security risk every time we plug in a compatible peripheral. The problem is that virtually any of the millions of USB devices out there can be reprogrammed for malicious purposes, and there doesn’t appear to be much we can do about it.
Security Research Labs in Berlin has given a name to the fundamental flaw in USB — “BadUSB.” At issue is that every USB device has a controller chip that controls the USB connection to other devices. Those controllers have firmware, and if reprogrammed — which is easy to do since the USB-IF focused more on compatibility than security — a benign device like a keyboard or mouse can suddenly turn evil.
“A device can emulate a keyboard and issue commands on behalf of the logged-in user, for example to exfiltrate files or install malware. Such malware, in turn, can infect the controller chips of other USB devices connected to the computer,” SRLabs explains.
The device can also spoof a network card and change the computer’s DNS setting to redirect traffic. Unfortunately, there are no known defenses against this other than not using your USB devices. Malware scanners can’t access the firmware running USB devices, and behavioral detection isn’t reliable since a BadUSB device’s behavior simply looks like a user plugged in a new device.
“Once infected, comptuers and their USB peripherals can never be trusted again,” SRLabs added.
The best analogy so far comes from ExtremeTech, which likens the situation to having unprotected sex. In other words, if you plug your USB device into another PC, you can assume it’s been compromised.