'BadUSB' malware highlights the danger of plugging random mystery drives into your computer

New malware exploits USB, but isn't really that scary
By Derek Kessler on 31 Jul 2014 05:17 pm EDT

Another day, another apocalyptic prognostication of computer security doom, this time focusing on the omnipresent USB connection. It's called 'BadUSB', and it's a malware proof-of-concept created by security researchers Karsten Nohl and Jakob Lell that exploits a flaw in and resides in the firmware that controls the basic function of USB devices. The researchers claim that it's not a problem that can be patched, saying that they're "exploiting the very way that USB is designed," but in the end all they've done is highlight that you shouldn't go around plugging USB drives, devices, or whatnot that you don't trust into your computer.

There are a lot easier ways to hack most any computer, especially when this method requires achieving physical access. As we've said many times before, once you've lost physical control of your device, all bets are off. This is just one more way, although it's exploiting something that we take for granted these days.

Because the BadUSB code lives in the USB firmware of the device, it's not something that can be easily purged from a device. Wiping or reformatting a USB drive doesn't touch the USB firmware, so the malware would still be present. BadUSB could allow any connected computer to be exploited over that connection, with Nohl and Lell offering more traditional exploits from there such as replacing files on the computer with additional malware, acting as a virtual keyboard to execute commands on the computer, or hijacking and spying on internet traffic.

BadUSB is also self-propagating: it can copy itself onto a computer and reprogram the USB firmware of other attached USB devices. It can even reside in non-storage devices, such as smartphones and mice.

While we doubt that this is in fact an impossible-to-patch exploit — certainly, patching the USB firmware on computers to prevent such access seems like a possibility, and very few would likely go through the effort of patching their flash drives — in the meantime it poses a theoretical challenge for users.

But it all boils down to this: Don't plug anything you don't trust into your computer, your smartphone, or your tablet. That's pretty much common sense, though, so just think before you plug your phone into a random computer to charge, or you accept a USB drive from a stranger. Be smart about what you plug into your computer, and (far more importantly) keep your eyes open for the online threats that are coming at you every day in the real world.

Source: Wired

Derek Kessler Derek Kessler "Managing Editor of Mobile Nations" 88 (articles) 5 (forum posts)

Reader comments

'BadUSB' malware highlights the danger of plugging random mystery drives into your computer


There is need for a safety housing that cover the USB stick before insert it into a USB port.

Using Z10, wanting Z30, eyeing Windermere

You're right - I'm surprised that the LRC haven't already seen this as a business opportunity

(LRC = London Rubber Company - their most famous trademark is Durex.....)

Haha! Wrap that up B!!

Swiped via CB10 with my T-Mobile USA (Only T-Mo rep still pushing  ) new  BlackBerry Z30 (STA100-5), son! The Thor's Hammer of phones! Member of "Club Z30 "..... the most exclusive club in mobile. Once you go BlackBerry, everything else is wack-berry! #longestsignatureeverthatishortenedabit

The impact of this is somewhat staggering considering all those cheap USB keys from China or anywhere else for that matter. What a perfect way to infect the world.

Tapped and flicked from my BlackBerry Z30!

I believe there was a test a few years ago where they left random USB sticks on the street and measured how many people actually picked them up and used them, if I recall correctly the results of people who did were pretty high so to answer your question..... a lot of people.


Edit: Found the link - http://thenextweb.com/insider/2011/06/28/us-govt-plant-usb-sticks-in-security-study-60-of-subjects-take-the-bait/


“Computer disks and USB sticks were dropped in parking lots of government buildings and private contractors, and 60% of the people who picked them up plugged the devices into office computers. And if the drive or CD had an official logo on it, 90% were installed.”

@bla1ze... that's incredible how many people are dumber than me because I would never do such a thing and I'm pretty short on smarts,HAHA

They should have turned around and sale the USB for cheap. Pocket some money and forget about it.

Using Z10, wanting Z30, eyeing Windermere

So just go around and ask other total strangers to buy a random USB stick??? that's even more sketch lol Good luck!!

Posted via the Android CrackBerry App!

Police do it all the time......stores often copy security videos to usb drives then the cops plug those into their work computers.

Posted via CB10

It is actually very common. Consider how many times you or someone you know said "hey give me a copy" or "let me print this off" and then we go for the trusty USB stick. Stick to NFC, Bluetooth and other wireless transfers....its like how they "transfer biological liquids" on Demolition Man (2 points for anyone who remembers that scene).

Blackberry keeps Johnson National LLC moving

Quick, someone design a USB condom so we can keep plugging away and indiscriminately sticking our drives everywhere.

Can't imagine having to scan a drive before inserting it into a pc or the like, then again, I never thought Orlando Bloom would be the man to try and smack Bieber so I guess anythings possible.

From my Vader Zed

What is missed here is that not all usb devices have firmwares you can.update.

So a logitech mouse is affected since you can upgrade the firmware.

But on other devices the firmware is read only so unless they drop some malware on it at the factory I don't see how this will work.

The article picture... isn't that a palm/hp pre USB cable. hehe oh I miss my pre

Posted via CB10

How is this different than the multiple USB.sys or autorun infections I've been cleaning from jump drives for years now?

Posted via CB10

"Because the BadUSB code lives in the USB firmware of the device, it's not something that can be easily purged from a device. Wiping or reformatting a USB drive doesn't touch the USB firmware, so the malware would still be present. "

So the difference is that it's harder to rid the malware from the USB drive. I'm sure it's possible, but I sure don't know how to.

Posted via CB10

That's the main reason my company has physical blocks on all of its workstations you can't even plug in your phone to charge it.

Z30 and loving it!

I am sorry but I thought this was common knowledge...why would you out any random device in your computer that you do not know the origin. It is like letting a stranger in your house when you aren't there...

Posted via CB10

Does this not also imply that if your phone were targeted with a very specific malicious software that affects its USB connection, anything you plug your phone into could potentially also be at risk. More specifically if, for instance, your phone was not manufactured by the best in the biz when it comes to mobile security.

Posted via CB10

Nowadays so many documents come with a jump drive. Our mortgage company plopped one down along with the the hard copy of our mortgage. I just attended a professional conference where we each got a jump drive with all the presentation materials. Our landscaper gave us one with the plans on it, etc, etc, etc.

Posted via CB from "Z" best

Always targeting microsoft windows. But never linux. Lol.

Posted via CrackBerry 10 (CB10) application using my BlackBerry Q10.

I was wondering. Can you infect a system with this firmware bug?

Automount is disabled on my system, and silly autorun.inf and dodgy EXEs won't do much in Linux. You can always "mount -o ro" or sandbox it...

Zzzzwiped from a Zedevice....

This is old news the USBRubberDucky has been around for ages the only thing that is new here is using the idea for spoofing network cards.

My computer antivirus scans all my drives...good or not?...Are you saying that the scan by Kaspersky won't catch it???

is it Linux OS conputer or Blackberry 10 device safe? are they easily infected by malvare or spyware by this method?

Posted via CB10

I work in a camp environment. We all trade disks and hard drives. For music and flicks. 150 people at any given time

Posted via CB10

It is OS independent since it is firmware. However, I am pretty sur the exploit is OS dependent, however, real crackers detect the OS, so.... then again, would they go through the hassle of writing OS independent exploit when 90+% of computers are windows?

BTW, the physical access story is BS.... how long does it take to plug a USB key into a socket, walk away for three minutes, come back, and unplug it compared to plugging a USB key in and grabbing the keyboard to launch your attack?

I am thinking of all shops, banks etc that have USB ports staring at you.

If Windows blocks the USB port, you are out of luck, it is firmware, you need to disable the ports in the bios/firmware of your device.

Just my 2 cents

Posted via CB10