'BadUSB' malware highlights the danger of plugging random mystery drives into your computer

Another day, another apocalyptic prognostication of computer security doom, this time focusing on the omnipresent USB connection. It's called 'BadUSB', and it's a malware proof-of-concept created by security researchers Karsten Nohl and Jakob Lell that exploits a flaw in, and resides in, the firmware that controls the basic functions of USB devices. The researchers claim that it's not a problem that can be patched, saying that they're "exploiting the very way that USB is designed," but in the end all they've done is highlight that you shouldn't go around plugging USB drives, devices, or whatnot that you don't trust into your computer.

There are a lot easier ways to hack most any computer, especially when this method requires achieving physical access. As we've said many times before, once you've lost physical control of your device, all bets are off. This is just one more way, although it's exploiting something that we take for granted these days.

Because the BadUSB code lives in the USB firmware of the device, it's not something that can be easily purged from a device. Wiping or reformatting a USB drive doesn't touch the USB firmware, so the malware would still be present. BadUSB could allow any connected computer to be exploited over that connection, with Nohl and Lell offering more traditional exploits from there such as replacing files on the computer with additional malware, acting as a virtual keyboard to execute commands on the computer, or hijacking and spying on internet traffic.

BadUSB is also self-propagating: it can copy itself onto a computer and reprogram the USB firmware of other attached USB devices. It can even reside in non-storage devices, such as smartphones and mice.
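As an added example (not from the original article or from the researchers), here is one defensive check for the virtual-keyboard and traffic-hijacking behaviours described above: list the interface classes each attached device presents and flag a storage device that also enumerates as a keyboard or network adapter. The class codes are the standard USB-IF values; the function names and the sample inventory are constructed for illustration, and the sysfs path assumes a Linux host.

```python
"""Flag USB devices whose interface classes do not match what they claim to be."""
from pathlib import Path

# USB-IF base class codes as reported in bInterfaceClass
HID, MASS_STORAGE = 0x03, 0x08
NETWORK = {0x02, 0x0A, 0xE0}  # CDC control, CDC data, wireless controller


def audit(interface_classes):
    """Return findings for one device given its list of bInterfaceClass values."""
    classes = set(interface_classes)
    findings = []
    if MASS_STORAGE in classes and HID in classes:
        findings.append("storage device also enumerates as HID (keyboard/mouse)")
    if MASS_STORAGE in classes and classes & NETWORK:
        findings.append("storage device also enumerates as a network adapter")
    return findings


def read_sysfs(root="/sys/bus/usb/devices"):
    """Collect {device: [classes]} from Linux sysfs; empty dict on other systems."""
    devices = {}
    for f in Path(root).glob("*:*/bInterfaceClass"):
        dev = f.parent.name.split(":")[0]  # "1-2:1.0" -> "1-2"
        devices.setdefault(dev, []).append(int(f.read_text().strip(), 16))
    return devices


def report(devices):
    """Map each suspicious device to its findings; clean devices are omitted."""
    return {dev: hits for dev, cls in devices.items() if (hits := audit(cls))}


# Constructed sample inventory (not captured from real hardware)
SAMPLE = {
    "1-1": [0x08],              # plain flash drive
    "1-2": [0x08, 0x03],        # flash drive that also presents a keyboard
    "1-3": [0x03, 0x03],        # ordinary keyboard with two HID interfaces
    "1-4": [0x08, 0x02, 0x0A],  # drive that also presents a CDC network interface
}

if __name__ == "__main__":
    # Use live sysfs data when available, otherwise the constructed sample
    for dev, hits in report(read_sysfs() or SAMPLE).items():
        print(dev, "->", "; ".join(hits))
```

This is a heuristic: legitimate composite devices such as phones can trip it, and reprogrammed firmware that presents only a keyboard interface will not, so the output is a prompt to compare what a device claims with what you expected to plug in.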

While we doubt that this is in fact an impossible-to-patch exploit — certainly, patching the USB firmware on computers to prevent such access seems like a possibility, and very few would likely go through the effort of patching their flash drives — in the meantime it poses a theoretical challenge for users.

But it all boils down to this: Don't plug anything you don't trust into your computer, your smartphone, or your tablet. That's pretty much common sense, though, so just think before you plug your phone into a random computer to charge, or you accept a USB drive from a stranger. Be smart about what you plug into your computer, and (far more importantly) keep your eyes open for the online threats that are coming at you every day in the real world.

Source: Wired

Derek Kessler is Special Projects Manager for Mobile Nations. He's been writing about tech since 2009, has far more phones than is considered humane, still carries a torch for Palm, and got a Tesla because it was the biggest gadget he could find. You can follow him on Twitter at @derekakessler.

  • I'm a little confused about the comment "this method requires achieving physical access". Am I not correct in understanding that the virus can transmit both to and from USB devices? If so, this worries me a lot. My daughter uses computers at her school to do her work, and often brings home her work on a USB drive to continue to work on at home. Is this scenario possible:
    1) Someone on the school network does something they shouldn't, and a virus makes its way onto the school computers.
    2) My daughter does her homework, uses a USB drive to save it, and in the process, the virus on the computer injects BadUSB onto her flash drive.
    3) She brings the flash drive home, plugs it into my computer, and it uploads itself onto my computer and infects all of my USB devices.
    If the above scenario is possible, it really scares me and I don't really know how to protect our computers. Or am I missing something?
  • Why not just go hide under the bed for the rest of your life? I mean really, a meteorite can crash through your roof at any moment and kill you and your family. There’s probably more chance of that happening than this “proof-of-concept” getting any traction in the world. And if the researchers’ claims that this is not patchable are true then the only way you can protect yourself is to STOP USING USB, period. Life would get pretty difficult pretty quickly in terms of computer use. Sorry to pick on you, it’s not personal, you were just the first poster. Life is too precious to be ‘worried a lot’ all the time.
  • Why do people on comment boards need to be such a$$holes? You are a complete idiot. I think my question is legitimate. I'm not saying I'm going to do anything differently, but unlike yourself, I try to educate myself and I would like to understand what the problem really is.
  • I believe BadUSB is put on flash drives via modification. Just plugging it into an active computer will load it; the virus/worm will just do its own thing.