Close
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Logo
Logo
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Cybersecurity
    • Cybersecurity
    • Mobile
    • PC Hardware

    New Flaws in USB Devices Let Attackers Install Malware: Black Hat

    By
    Sean Michael Kerner
    -
    August 1, 2014
    Share
    Facebook
    Twitter
    Linkedin
      USB security flaws

      Simply plugging a USB device into a computer could lead to exploitation. That’s a fact that shouldn’t be news, and yet it is this week. A presentation scheduled for the Black Hat USA security conference in Las Vegas next week is set to reveal new flaws in USB devices that will enable attackers to install malware on user devices.

      Karsten Nohl and Jakob Lell, two researchers with the Security Research Labs, are scheduled to deliver a talk at Black Hat titled, “BadUSB—On Accessories that Turn Evil” that will provide full details on the new flaws.

      “We demonstrate a full-system compromise from USB and a self-replicating USB virus not detectable with current defenses,” the Black Hat session abstract states. “We then dive into the USB stack and assess where protection from USB malware can and should be anchored.”

      In a blog post providing more insight into the talk, Nohl and Lell reveal that the root trigger for their USB exploitation technique is by abusing and reprogramming the USB controller chips, which are used to define the device type. USB is widely used for all manner of computer peripherals as well as in storage devices. The researchers alleged that the USB controller chips in most common flash drives have no protection against reprogramming.

      “Once reprogrammed, benign devices can turn malicious in many ways,” the researchers stated.

      Some examples they provide include having an arbitrary USB device pretend to be a keyboard and then issue commands with the same privileges as the logged-in user. The researchers contend that detecting the malicious USB is hard and malware scanner similarly won’t detect the issue.

      I’m not surprised, and no one else should be, either. After all, this isn’t the first time researchers at a Black Hat USA security conference demonstrated how USB can be used to exploit users.

      Last year, at the Black Hat USA 2013 event, security researchers demonstrated the MACTANS attack against iOS devices. With MACTANS, an Apple iOS user simply plugs in a USB plug in order to infect Apple devices. Apple has since patched that flaw.

      In the MACTANS case, USB was simply used as the transport cable for the malware, but the point is the same. Anything you plug into a device, whether it’s a USB charger, keyboard or thumb drive has the potential to do something malicious. A USB thumb drive is widely speculated to be the way that the Stuxnet virus attacked Iran’s nuclear centrifuges back in 2010. The U.S. National Security Agency (NSA) allegedly has similar USB exploitation capabilities in its catalog of exploits, leaked by whistleblower Edward Snowden.

      While the Security Research Labs researchers claim there are few defenses, the truth is somewhat different.

      A reprogrammed USB device can have certain privileges that give it access to do things it should not be able to do, but the bottom line is about trust. On a typical Windows system, USB devices are driven by drivers that are more often than not signed by software vendors. If a warning pops up on a user’s screen to install a driver, or that an unsigned driver is present, that should be a cause for concern.

      As a matter of best practice, don’t plug unknown USB devices into your computing equipment. It’s just common sense, much like users should not open attachments that look suspicious or click on unknown links. The BadUSB research at this year’s Black Hat USA conference is not as much a wake-up call for USB security as it is a reminder of risks that have been known for years.

      Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

      Sean Michael Kerner
      Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.

      MOST POPULAR ARTICLES

      Cybersecurity

      Visa’s Michael Jabbara on Cybersecurity and Digital...

      James Maguire - May 17, 2022 0
      I spoke with Michael Jabbara, VP and Global Head of Fraud Services at Visa, about the cybersecurity technology used to ensure the safe transfer...
      Read more
      Cloud

      Yotascale CEO Asim Razzaq on Controlling Multicloud...

      James Maguire - May 5, 2022 0
      Asim Razzaq, CEO of Yotascale, provides guidance on understanding—and containing—the complex cost structure of multicloud computing. Among the topics we covered:  As you survey the...
      Read more
      Big Data and Analytics

      GoodData CEO Roman Stanek on Business Intelligence...

      James Maguire - May 4, 2022 0
      I spoke with Roman Stanek, CEO of GoodData, about business intelligence, data as a service, and the frustration that many executives have with data...
      Read more
      Android

      Samsung Galaxy XCover Pro: Durability for Tough...

      Chris Preimesberger - December 5, 2020 0
      Have you ever dropped your phone, winced and felt the pain as it hit the sidewalk? Either the screen splintered like a windshield being...
      Read more
      IT Management

      Intuit’s Nhung Ho on AI for the...

      James Maguire - May 13, 2022 0
      I spoke with Nhung Ho, Vice President of AI at Intuit, about adoption of AI in the small and medium-sized business market, and how...
      Read more
      Logo

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2021 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×