It’s tiny and portable, yet perfect for storing large items. I’m talking about the good ol’ Universal Serial Bus (a.k.a USB) drive, the giveaway of choice at tradeshows across the world, and perfect for the easy storage and transfer of photos, documents, music and more. But you might want to think twice before plugging a free USB into your machine. The reason: USBs can now contract an undetectable—and unfixable—virus that can be spread quite easily.
News of this potent malicious software (often referred to as malware) has circled around the information security industry since researchers Karsten Noh and Jakob Lell described their new attack to a packed room at this year’s Black Hat security conference in early August.
The malware, dubbed BadUSB, can take over a computer, as well as redirect Internet-bound traffic to different site. But BadUSB’s danger doesn’t lie with its ability to execute code—this type of malware, called auto-run (because it runs automatically when the USB drive is inserted into your device), has been around for some time now. The danger lies with its ability to never be detected. BadUSB exploits how the USB standard was built and coded, and mixes malware with the device’s firmware—the code that tells the USB stick how to work. This intermingling of code makes the malware indistinguishable from normal, safe firmware.
Because of the danger this particular form of malware posed to the public at large, the pair refrained from releasing the code to attendees. That reasoning, however, didn’t sit well with another pair of researchers, who did publish the infectious malware after reverse engineering it. The malware that freaked out two security researchers enough to make them refrain from publishing their work is now out in the open.
USBs, long considered secure (perhaps incorrectly), are now major liabilities to consumers everywhere. So the question now is, should you be worried?
The answer is yes and no.
The good thing about this malware variant is that it’s isolated to just USB devices. But that’s also its danger: USB devices are so ubiquitous that consumers typically don’t pay them any attention—the best sort of attack vector hackers could hope for. Hackers could also hide this malware within a larger package and could, theoretically, infect a computer that would subsequently infect any and all USB devices that connect with that machine—thereby spreading the malware even further. All in all it’s pretty bad news.
So why did these researchers knowingly, and publicly, publish such dangerous malware? Because they want to see this security issue fixed, and the only way they’re convinced it’ll be fixed is by lighting a fire under USB manufacturers.
They’re not entirely wrong, either. Manufacturers, largely for business reasons, have been notoriously slow in fixing security issues (called patching), and USB drives are no different. By publicly making this code available, the pair of researchers will deny USB manufacturers the ability to claim that they weren’t aware of security vulnerabilities on USB. That knowledge, it’s theorized, will drive better security further down the road.
Publishing this code was well intentioned, and, truthfully, is a fairly standard practice in the information security industry. But this particular malware is going to cause a lot of headaches for quite a few years (likely a decade). So what can you do to protect yourself while this newfound attack vector is out in the wild? Well there are a few options available:
- Use caution with free USB drives. A lot of companies like to go to major conferences and events and hand out free USB drives. This is bad security practice. Free USBs have always carried the risk of being preloaded with malware, and now the risk has doubled. You don’t have to turn down free USBs drives, but you do have to be conscious of the risk you’re running when you don’t know where that USB has been. If you’re uncertain if a USB is safe, run a scan.
- Lock down your computers. USBs have long been a reliable method of compromising computers. All it takes is an unknowing person to plug a USB drive into a port, and the damage is done. Never leave your computer sitting out in a public place where someone could access your USB port.
- Use comprehensive security. BetweenUSB devices, computers and mobile phones —all the technology we own is a security risk. So how can you minimize the likelihood of getting infected by malware? By using comprehensive security like McAfee LiveSafe™ service, which provides a comprehensive shield against malware, phishing attacks and a variety of other nasties aimed at compromising your digital life. McAfee LiveSafe also automatically scans USBs when they’re connected to your computer, for known malware. This is a step you cannot afford to skip in the protection of your valuable information.