Not even Batman can stop this infection.

Photographer: David Paul Morris/Bloomberg

Practice Safe USB Behavior

Stephen L. Carter is a Bloomberg View columnist. He is a professor of law at Yale University and was a clerk to U.S. Supreme Court Justice Thurgood Marshall. His novels include “The Emperor of Ocean Park” and “Back Channel,” and his nonfiction includes “Civility” and “Integrity.”
Read More.
( Updated
)
a | A

Maybe it’s time to throw away those USB devices, or at least stop being so promiscuous with them. That is, unless you actually enjoy the risk of invisible malware controlling your computer.

To recap briefly: At the Black Hat security conference in August, a pair of researchers from SR Labs demonstrated a form of attack that would in principle allow an invisible infection of any USB peripheral. The researchers, Karsten Nohl and Jakob Lell, pointed out that users tend to regard USB sticks, for example, as simply portable flash memory devices, forgetting that they are actually microcomputers that control a storage unit and communicate with the machine into whose port they are inserted.

The processor in the USB is programmable firmware. Nohl and Lell were able to reverse engineer the firmware and reprogram it in a way that neither the user nor antivirus software would be able to detect. From that platform, the malware could infect whatever PC the USB was inserted into. And BadUSB, as they called it, would remain in place even were the entire contents of the USB memory erased.

Nohl and Lell chose not to disclose the actual code they had developed to infect USBs, because they worried that it was too dangerous. But now Wired is reporting that two other researchers have duplicated the exploit, and disclosed the method. “If you’re going to prove that there’s a flaw,” said the researchers, Adam Caudill and Brandon Wilson, “you need to release the material so people can defend against it.” Caudill and Wilson have posted the code at Github. There is no other way, they contend, to pressure USB manufacturers to fix the flaw.

That’s if it’s fixable at all; some claim it isn’t. And this matters, because we tend to be sloppy with USB devices. Consider how easy it is to borrow someone’s USB mouse or keyboard. Ask yourself when you last visited a friend and plugged his USB printer into your laptop -- or vice versa. And then there’s the way we leave USB memory sticks lying around. A 2010 British study estimated that some 17,000 of them are found annually in clothes left for dry cleaning -- and that’s just in one country.

The vulnerability of USB ports has long been known. USB sticks were blamed for malware attacks on two power plants in 2013. Yet despite years of warnings, the basic architecture of the USB hasn’t changed. Until it does, the smart security solution may be never to use a USB device of any kind that has been plugged into any computer but your own.

This column does not necessarily reflect the opinion of Bloomberg View's editorial board or Bloomberg LP, its owners and investors.

To contact the author on this story:
Stephen L Carter at scarter01@bloomberg.net

To contact the editor on this story:
Stacey Shick at sshick@bloomberg.net