Nearly everyone who owns a computer enjoys the convenience of USB thumb drives. They’re cheap, widely available, and offer massive amounts of storage space. Some USBs work as product license keys, and if you are curious about taking Linux for a test drive you can even run the operating system Ubuntu from the digit-sized device. With all the conveniences a USB offers, it can be easy to forget that they can also be a huge security risk; as the most recent exploit, dubbed “BadUSB,” has IT security professionals on edge.
BadUSB is another generation of the evolution of USB hacks. Previously, most USB viruses were spread when a hacker loaded malicious software onto a thumb drive just like a regular user loads photos or documents. If the attack is placed on the portion of the thumb drive that the device uses for general storage, then a user can wipe the thumb drive and get back to business as usual. However, BadUSB uses an even more clever method to attack a victim’s device. Hackers load the malicious code into the firmware of the device itself; the part that identifies the device to your computer. For example, when a user plugs in an infected USB drive the user’s computer receives multiple identifiers for the device like, “I’m a USB drive (and a keyboard/webcam/mouse).” Essentially the USB drive can tell your machine that it is any number of the peripherals you use on a daily basis.
Where this gets interesting is when the user’s computer is tricked into thinking that the USB drive is a keyboard and allows it to start typing commands without the user knowing it. Before long, the seemingly harmless USB drive in your laptop is telling your machine to download viruses and who knows what else. What’s worse is that anyone can go to GitHub and download the code to make their own batch of corrupted USB drives. Obviously, BadUSB has the potential to be a huge nuisance.
There is no reason to panic over BadUSB. Knowledge about the power of USB drives should heighten your awareness when using the convenient storage they provide. As with any new security threat there will be hype, some of it justified, and most of it resolved with a little common sense and situational awareness.
Developers are currently working on raising awareness of BadUSB and pressuring device manufacturers to come up with a solution. In the meantime, everyday users should take some simple steps to protect their devices from being hijacked:
- Don’t share USB drives with people whom you wouldn’t let use your computer unsupervised. BadUSB could be programmed to browse all of your files looking for sensitive documents.
- Don’t plug USB drives into your devices that you happen to find laying around. You wouldn’t eat something you found lying around on the sidewalk, would you?
- Pay attention to your devices when you’re out in public. Thinking of leaving your laptop unattended as you order up another pumpkin spice latte at the coffee shop? Think again.
- Replace old USB drives that you haven’t used for a while or have left unattended.
- Look into cloud storage options like the File Storage area on Global Reach’s email service. If you’re collaborating on a project, perhaps give Google Drive a shot.