Unprotected firmware -- hard-coded programming code -- rests at the heart of every USB device, and there's virtually nothing anyone can do to stop malicious software from corrupting that code to control all infected devices, indefinitely.
A pair of researchers have created BadUSB, a proof-of-concept virus, to show how malicious software that attacks USB firmware can persist through reformatting efforts and antivirus scans to enslave USB devices, ranging from smartphones and digital cameras to keyboards and mice.
Karsten Nohl, who, along with Jakob Lell, created BadUSB, said there was no way to access the firmware without asking the firmware for help to do so. If you ask the infected firmware if it has been compromised, it'll just lie and say everything is fine, said Nohl.
Antivirus software can't scan device firmware and USB firewalls lack the ability to block devices by class, according to SRLabs, where Nohl is chief scientist. Re-installing an operating system or reformatting a hard drive may not rid a computer of firmware-based viruses -- which makes the threat even bigger than Apple's backdoor problem -- as the malicious software may infiltrate a computer's embedded USB devices or compromise the system's basic input-output system (BIOS) inside the motherboard.
The persistence of firmware-based attacks can take hold of a computer during the booting process and take control over system resources before the operating system even loads up, according to SRLabs. Inside the operating system, just about all of the infected computer's abilities can be bent to the will of the malicious software -- network cards can be altered to direct Internet sessions through malicious websites, keyboard strokes can be logged and the webcam can be hijacked.
"If you put anything into your USB [slot], it extends a lot of trust," Nohl said. "Whatever it is, there could always be some code running in that device that runs maliciously. Every time anybody connects a USB device to your computer, you fully trust them with your computer. It's the equivalent of [saying] 'here's my computer; I'm going to walk away for 10 minutes. Please don't do anything evil.' "
Infected computers and USB peripheral cans never be trusted again, according to SRLabs.
But there has been hope. SRLabs said it planned to release some proof-of-concept tools at the 2014 Black Hat Briefings, a cybersecurity conference in Las Vegas running Aug. 2-Aug. 7. Nohl and Lell will present BadUSB and reveal their suggestions for where protection should lie.
