The ubiquitous Universal Serial Bus computer-to-peripheral interface standard may be a bus that stops on the malware side of town, according to a company in Germany.
The company is Security Research Labs (SRL), located in Berlin, and what it is saying is that almost any USB-powered or -connected device can be reprogrammed for evil instead of good. It has given this demon a name, and that name is "BadUSB," meaning bad not in a good way.
The list of USB devices that can be turned into cyberthreats includes mice, keyboards, storage devices, networked devices, game controllers and many others.
The USB interface has been with us for over two decades, with the USB 3.0 standard now the speed leader, although the legacy USB 2.0 standard is still in greater use. It was the USB 3.0 speed boost that practically relegated FireWire 400 to the parts bin of computer history.
According to SRL, the versatility and broad compatibility built into USB are what make it so highly vulnerable to hacking. A USB device contains controller chips that are easy to reprogram; this compatibility-over-security design makes it easy, for example, to change the OS compatibility of a USB thumb drive or erase its content.
The BadUSB concept becomes reality when benign devices are reprogrammed maliciously. For example, a device can emulate a keyboard and issue commands to steal or delete files or install malware. This malware can in turn infect the controller chips of other devices linked to a computer.
A malicious device can outwit a network card, changing the computer's DNS to redirect traffic.
If an ill-intentioned USB device is used to boot a computer, or is connected to a computer at startup, it can dispatch a virus that infects an OS even before it is booted.
The problem is compounded by the lack of any effective defense against this attack of zombie USB devices. Malware and virus detection software cannot inspect USB firmware files. Firewall protections are not yet available, and it's tough to spot a BadUSB device through any obvious behavioral clues until after it's done its dirty work, permanently making a computer a vehicle for bad times.
"Once infected, computers and their USB peripherals can never be trusted again," wrote SRL.
The company will be presenting its evidence in a proof of concept at this week's Black Hat Conference in Las Vegas. The event offers training, education, briefings and networking for hackers, security programmers and IT personnel.