USB devices appear to have a serious security flaw that allows malicious code to be inserted into their firmware. The flaw was first revealed by Karsten Nohl and Jakob Lell at the Black Hat security conference a couple of months ago. The two researchers were able to reverse engineer USB firmware, infect it with their own code, and essentially hijack the associated device.
Nohl told Wired that the flaw behind this so-called BadUSB attack "can't be patched" because it exploits "the very way that USB is designed." With the right code, it's reportedly possible to reprogram USB devices simply by plugging them into an infected machine. The malicious code is injected into the USB firmware, making it difficult to detect—and allowing it to spread to USB devices that lack flash or mechanical storage. Once compromised, those devices can reportedly enter keystrokes, alter files, and affect Internet activity. They can apparently infect other systems, as well, and then spread to additional USB devices from those.
Although Nohl and Lell ultimately declined to release their code into the wild, they apparently inspired two other researchers, Adam Caudill and Brandon Wilson, to do similar digging of their own. According to Wired, that pair reverse-engineered a Phison USB controller's firmware and discovered "some" of BadUSB's tricks. Instead of holding back, Caudill and Wilson have put their code on GitHub in an effort to pressure USB device makers to address the problem. It's unclear whether the exploits used by the code are specific to that particular Phison controller, but if the underlying flaw is related to the nature of USB itself, the exploits may not be confined to a specific implementation.
USB storage devices have long been used as attack vectors for malicious code, so they're hardly regarded as secure. However, it's still troubling that any USB device is potentially vulnerable to attacks that can hide malicious code in firmware.