USB devices appear to have a serious security flaw that allows malicious code to be inserted into their firmware. The flaw was first revealed by Karsten Nohl and Jakob Lell at the Black Hat security conference a couple months ago. The two researchers were able to reverse engineer USB firmware, infect it with their own code, and essentially hijack the associated device.
Nohl told Wired that the flaw behind this so-called BadUSB attack "can't be patched" because it exploits "the very way that USB is designed." With the right code, it's reportedly possible to reprogram USB devices simply by plugging them into an infected machine. The malicious code is injected into the USB firmware, making it difficult to detect—and allowing it to spread to USB devices that lack flash or mechanical storage. Once compromised, those devices can reportedly enter keystrokes, alter files, and affect Internet activity. They can apparently infect other systems, as well, and then spread to additional USB devices from those.
Although Nohl and Lell ultimately declined to release their code into the wild, they apparently inspired two other researchers, Adam Caudill and Brandon Wilson, to do similar digging of their own. According to Wired, that pair reverse-engineered a Phison USB controller's firmware and discovered "some" of BadUSB's tricks. Instead of holding back, Caudill and Wilson have put their code on GitHub in an effort to pressure USB device makers to address the problem. It's unclear whether the exploits used by the code are specific to that particular Phison controller, but if the underlying flaw is related to the nature of USB itself, the exploits may not be confined to a specific implementation.
USB storage devices have long been used as attack vectors for malicious code, so they're hardly regarded as secure. However, it's still troubling that any USB device is potentially vulnerable to attacks that can hide malicious code in firmware.
|Synaptics Clear ID FS9500 fingerprint sensors slip under phone screens||5|
|TR's 2017 Christmas giveaway: goodies from MSI, Antec, and OCZ||15|
|VESA DisplayHDR attempts to demystify HDR-capable monitors||16|
|BenQ EW277HDR brings HDR10 in reach of mere mortals||5|
|Intel Pentium Gold chips now have Silver siblings||37|
|Acer ProDesigner PE320QK is big on size and color accuracy||2|
|Thermaltake's Nemesis Switch has enough buttons for all your macros||17|
|Zotac Gaming MEK1 PCs have the requisite pieces of flair||9|
|Toshiba's latest hard drives store 14 TB without shingles||68|
|I liked it better when they called these chips "Atom". It was a more clear distinction. "Pentium Gold" is Kaby Lake. "Pentium Silver" is Gemini Lake (...||+11|