USB devices appear to have a serious security flaw that allows malicious code to be inserted into their firmware. The flaw was first revealed by Karsten Nohl and Jakob Lell at the Black Hat security conference a couple of months ago. The two researchers were able to reverse engineer USB firmware, infect it with their own code, and essentially hijack the associated device.
Nohl told Wired that the flaw behind this so-called BadUSB attack "can't be patched" because it exploits "the very way that USB is designed." With the right code, it's reportedly possible to reprogram USB devices simply by plugging them into an infected machine. The malicious code is injected into the USB firmware, making it difficult to detect—and allowing it to spread to USB devices that lack flash or mechanical storage. Once compromised, those devices can reportedly enter keystrokes, alter files, and affect Internet activity. They can apparently infect other systems as well, and from those systems spread to additional USB devices.
Although Nohl and Lell ultimately declined to release their code into the wild, they apparently inspired two other researchers, Adam Caudill and Brandon Wilson, to do similar digging of their own. According to Wired, that pair reverse-engineered a Phison USB controller's firmware and discovered "some" of BadUSB's tricks. Instead of holding back, Caudill and Wilson have put their code on GitHub in an effort to pressure USB device makers to address the problem. It's unclear whether the exploits used by the code are specific to that particular Phison controller, but if the underlying flaw is related to the nature of USB itself, the exploits may not be confined to a specific implementation.
USB storage devices have long been used as attack vectors for malicious code, so they're hardly regarded as secure. However, it's still troubling that any USB device is potentially vulnerable to attacks that can hide malicious code in firmware.