USB hardware is insecure and there's no effective defense, a pair of security researchers claim.
In a coming presentation at Black Hat USA 2014, Karsten Nohl and Jacob Lell plan to demonstrate a proof-of-concept attack on USB devices they're calling BadUSB.
The researchers, who work with Security Research Labs in Berlin, claim that USB devices can easily be reprogrammed to execute malware.
Such compromised devices "can emulate a keyboard and issue commands on behalf of the logged-in user, for example to exfiltrate files or install malware," the pair explained in a blog post. They also can pretend to be a network card and reroute network traffic by altering DNS settings. Or they can detect when an attached computer begins to boot up and install a virus before the operating system loads, thereby infecting an existing operating system or one that has been newly installed; this nullifies a standard defense against malware -- reinstallation of the operating system. The attack can even rewrite a computer's BIOS, offering another way to preempt security measures implemented in the operating system.
[Smartphones take on yet another job. Read Hilton Turns Smartphones Into Room Keys.]
Beyond avoiding untrusted USB devices, there appears to be very little that can be done at present to mitigate this risk.
"No effective defenses from USB attacks are known," the pair states. "Malware scanners cannot access the firmware running on USB devices. USB firewalls that block certain device classes do not (yet) exist."
The threat looks to be theoretical, at least for a while.
"Fortunately, this type of attack has not been observed 'in the wild' yet," said Nohl in an email. "It would appear to only be a matter of time until we see actual abuse given the high gains and relatively low effort to implement such attacks."
However, the NSA, and presumably other intelligence agencies, have long been aware that USB hardware and connectors provide a path to compromising a target device. The NSA's Tailored Access Operations (TAO) group's implant catalog, leaked by Edward Snowden, contains three versions of a tool called Cottonmouth, a hacked USB connector that can send and receive data -- or exploit code -- wirelessly.
If Nohl and Lell succeed in demonstrating software to subvert USB devices, we might see more compromised USB devices. But untrusted hardware has long been a potential risk; the researchers' findings should underscore that fact. The upside for intelligence agencies is that henceforth they might be able to simply reprogram USB devices instead of rewiring them -- if they weren't already aware of this vulnerability.
A spokesperson for the USB Implementers Forum (USB-IF), the standards organization that develops and promotes USB specifications, said in an email that the group does not produce devices and cannot speak for specific manufacturers.
"The USB-IF agrees that consumers should always ensure their devices are from a trusted source and that only trusted sources interact with their devices," the group's spokesperson said. "...To prevent the spread of malware, consumers should only grant trusted sources with access to their USB devices."
The USB-IF spokesperson added that USB specifications support additional security, but equipment makers decide whether to implement these capabilities, which would entail greater cost.
The BlackHat security conference is owned by United Business Media, which also operates InformationWeek.
Consumerization means CIOs must grant personal devices access to corporate data and networks. Here's how to avoid loss and corruption. Get the new Mobile Security Action Plan issue of InformationWeek Tech Digest today (free registration required).