The threat from USB sticks used to be limited to autorun virus’s that would be triggered when you put the stick into a vulnerable machine; many security professionals have used this as an infection technique as it needed little to no interaction. The autorun infection methods were quickly stopped and modern antivirus can protect against the malware but the new and emerging threat is potentially much worse and a bigger long term threat.
At Blackhat 2014 two security researchers will be presenting a talk on BadUSB “On Accessories that Turn Evil”, Jakob Lell & Karsten Nohl will present research that will define a new form of malware that can reside on a stick hidden from antivirus scanners and is capable of compromising systems as well as replicating the problem to other USB devices.
The new threat to be outlined lies in the USB device themselves; due to the way the memory works USB sticks have a controller chip that allows them to function even when the memory becomes corrupt or unusable, their stated capacity isn’t the full picture, your 4Gb USB stick may actually contain 8Gb or more actual storage managed by these controller chips. The chips themselves can be compromised and subverted and this is where the new threat resides, the controller chips themselves have been compromised and in some cases can be rewritten to deliver malware and further spread infection. They can become self-replicating and can deliver or harbour key loggers, can steal data or further infect USB devices. The nature of the USB controllers don’t allow anti-virus software to be able to test or check for this emerging threat; a key logger or data stealer could remain dormant and kick into life stealing data and keystrokes without anyone being aware.
We cannot continue using USB sticks and devices across multiple machines without first giving thought to the threat and the risk, has the stick been compromised? Where has it been and who used it? We will need to start protecting the sticks and USB peripherals with more reverence, no longer accepting them from strangers and more importantly will need to identify new ways of secure disposal of old USB devices. The size and convenience of them has until now made them almost indispensable for storing and sharing information, disposing of them needs to be a consideration. How many companies have already suffered data loss from removable media? Even when using caution we cannot guarantee data is deleted from USB sticks and they need to be considered with much more concern as the data they once held may be retrievable using simple tools and techniques.
As end users we need to protect our own USB sticks and devices, give thought to the ‘what if’ scenario and not be so willing and keen to share them to all and sundry. USB data-less cables are a thing and a good investment if you need to charge your phones as many smartphone owners do. Do you want your smartphone and its stored data (photo’s, emails, contacts) stolen or damaged by the machines you plug into?
In the meantime you can buy data-disabled USB cables to charge your smartphone without sharing data (intentionally or otherwise) as well as “USB condoms” which create a similar data gap in cables.
How long will it be before office shredders have a slot for USB sticks? How do you dispose of your USB sticks when they become too small, too slow or broken? What data breaches are around the corner from BadUSB?
I would recommend old USB sticks are smashed with a hammer (outside whilst wearing safety glasses) to ensure data cannot be retrieved; Invest in a data only cable for charging your smartphone in less trustworthy environments and be aware of the risk when the smiling stranger offers you their USB stick next time.
Jamie Duxbury, Senior Security Specialist