Inserting a control chip into a device’s USB connector an attacker could gain complete control of a machine, spy on a user using malware, and steal data. No current security measures could even detect the attack.
According Wired, the problem isn't limited to thumb drives. All manner of USB devices from keyboards and mice to smartphones have firmware that can be reprogrammed—in addition to USB memory sticks, Nohl and Lell say they’ve also tested their attack on an Android handset plugged into a PC.
once a BadUSB-infected device is connected to a computer, Nohl and Lell describe a grab bag of evil tricks it can play.
It can, for example, replace software being installed with with a corrupted or backdoored version. It can even impersonate a USB keyboard to suddenly start typing commands.
The malware can silently hijack internet traffic too, changing a computer’s DNS settings to siphon traffic to any servers it pleases.
BadUSB’s ability to spread undetectably from USB to PC and back raises questions about whether it’s possible to use USB devices securely at all.
University of Pennsylvania computer science professor Matt Blaze said, “We’ve all known if that you give me access to your USB port, I can do bad things to your computer.”
Nohl says he and Lell reached out to a Taiwanese USB device maker, whom he declines to name, and warned the company about their BadUSB research. Over a series of emails, the company repeatedly denied that the attack was possible.
When WIRED contacted the USB Implementers Forum, a nonprofit corporation that oversees the USB standard, spokeswoman Liz Nardozza responded in a statement. “Consumers should always ensure their devices are from a trusted source and that only trusted sources interact with their devices,” she wrote.
“Consumers safeguard their personal belongings and the same effort should be applied to protect themselves when it comes to technology.
The two researchers haven’t yet decided just which of their BadUSB device attacks they’ll release at Black Hat, if any. Nohl says he worries that the malicious firmware for USB sticks could quickly spread.
