A vast number of USB devices — whether they’re USB sticks or keyboards — could now be vulnerable to malware after security researchers published code that spreads itself by hiding in the firmware that controls how USB devices connect to computers.
Wired reports that the “BadUSB” vulnerability, first developed by security researchers, has been released online. This means that hackers can now start using it to infect computers.
The “good” news is that vulnerability only comes from one USB manufacturer, Phison of Taiwan. The bad news is that Phison USB sticks can infect any device they’re inserted into, and it’s not clear whether those devices can then go on to infect any other USB device that is plugged into them afterwards. Phison does not disclose who it makes USB sticks for — so it’s now clear yet how widespread the problem might be.
The vulnerability in USB works by modifying the firmware of USB devices, hiding malicious code in USB sticks and other devices in a way that’s impossible to detect. Even completely deleting the contents of a USB stick wouldn’t get rid of the dangerous code. According to Wired, the vulnerability is “practically unpatchable.” Once infected, each USB device will infect anything it’s connected to, or any new USB stick coming into it.
Hackers Could Use This To Take Over Your Computer
“BadUSB” can be used to force computers into thinking that a USB device is a keyboard, allowing hackers to type whatever they like on your computer. Alternatively, it can replace legitimate software installed on a computer with a corrupted version that hackers can use to control a computer. Another use for the exploit is monitoring all internet traffic through a computer, allowing a hacker to spy on what you’re doing.
The Manufacturer Denies It’s a Problem
The only way to fix the vulnerability would be to completely redesign the way that Phison USB devices are built. Security researchers have already contacted Phison, the specific manufacturer of the USB devices that were found to be vulnerable, but the company “repeatedly denied that the attack was possible.”
The NSA May Have Been Using This Exploit
Edward Snowden’s leaks revealed that the NSA possesses a spying device known as “Cottonmouth” that uses a vulnerability in USB to monitor computers and relay information. It’s possible that Cottonmouth works using a similar vulnerability as the discovery outlined above.
It Could Start Spreading Very Quickly
The BadUSB malware spreads two ways: From the infected USB device to a computer, and from an infected computer to a USB device. This means that if hackers start infecting people using the malware, it could soon be found around the world.