Monday

BadUSB - Not Much Good News Yet

BadUSB is a name being given to a recently discovered flaw in the implementation of USB. It actually appears to be a huge problem, and its impact could be profound. Every USB device, whether a printer, mouse, keyboard, thumb drive, etc. has a small USB controller chip in it. This also applies to USB ports on phones, tablets and computers. This controller is separate from any memory or other storage the device may have. The controller is the interface between the operating system and the device itself. As part of the design of USB, the controller is programmable - which allows USB to be very flexible and adaptable.

However, this can also allow the controller to be reprogrammed and cause all kinds of havoc. For example, the controller could be reprogrammed to cause a printer to temporarily appear and act as a keyboard, and have it run some commands to download malware onto a PC - and then revert back to just being a printer again - the ultimate trojan horse, if you like.

The problems are:

1 - this is an integral part of USB version 1, 2, 3, and there are a gazillion devices out there
2 - it cannot be detected by an antivirus
3 - there is no easy/practical way yet to just turn off the ability to progrma the controllers

One small piece of good news is that it does NOT affect SD cards, only USB devices. There is little any of us can do at the moment, other than to wait and see how this shakes out. Also, although this has been demonstrated to be a real vulnerability, so far it is not out in "the wild" (as far as is known).

No comments :