Think about how many devices you connect via a USB port daily. Cell phones, tablets, keyboards, mice, thumb drives are just to name a few. Too often we plug our devices into a USB port without any consideration of the potential risks involved. While your USB might be a quick, convenient way to charge your device or transport data, it is also a major conduit for transferring malware onto your network and for stealing data.
Any device with storage, wireless or Bluetooth capabilities can carry an infection. The real risk isn’t necessarily the infection, but how the USB operates. Since USB manufacturers do not protect the firmware in their devices, it’s possible for malware to overwrite the firmware and take control of everyday devices. And because so many different devices can plug into the same connection, one type of device can be reprogrammed and turn into a malicious device without the user even knowing.
Recent research conducted by Nohl and Lell outlined the following three ways that “bad” USB devices can act maliciously:
BadUSB – Turning devices evil. Once reprogrammed, benign devices can turn malicious in many ways, including:
1. A device can emulate a keyboard and issue commands on behalf of the logged-in user, for example to exfiltrate files or install malware. Such malware, in turn, can infect the controller chips of other USB devices connected to the computer.
2. The device can also spoof a network card and change the computer’s DNS setting to redirect traffic.
3. A modified thumb drive or external hard disk can – when it detects that the computer is starting up – boot a small virus, which infects the computer’s operating system prior to boot.
Despite recent findings, these vulnerabilities have existed since the early days of USB drives. Manufacturers have been working to build devices without reprogrammable firmware. In some cases antivirus software can detect the problem before it gets out of hand. But behavioral monitoring isn’t always effective since the infection is often disguised.
Currently, the only way to truly prevent the potential risk is to educate yourself and fellow users about the risks and follow computing best practices. Do not insert your devices into computers (and networks) you don’t trust and don’t plug other’s devices into your computer unless you know for certain where they’ve been.
If you have questions about USB security and risks associated with using USB devices, contact us or call us at 1.866.PickITS.