 | All USB units have a flaw due to their design. This is not limited to the thumb drive but does also include your Keyboard and mouse or anything connected with USB. The reason is that the USB's have firmware of their own - needed to make them work. This firmware can be tampered with and completely take over your PC. It does not help to give your dongle to the IT guy and have him virus scan it or even reformat it. Those processes do not even touch the data in question. The problem lies in the firmware. |
The USB security is fundamentally broken
To prove this point two guys, Karsten Nohl and Jakob Lell, made a piece of software called BadUSB.
This software will enable you to do mostly anything to your computer - and devices, like Android phones, connected to your computer.
This software can invisibly change all the files installed from the memory stick or even redirect your internet traffic.
This problem cannot be patched since it exploits the very way USB is designed.
So have a look at your computer now:
- Is your keyboard attached with an USP plug?
Is your mouse?
Your printer?
Your Hard-disk?
This is not a too bright perspective so what can you do about it?
To be absolutely sure you can put superglue in all your USB ports.
That would take care of it, but that is kind of like driving from NY to LA - without using a motorized vehicle.
You can alter the USB firmware by reverse engineering like disassembling the firmware and analyze the code.
That is no way to go for most users.
The practical way of dealing with this is to buy and use USB only on your computer
Do not Accept USB - dongle giveaways, and consider your USB unit compromised as soon as it has been attached to other un-trusted PC's.
Even though the BadUSB unit can replace installed files on your computer with other files containing back-doors it should be possible to discover and repair the altered files.
So the most critical period is when the "infected" USB unit is attached.
All of this could have been avoided if the USB firmware would have code signing which would require any altering of the firmware code to be signed by the manufacturers encryption key.
So remember if you want to be safe do not transport USB dongles from PC to PC - not even Linux distributions.
If you do; be sure that you trust all the computers the dongle has been attached to.
IN THIS NEW WAY OF THINKING, YOU HAVE TO CONSIDER A USB INFECTED AND THROW IT AWAY AS SOON AS IT TOUCHES A NON-TRUSTED COMPUTER.
That should keep you safe from crooks. Dongles that are modified by design by "force majeure" like governments who need to take care of fundamental basic rights like absence of terror aka national security and DRM, will continue to infect your hardware.
But that is for the good cause - so that is nothing to worry about.
A typical example of this use would be to make the USB HDD firmware report about any movies and music on it to check if Digital Rights are respected. That would catch those professional criminals who run around from house to house with a HDD and show pirated movies
It is time to change the way USB's works.
