In business it has become common to transfer data between parties over the Internet or via a USB device. USB devices are very handy. They can hold a lot of data and can be used and reused many times. Also, the cost of a USB device is relatively low so giving a USB device to a client or accepting a USB device from another party does not always require that it be returned. They are also usually generic in appearance so that once we receive a USB device we may not be able to identify where we got it. The convenience of USB devices is great, but it may come with a hidden cost.
Recently a major flaw was discovered in the firmware of USB devices that affects a large percentage of the USB devices in use today. Storage devices, keyboards, mice, cell phones, and any other device with a USB connection can be affected by this flaw. The threat runs deeper than just the information stored on USB drives; it is a flaw in how USB devices work.
An attacker can manipulate or recode a USB device and, at this time, this change is undetectable as the USB device functions at a layer below that of anti-virus software and is automatically trusted by the machine. This is very scary since almost all computers have USB devices connected to them at some point in time. An infected USB device can completely take over a computer, invisibly alter files, redirect Internet traffic, or capture usernames and passwords. Unfortunately, right now there is no fix. This vulnerability will likely remain for years to come since it is a flaw in the way USB devices are made. It is not something that can be picked up by virus scans at the moment and is virtually undetectable.
The researchers that discovered this vulnerability recently released the code online, hoping to get expedited collaboration to fix this problem, but this also gave “bad guys” access to the code. Striving to quickly identify a fix is certainly desirable. However, until a fix is identified and can be widely applied, anyone with coding experience can easily exploit this flaw.
We are not recommending that you stop using USB devices. Their convenience and low cost makes them very useful. As of right now we are advising everyone to be extremely careful with USB devices.
- NEVER buy a USB device that has been opened and returned. The risk is not worth the few pennies saved.
- NEVER plug in a USB device that you find lying around. If you didn’t open it and remove it from the original package – do not plug it into a computer.
- If someone hands you a USB device, make sure they followed the above statements or do not trust it (don’t use it). Only use USB devices from someone you trust and who you believe has taken care with them. Conversely, if you want to share data, give your thumb drive to someone else and let them put the data you need on your thumb drive.
We will continue to monitor this vulnerability and provide an update as information changes or solutions are found. As of right now, we ask that you please be very careful with USB devices, and certainly do not use any USB device from an untrusted source. Karl Epps