BadUSB – Turning devices evil. Once reprogrammed, benign devices can turn malicious in many ways, including:
- A device can emulate a keyboard and issue commands on behalf of the logged-in user, for example to exfiltrate files or install malware. Such malware, in turn, can infect the controller chips of other USB devices connected to the computer.
- The device can also spoof a network card and change the computer’s DNS setting to redirect traffic.
- A modified thumb drive or external hard disk can – when it detects that the computer is starting up – boot a small virus, which infects the computer’s operating system prior to boot.
For the security conscious, USB devices should be considered potentially as risky as contaminated hypodermic needles. Of course to infect a machine it will require physical access to the computer, but once infected the entire computer can never be trusted again.
A BadUSB device can actually replace a system’s BIOS. Wiping & reinstalling the operating system will do nothing as the corrupted firmware of the USB device is outside the control of an operating system installation. Apparently, this security hole has been known for some time and has already been weaponized.
There is no known fix to this security hole.
Hopefully USB manufacturers can issue a patch that can be applied universally to pre-existing firmware.