Snippet: Why the Security of USB is Fundamentally Broken ☇

Shared on August 1, 2014

Andy Greenberg for Wired:

That’s the takeaway from findings security researchers Karsten Nohl and Jakob Lell plan to present next week, demonstrating a collection of proof-of-concept malicious software that highlights how the security of USB devices has long been fundamentally broken. The malware they created, called BadUSB, can be installed on a USB device to completely take over a PC, invisibly alter files installed from the memory stick, or even redirect the user’s internet traffic. Because BadUSB resides not in the flash memory storage of USB devices, but in the firmware that controls their basic functions, the attack code can remain hidden long after the contents of the device’s memory would appear to the average user to be deleted. And the two researchers say there’s no easy fix: The kind of compromise they’re demonstrating is nearly impossible to counter without banning the sharing of USB devices or filling your port with superglue.

These sort of security articles get picked up by a lot of sites and become the TV news tease du jour. It’s good to know that such a vulnerability exists, but it’s also really frustrating that someone took the time to discover it, yet the industry can’t fix it. I guess it’s time to go back to Bluetooth and FireWire devices only…

Snippets are posts that share a linked item with a bit of commentary.