BadUSB: Time to Start Checking Your Laptop’s USB Ports Before Turning On

We’ve recently reported on software called NetHunter that can turn your smartphone into a “hackphone” that acts as a HID device and can compromise a computer it is connected to, while acting as a keyboard or a network adapter. The principle behind it runs parallel to “BadUSB,” presented at the Black Hat 2014 conference.

BadUSB is based on the idea that since USB flash drives are so commonplace, no one will suspect they can be used as a cyberattack tool carrying malicious code. After all, most antivirus programs scan USB drives for viruses and malware, so surely you’re safe. That’s not the case anymore. BadUSB modifies the firmware of the USB stick so that it appears to the computer not as a USB stick, but as a HID (Human Interface Device) or a network adapter, subsequently running the malicious code or re-routing internet traffic, respectively. The creators of BadUSB, SR Labs, did not release the how-to for making one of these.

A week ago, a pair of intrigued security researchers, Adam Caudill and Brandon Wilson, did just that. They presented their process at DerbyCon. If you are interested, you can watch the presentation video below. They replicated the BadUSB process for only one specific type of USB controller (Phison 2251-03); however, it should be easy to modify to work with other types as well. They claim to have done it to raise awareness of this sort of threat and to “push device manufacturers to insist on signed firmware,” said Caudill.

At this time, there isn’t a good way of defending yourself from this sort of attack, said Wilson during the presentation. Manufacturers of USB devices could start locking the firmware, but even then, with all these flash drives already out there, it’ll be hard to tell the old, unsafe ones from the new, locked ones. Another option is to require that the firmware be signed. This will, of course, take some time to become the norm.
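
Because a reflashed stick announces itself to the computer as a keyboard or a network adapter, the interface classes each attached device reports can at least be listed and compared with what you expect to be plugged in. The Python script below is an added example, not code from the researchers or from this article; it assumes Linux sysfs, and the port names, allow list and sample data are constructed for illustration.

```python
"""Audit the USB interface classes each attached device reports (Linux sysfs)."""
import os
import sys

# USB-IF base class codes as found in bInterfaceClass.
CLASS_NAMES = {0x02: "CDC communications/network", 0x03: "HID", 0x08: "mass storage",
               0x0A: "CDC data", 0xE0: "wireless controller"}
INPUT_OR_NET = {0x02, 0x03, 0x0A, 0xE0}   # classes that can type keystrokes or carry traffic
STORAGE = 0x08


def read_sysfs(root="/sys/bus/usb/devices"):
    """Return {device: set(interface classes)}; interface dirs are named like '1-2:1.0'."""
    devices = {}
    for entry in sorted(os.listdir(root)):
        if ":" not in entry:          # device and root-hub dirs carry no interface class
            continue
        try:
            with open(os.path.join(root, entry, "bInterfaceClass")) as fh:
                cls = int(fh.read().strip(), 16)
        except (OSError, ValueError):
            continue
        devices.setdefault(entry.split(":")[0], set()).add(cls)
    return devices


def audit(devices, expected_input=()):
    """Flag storage devices that also expose input/network, and input/network not allow-listed."""
    findings = []
    for dev, classes in sorted(devices.items()):
        risky = classes & INPUT_OR_NET
        if not risky:
            continue
        names = ", ".join(CLASS_NAMES.get(c, hex(c)) for c in sorted(risky))
        if STORAGE in classes:
            findings.append((dev, "storage device also exposes: " + names))
        elif dev not in expected_input:   # assumption: allow list keyed by bus-port path
            findings.append((dev, "unexpected " + names))
    return findings


# Constructed sample: plain stick, built-in keyboard, composite stick, 'stick' reporting HID only.
SAMPLE = {"1-1": {0x08}, "1-2": {0x03}, "1-3": {0x08, 0x03}, "1-4": {0x03}}

if __name__ == "__main__":
    live = len(sys.argv) > 1 and sys.argv[1] == "--live"
    for dev, reason in audit(read_sysfs() if live else SAMPLE, expected_input={"1-2"}):
        print(dev, reason)
```

The script only reports what a device declares when it enumerates, so it is a way to notice a "flash drive" that shows up as a keyboard or network adapter, not a way to inspect the firmware itself.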