Why the security of USB is fundamentally broken and cannot be fixed

“Computer users pass around USB sticks like silicon business cards,” Andy Greenberg reports for Wired. “lthough we know they often carry malware infections, we depend on antivirus scans and the occasional reformatting to keep our thumbdrives from becoming the carrier for the next digital epidemic. But the security problems with USB devices run deeper than you think: Their risk isn’t just in what they carry, it’s built into the core of how they work.”

“That’s the takeaway from findings security researchers Karsten Nohl and Jakob Lell plan to present next week, demonstrating a collection of proof-of-concept malicious software that highlights how the security of USB devices has long been fundamentally broken,” Greenberg reports. “The kind of compromise they’re demonstrating is nearly impossible to counter without banning the sharing of USB devices or filling your port with superglue. ‘These problems can’t be patched,’ says Nohl, who will join Lell in presenting the research at the Black Hat security conference in Las Vegas. ‘We’re exploiting the very way that USB is designed.'”

Greenberg reports, “The problem isn’t limited to thumb drives. All manner of USB devices from keyboards and mice to smartphones have firmware that can be reprogrammed — in addition to USB memory sticks, Nohl and Lell say they’ve also tested their attack on an Android handset plugged into a PC… University of Pennsylvania computer science professor Matt Blaze speculates that the USB attack may in fact already be common practice for the NSA. He points to a spying device known as Cottonmouth, revealed earlier this year in the leaks of Edward Snowden. The device, which hid in a USB peripheral plug, was advertised in a collection of NSA internal documents as surreptitiously installing malware on a target’s machine.”

Much more in the full article here.


      1. I’ve never seen a USB flash memory card, either. Just SD and similar, which can then be read in several different ways. Surely a FireWire reader exists for that SD card that you think is USB.

        1. I have a SanDisk Ultra II SD card that folds in half to reveal a USB connection. Best most convienent memory card I have ever owned. I wish SanDisk hadn’t discontinued them.

  1. “The devices don’t have a restriction known as “code-signing,” a countermeasure that would make sure any new code added to the device has the unforgeable cryptographic signature of its manufacturer”

    This came to the forefront when Palm abused the “honour system” to spoof their device product and vendor IDs as those assigned to iPods and Apple, respectively, when plugged in to USB, to make iTunes sync to the Palm Pre.

  2. There has always been this type of risk of malware spreading through through USB devices.

    The only thing this article adds is Wired’s special mix of sensationalism and flawed technical information.

  3. Just read through the referenced citation.

    My initial thoughts are that an OS should (note: theory) be able to sandbox all I/O to a USB port and do a basic “who are you?” interrogation.

    Take that response and reach out over the Internet with a query to access a library of device firmwares – – find the “Golden Master” firmware of what the device claims to be.

    Download this ‘trusted’ firmware version, then do a compare vs. the firmware that’s in the attached USB device.

    If they don’t match, flag and deal with it accordingly.

    Just my initial thoughts….

    1. If not at the OS level, maybe this is an opportunity to create a device that will act as a sandbox layer to check any USB device plugged in to it. This would ‘outsource’ the checking to a universal device that could be sold in cost effective quantities and free up the main device from such tasks. Maybe even have some way of updating the device periodically to deal with new threats.

  4. OK, I can see where suspect info can be included and even downloaded to a computer. If the code is for a PC, will it infect a Mac?? And visa versa?

    Just wondering.

    1. The answer is that potentially yes.

      Example: Plug in your iOS device while iTunes is running and iTunes will pick up the connection and read the device into iTunes. It’s automatic unless you tell iTunes NOT to do it. However, in this case, there is no malware on any iOS device to read into the Mac. But for some devices there could be.

      Obviously, whenever any hardware is connected to a Mac, the machine immediately detects and identifies it. This does NOT mean any malware on the device is read. But a process on the computer could look for more than just hardware identification data.

      For years on Windows, Microsoft stubbornly insisted that discs and devices connected to Windows could automatically and immediately have certain executable files booted. If they were malware, oh darn. It’s still possible to activate automatic reading on Windows, a terrible idea.

  5. I stopped liking USB a long time ago, when it became more than USB. It became a networking alternative, sported ever higher speed ratings while not really being able to deliver, it’s wireless connectivity … it tries too hard to be everything at all times to everyone and it has stifled alternate tech like FW, 400/800 and it’ll probably do its level best to outdo THunderbolt … What it does do a decent job of is connecting keyboards and mice and other input devices into a computer, and personally I wish it would just do that and nothing more.

Reader Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.