Why the security of USB is fundamentally broken and cannot be fixed

“Computer users pass around USB sticks like silicon business cards,” Andy Greenberg reports for Wired. “lthough we know they often carry malware infections, we depend on antivirus scans and the occasional reformatting to keep our thumbdrives from becoming the carrier for the next digital epidemic. But the security problems with USB devices run deeper than you think: Their risk isn’t just in what they carry, it’s built into the core of how they work.”

“That’s the takeaway from findings security researchers Karsten Nohl and Jakob Lell plan to present next week, demonstrating a collection of proof-of-concept malicious software that highlights how the security of USB devices has long been fundamentally broken,” Greenberg reports. “The kind of compromise they’re demonstrating is nearly impossible to counter without banning the sharing of USB devices or filling your port with superglue. ‘These problems can’t be patched,’ says Nohl, who will join Lell in presenting the research at the Black Hat security conference in Las Vegas. ‘We’re exploiting the very way that USB is designed.'”

Greenberg reports, “The problem isn’t limited to thumb drives. All manner of USB devices from keyboards and mice to smartphones have firmware that can be reprogrammed — in addition to USB memory sticks, Nohl and Lell say they’ve also tested their attack on an Android handset plugged into a PC… University of Pennsylvania computer science professor Matt Blaze speculates that the USB attack may in fact already be common practice for the NSA. He points to a spying device known as Cottonmouth, revealed earlier this year in the leaks of Edward Snowden. The device, which hid in a USB peripheral plug, was advertised in a collection of NSA internal documents as surreptitiously installing malware on a target’s machine.”

Much more in the full article here.

20 Comments

  1. I stopped liking USB a long time ago, when it became more than USB. It became a networking alternative, sported ever higher speed ratings while not really being able to deliver, it’s wireless connectivity … it tries too hard to be everything at all times to everyone and it has stifled alternate tech like FW, 400/800 and it’ll probably do its level best to outdo THunderbolt … What it does do a decent job of is connecting keyboards and mice and other input devices into a computer, and personally I wish it would just do that and nothing more.

Reader Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.