USB devices, commonly used to copy, store and share data, have also been known as a prime place to carry malware, or malicious software, from one computer to another. But that’s not the end of the story: researchers argue that USB security breaches don’t just originate from bad software, but from the fundamental core of how memory sticks function .
A recent finding by researchers Karsten Nohl and Jakob Lell from security consultancy SR Labs revealed that USB firmware can be reprogrammed to hide attack code, which means that malware can stay hidden. Not only can this prevent antivirus and other security software from locating malicious code, but it even allows malware to survive when all the data in a device is wiped clean.
To prove these fundamental security problems, they created a malware called “BadUSB” that demonstrates how malware could be carried on a USB drive to take over a computer and make inconspicuous changes to files. The malware hides inside the firmware of the USB that controls the basic functions, instead of the flash memory of the device, remaining almost impossible to fix.
“These problems can’t be patched,” Nohl told Wired magazine. “We’re exploiting the very way that USB is designed.”
Lell and Nohl plan to present the research at the Black Hat security conference in Las Vegas next week.