Has ‘BadUSB’ Malware Effectively Killed USB Devices in the Enterprise?

As our industry is a major source of secure hardware and workflow solutions for the security-conscious enterprise, this news is both disruptive and disturbing. Findings from security researchers Karsten Nohl and Jakob Lell will be presented next week contending that the security of USB devices has long been fundamentally broken.

BadUSB is a new form of malware that allows any USB device, including memory sticks (thumb drives), keyboards, mice, smartphones, etc., to invisibly hijack a PC and possibly even redirect a user’s internet traffic or logged keystrokes. What makes this serious is that it is not just a file that can be wiped from the device: it embeds itself in the device’s firmware, which in turn opens up a Pandora’s box of conspiracy nightmares.

“These problems can’t be patched,” says Nohl, who will join Lell in presenting the research at the Black Hat security conference in Las Vegas. “We’re exploiting the very way that USB is designed.”

Nohl and Lell also describe BadUSB as an above-average theoretical threat, as they contend that the infection can travel in both directions, from a USB device to the PC and vice versa. This means that any time a USB device is plugged into an infected PC, its firmware can be re-programmed unnoticed by the user. “It goes both ways,” Nohl says. “Nobody can trust anybody. In this new way of thinking, you can’t trust a USB just because its storage doesn’t contain a virus. Trust must come from the fact that no one malicious has ever touched it. You have to consider a USB infected and throw it away as soon as it touches a non-trusted computer. And that’s incompatible with how we use USB devices right now.”

Liz Nardozza, spokesperson from the USB Implementers Forum, a non-profit corporation that oversees the USB standard, responds accordingly: “Consumers should always ensure their devices are from a trusted source and that only trusted sources interact with their devices. Consumers safeguard their personal belongings and the same effort should be applied to protect themselves when it comes to technology.”

The Only Solution

The solution is not a patch. We will have to fundamentally change how we use USB devices. To avoid an attack, you do not connect your USB device to computers you don’t own or don’t have good reason to trust. Conversely, you don’t plug an untrusted USB device into your own computer. Nohl admits that this makes the ubiquitous USB flash drives and many other USB-powered devices significantly less useful. “In this new way of thinking, you can’t trust a USB just because its storage doesn’t contain a virus. Trust must come from the fact that no one malicious has ever touched it,” says Nohl. “You have to consider a USB infected and throw it away as soon as it touches a non-trusted computer. And that’s incompatible with how we use USB devices right now.”

What Does it All Mean

For our security-conscious industry, it probably means the death of USB convenience ports that are located on the control panel of a printer or MFP or print controller, as well as those found on the back of some devices to facilitate firmware upgrades, PictBridge printing, and peripheral attachment. At the very least, this news should spur the manufacturers to: 1) eliminate USB ports altogether; 2) provide the concrete ability to lock them down both electronically and physically; 3) secure firmware related to said USB ports; and 4) re-consider their marketing strategies when it comes to USB. Finally, providers of USB-based solutions will have to re-group and consider a fundamental re-design of their solutions.