Reference: CERT-EU Security Advisory 2014-138 - New: BadUSB

Short Summary
-------------
BadUSB is a dangerous USB security flaw that allows attackers to turn a simple USB device into a keyboard, which can then be used to type malicious commands into the victim's computer. Potentially, although no working exploit currently covers this, a BadUSB device could inject malware into files as they are copied from a USB device to a computer and back [2].

Impact
------
Once reprogrammed, benign devices can turn malicious in many ways, including [1]:

* A device can emulate a keyboard and issue commands on behalf of the logged-in user, for example to exfiltrate files or install malware. Such malware, in turn, can infect the controller chips of other USB devices connected to the computer.
* The device can also spoof a network card and change the computer's DNS setting to redirect traffic.
* A modified thumb drive or external hard disk can - when it detects that the computer is starting up - boot a small virus, which infects the computer's operating system prior to boot.

Technical Description
---------------------
BadUSB revolves around the fact that many different devices plug into the same USB connectors. By hacking the code of the USB micro-controller of an "innocent" device, like a USB memory stick, you can turn it into something far more capable, such as a keyboard or a network card. Insert the device into a computer and it could execute commands or even a malicious program without the owner knowing. This is made worse by the fact that malware scanners cannot access the firmware running on USB devices, meaning they cannot fix the problem [2].

The exploit code that demonstrates this problem has been posted on GitHub [3].

Solutions
---------
There is essentially no short-term solution to this problem except not plugging in unknown USB devices.

Vulnerable Systems
------------------
Any USB host device (computers, routers, printers, etc.) is potentially vulnerable.

References
----------
[1] SRLabs: https://srlabs.de/badusb/
[2] Mashable: http://mashable.com/2014/10/03/bad-usb/
[3] GitHub: https://github.com/adamcaudill/Psychson

CERT-EU (http://cert.europa.eu)
Phone: +32.2.2990005 / e-mail: cert-eu@ec.europa.eu
PGP KeyID 0x46AC4383 FP: 9011 6BE9 D642 DD93 8348 DAFA 27A4 06CA 46AC 4383
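As an added detection example (not part of the advisory) for the Impact section above: a host that sees a "storage" device also enumerate a keyboard (input) or network interface has a candidate BadUSB device. The script below parses constructed Linux kernel log lines for the class drivers that bound to each USB bus address; the log lines, bus addresses and vendor/product IDs are constructed placeholders, and the regexes assume the usual usb-storage, input and cdc_ether message formats.

```python
import re
from collections import defaultdict

# Constructed sample kernel log lines (not from the advisory); bus addresses
# and vendor/product IDs are placeholders, not real device identifiers.
SAMPLE_LOG = """\
kernel: usb 1-1: New USB device found, idVendor=1234, idProduct=5678
kernel: usb-storage 1-1:1.0: USB Mass Storage device detected
kernel: input: Flash Disk as /devices/pci0000:00/0000:00:14.0/usb1/1-1/1-1:1.1/0003:1234:5678.0001/input/input5
kernel: usb 1-2: New USB device found, idVendor=abcd, idProduct=0001
kernel: usb-storage 1-2:1.0: USB Mass Storage device detected
kernel: usb 2-3: New USB device found, idVendor=abcd, idProduct=0002
kernel: usb-storage 2-3:1.0: USB Mass Storage device detected
kernel: cdc_ether 2-3:1.1 eth1: register 'cdc_ether' at usb-0000:00:14.0-3, CDC Ethernet Device
"""

NEW_DEV = re.compile(r"usb (\d+-[\d.]+): New USB device found, idVendor=(\w+), idProduct=(\w+)")
# Each pattern captures the bus address (e.g. "1-1") of the interface a class driver bound to.
CLASS_DRIVERS = {
    "storage": re.compile(r"usb-storage (\d+-[\d.]+):\d+\.\d+: USB Mass Storage"),
    "input": re.compile(r"/(\d+-[\d.]+):\d+\.\d+/(?:[^/]+/)*input/"),
    "network": re.compile(r"(?:cdc_ether|rndis_host|cdc_ncm) (\d+-[\d.]+):\d+\.\d+"),
}

def parse_usb_log(text):
    """Map each USB bus address to its vendor:product IDs and the interface classes seen."""
    devices = defaultdict(lambda: {"ids": None, "classes": set()})
    for line in text.splitlines():
        m = NEW_DEV.search(line)
        if m:
            devices[m.group(1)]["ids"] = f"{m.group(2)}:{m.group(3)}"
            continue
        for cls, pat in CLASS_DRIVERS.items():
            m = pat.search(line)
            if m:
                devices[m.group(1)]["classes"].add(cls)
    return dict(devices)

def suspicious_devices(devices):
    """Heuristic: storage devices that also expose an input (keyboard) or network interface.
    Legitimate composite devices exist, so hits are alerts to review, not proof of BadUSB."""
    return sorted(addr for addr, dev in devices.items()
                  if "storage" in dev["classes"] and dev["classes"] & {"input", "network"})

if __name__ == "__main__":
    devs = parse_usb_log(SAMPLE_LOG)
    for addr in suspicious_devices(devs):
        print(f"{addr} ({devs[addr]['ids']}): {sorted(devs[addr]['classes'])}")
```

Fed the real kernel log (for example `journalctl -k`), the same parser gives an inventory of which interface classes each plugged-in device actually presented, which is the only host-side observable the advisory's impact scenarios leave behind.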