Hackers have figured out a major security flaw in USB sticks

Even completely deleting the contents of a USB stick wouldn’t get rid of the dangerous code.

A VAST NUMBER of USB devices — whether they’re USB sticks or keyboards — could now be vulnerable to malware after security researchers published code that spreads itself by hiding in the firmware that controls how USB devices connect to computers.

Wired reports that the “BadUSB” vulnerability, first developed by security researchers, has been released online. This means that hackers can now start using it to infect computers.

The “good” news is that the vulnerability only comes from one USB manufacturer, Phison of Taiwan. The bad news is that Phison USB sticks can infect any device they’re inserted into, and it’s not clear whether those devices can then go on to infect any other USB device that is plugged into them afterward.

Phison does not disclose who it makes USB sticks for — so it’s not yet clear how widespread the problem might be.

The vulnerability in USB works by modifying the firmware of USB devices, hiding malicious code in USB sticks and other devices in a way that’s impossible to detect.

Even completely deleting the contents of a USB stick wouldn’t get rid of the dangerous code. According to Wired, the vulnerability is “practically unpatchable.” Once infected, each USB device will infect anything it’s connected to, or any new USB stick coming into it.

Hackers Could Use This To Take Over Your Computer

“BadUSB” can be used to force computers into thinking that a USB device is a keyboard, allowing hackers to type whatever they like on your computer. Alternatively, it can replace legitimate software installed on a computer with a corrupted version that hackers can use to control a computer. Another use for the exploit is monitoring all internet traffic through a computer, allowing a hacker to spy on what you’re doing.
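For defenders, the keyboard trick described above is visible in what a device declares when it is plugged in: a stick sold as storage should list only a storage interface. The following is an added example, not code from the researchers or from Phison; it walks a USB configuration descriptor and reports any interface outside the classes expected for that device. The class codes are the standard USB-IF values, the sample descriptors are constructed for illustration, and reprogrammed firmware controls what it declares, so this shows only the interfaces a device announces.

```python
import struct

DT_CONFIG, DT_INTERFACE = 0x02, 0x04           # USB descriptor types
CLASS_HID, CLASS_MASS_STORAGE = 0x03, 0x08     # USB-IF interface class codes
HID_PROTOCOL_KEYBOARD = 0x01                   # HID interface protocol: keyboard

def interfaces(config: bytes):
    """Yield (number, class, subclass, protocol) per interface descriptor."""
    pos = 0
    while pos < len(config):
        if pos + 2 > len(config) or config[pos] < 2 or pos + config[pos] > len(config):
            raise ValueError(f"malformed descriptor at offset {pos}")
        length, dtype = config[pos], config[pos + 1]
        if dtype == DT_INTERFACE:
            if length < 9:
                raise ValueError(f"short interface descriptor at offset {pos}")
            # bInterfaceNumber, bAlternateSetting, bNumEndpoints, class, subclass, protocol
            num, _alt, _eps, cls, sub, proto = struct.unpack_from("6B", config, pos + 2)
            yield num, cls, sub, proto
        pos += length

def unexpected_interfaces(config: bytes, expected_classes: set):
    """Return (number, class, is_keyboard) for interfaces outside the expected classes."""
    return [(num, cls, cls == CLASS_HID and proto == HID_PROTOCOL_KEYBOARD)
            for num, cls, _sub, proto in interfaces(config)
            if cls not in expected_classes]

# --- constructed sample descriptors (assumptions, not captured from a real device) ---
def iface(num, eps, cls, sub, proto):
    return bytes([9, DT_INTERFACE, num, 0, eps, cls, sub, proto, 0])

def make_config(*parts):
    body = b"".join(parts)
    count = sum(p[1] == DT_INTERFACE for p in parts)
    return struct.pack("<BBHBBBBB", 9, DT_CONFIG, 9 + len(body), count, 1, 0, 0x80, 50) + body

BULK_IN = bytes([7, 0x05, 0x81, 0x02, 0x00, 0x02, 0])     # endpoint descriptors
BULK_OUT = bytes([7, 0x05, 0x02, 0x02, 0x00, 0x02, 0])
INT_IN = bytes([7, 0x05, 0x83, 0x03, 0x08, 0x00, 10])
HID_DESC = bytes([9, 0x21, 0x11, 0x01, 0, 1, 0x22, 0x3F, 0])

STORAGE_IF = iface(0, 2, CLASS_MASS_STORAGE, 0x06, 0x50) + BULK_IN + BULK_OUT
PLAIN_STICK = make_config(STORAGE_IF)
COMPOSITE_STICK = make_config(
    STORAGE_IF, iface(1, 1, CLASS_HID, 0x01, HID_PROTOCOL_KEYBOARD) + HID_DESC + INT_IN)

if __name__ == "__main__":
    for name, cfg in (("plain", PLAIN_STICK), ("composite", COMPOSITE_STICK)):
        print(name, unexpected_interfaces(cfg, {CLASS_MASS_STORAGE}))
```
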

The Manufacturer Denies It’s a Problem

The only way to fix the vulnerability would be to completely redesign the way that Phison USB devices are built. Security researchers have already contacted Phison, the specific manufacturer of the USB devices that were found to be vulnerable, but the company “repeatedly denied that the attack was possible”.

The NSA May Have Been Using This Exploit

Edward Snowden’s leaks revealed that the NSA possesses a spying device known as “Cottonmouth” that uses a vulnerability in USB to monitor computers and relay information. It’s possible that Cottonmouth works using a vulnerability similar to the discovery outlined above.

It Could Start Spreading Very Quickly

The BadUSB malware spreads two ways: from the infected USB device to a computer, and from an infected computer to a USB device. This means that if hackers start infecting people using the malware, it could soon be found around the world.

- James Cook


Published with permission from