#Open journalism No news is bad news

Your contributions will help us continue to deliver the stories that are important to you

Support The Journal
Dublin: 11°C Wednesday 23 June 2021

Hackers have figured out a major security flaw in USB sticks

Even completely deleting the contents of a USB stick wouldn’t get rid of the dangerous code.

Image: USB via Shutterstock

A VAST NUMBER of USB devices — whether they’re USB sticks or keyboards — could now be vulnerable to malware after security researchers published code that spreads itself by hiding in the firmware that controls how USB devices connect to computers.

Wired reports that the “BadUSB” vulnerability, first developed by security researchers, has been released online. This means that hackers can now start using it to infect computers.

The “good” news is that vulnerability only comes from one USB manufacturer, Phison of Taiwan. The bad news is that Phison USB sticks can infect any device they’re inserted into, and it’s not clear whether those devices can then go on to infect any other USB device that is plugged into them afterward.

Phison does not disclose who it makes USB sticks for — so it’s not yet clear how widespread the problem might be.

The vulnerability in USB works by modifying the firmware of USB devices, hiding malicious code in USB sticks and other devices in a way that’s impossible to detect.

Even completely deleting the contents of a USB stick wouldn’t get rid of the dangerous code. According to Wired, the vulnerability is “practically unpatchable.” Once infected, each USB device will infect anything it’s connected to, or any new USB stick coming into it.

Hackers Could Use This To Take Over Your Computer

“BadUSB” can be used to force computers into thinking that a USB device is a keyboard, allowing hackers to type whatever they like on your computer. Alternatively, it can replace legitimate software installed on a computer with a corrupted version that hackers can use to control a computer. Another use for the exploit is monitoring all internet traffic through a computer, allowing a hacker to spy on what you’re doing.

The Manufacturer Denies It’s a Problem

The only way to fix the vulnerability would be to completely redesign the way that Phison USB devices are built. Security researchers have already contacted Phison, the specific manufacturer of the USB devices that were found to be vulnerable, but the company “repeatedly denied that the attack was possible”.

The NSA May Have Been Using This Exploit

Edward Snowden’s leaks revealed that the NSA possesses a spying device known as “Cottonmouth” that uses a vulnerability in USB to monitor computers and relay information. It’s possible that Cottonmouth works using a similar vulnerability as the discovery outlined above.

screen shot 2014-10-03 at 10.29.51 Source: EFF

It Could Start Spreading Very Quickly

The BadUSB malware spreads two ways: From the infected USB device to a computer, and from an infected computer to a USB device. This means that if hackers start infecting people using the malware, it could soon be found around the world.

- James Cook

Read: Biggest US bank reveals 76 million customers were hacked >

More: Celebrities who took nude photos are “dumb” – EU Commissioner >

Published with permission from:

Business Insider
Business Insider is a business site with strong financial, media and tech focus.

Read next:


This is YOUR comments community. Stay civil, stay constructive, stay on topic. Please familiarise yourself with our comments policy here before taking part.
write a comment

    Leave a commentcancel