As I understand it, this problem is actually a pretty serious issue – or at least it could become one.
The real problem is that there’s no work-around other than not using USB for one of the things that it was intended to be used for: easy portability between machines.
Right now I’m honestly not quite certain how concerned we need to be, but I’m not panicking.
USB devices as small computers
To understand what this vulnerability is all about we need to first understand something that isn’t at all obvious about USB devices: many of them are actually small computers unto themselves.
This applies to any USB device. It really doesn’t matter if the device itself appears to be smart and complex – like, say, a printer – or as simple as a USB memory stick. It’s possible that inside that device is a small micro-controller running software (more correctly referred to as “firmware”) that handles the USB interface and carries out the functions the device performs.
We might normally consider a USB device to be conceptually like this:
In this example there is hardwired single-purpose circuitry that’s designed to handle the USB interface on one side, and the hardware that implements whatever the device’s functionality might be on the other. That way the electronics behind the functionality can focus on whatever that might be, whereas the interface circuitry handles the “translation” to the USB interface.
The problem, of course, is that this interface circuitry is both complex and single-purpose. It can only interface to this specific device’s functionality. If you want to make a new device or change the device’s operation in any way, you need to build a completely new device with new circuitry.
That’s where micro-controllers come in:
Rather than designing new interface circuitry, that circuitry is replaced with a tiny programmable computer – a micro-controller.
On the surface you might think that using a multi-purpose micro-controller might be overkill for many of these tasks – and you’d be quite right. But the irony is that it’s often much cheaper to build one micro-controller device and use it in hundreds of different USB applications than it is to build hundreds of different sets of dedicated interface circuitry.
The net result is that using a programmable micro-controller can be quite common. There could be one in your USB memory stick, your USB mouse, your USB keyboard … your USB anything.
Programmable means re-programmable
And this is where things get interesting.
The issue that many are calling a design flaw in USB – even giving it the catchy name “Bad USB” – is that these micro-controllers, if present, can be reprogrammed.
More specifically, they can be reprogrammed to perform malicious acts.
- any USB device could suddenly decide to “look like” a keyboard, and start entering commands to your computer to install malware.
- any USB device could suddenly decide to “look like” a network card and redirect your network activity to malicious sites, or once again cause malware to be downloaded to your computer.
- the list goes on…
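What the computer can observe is the list of functions (USB interface classes) a device announces when it is plugged in. The following is an added example, not part of the original article: a Python check that compares that list with a previously reviewed baseline and reports, for instance, a memory stick that starts announcing a keyboard function. The device IDs, inventory format and helper names are constructed for illustration.

```python
# Added example: constructed data, hypothetical helper names.
# USB base class codes as defined by the USB-IF class code list.
CLASS_NAMES = {0x02: "communications/network", 0x03: "HID (keyboard/mouse)",
               0x08: "mass storage", 0x0A: "CDC data", 0xE0: "wireless controller"}
# Classes that let a device type commands or carry network traffic.
SENSITIVE = {0x02, 0x03, 0x0A, 0xE0}


def device_key(dev):
    """Identify a device by vendor ID, product ID and serial number."""
    return (dev["vid"], dev["pid"], dev.get("serial", ""))


def names(classes):
    """Turn class codes into readable names, in ascending code order."""
    return [CLASS_NAMES.get(c, f"class 0x{c:02x}") for c in sorted(classes)]


def review(baseline, observed):
    """Compare announced interface classes with a reviewed baseline.

    Returns a list of (device_key, reason, [class names]) findings.
    """
    findings = []
    for dev in observed:
        key, classes = device_key(dev), set(dev["interface_classes"])
        if key in baseline:
            added = classes - baseline[key]  # functions not present at review time
            if added:
                findings.append((key, "new function on known device", names(added)))
        elif classes & SENSITIVE:
            findings.append((key, "unreviewed input/network device",
                             names(classes & SENSITIVE)))
    return findings


# Constructed sample inventory (all IDs are made up).
BASELINE = {("aaaa", "0001", "STICK-1"): {0x08},   # memory stick: storage only
            ("bbbb", "0002", ""): {0x03}}          # desk keyboard
OBSERVED = [
    {"vid": "aaaa", "pid": "0001", "serial": "STICK-1", "interface_classes": [0x08, 0x03]},
    {"vid": "bbbb", "pid": "0002", "interface_classes": [0x03]},
    {"vid": "cccc", "pid": "0003", "serial": "X9", "interface_classes": [0x08]},
    {"vid": "dddd", "pid": "0004", "serial": "N1", "interface_classes": [0x02, 0x0A]},
]

if __name__ == "__main__":
    for key, reason, classes in review(BASELINE, OBSERVED):
        print(":".join(key[:2]), key[2] or "-", reason, classes)
```

This does not inspect firmware; it only notices when a device announces a function it did not have when it was reviewed. On Linux the announced classes are exposed in sysfs as `bInterfaceClass`.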
But wait! It gets worse
On top of what a maliciously programmed USB device could do is the fact that its malicious alteration would be undetectable.
If you receive a USB device that has been compromised, there’s simply no way to tell that that’s the case. Anti-malware tools don’t scan for it, and of course the USB devices themselves would be reprogrammed to lie about their condition to any kind of security probe.
And finally, the root of the flaw is that there are no safeguards built into the system to prevent USB devices with micro-controllers from being maliciously reprogrammed, or otherwise detect that it’s happened.
How big a deal is this really?
We simply don’t know yet how big an issue this is.
There have been no reports of this flaw being exploited in the wild. None.
That doesn’t mean that there couldn’t be, or that there won’t be soon, now that the information is out.
The problem is that exploiting it may, or may not, be worthwhile. To be useful or valuable to hackers it actually requires several things to be the case:
- A large number of USB devices use micro-controllers (we don’t know)
- A large number of those USB devices use the same micro-controllers, or micro-controllers that are reprogrammed the same way (we don’t know how many micro-controller types there might be)
- Those micro-controllers have enough reprogrammable memory to contain the additional malicious instructions to perform the malicious activity (we don’t know how much capacity or capability these micro-controllers might have)
It also relies on the existence of re-programming software, either in the form of infected PCs, or at some central location before entering general use.
Right now, to me, it seems like that’s a lot to have to happen for this to become a big issue. Based on what we know today I’m not terribly concerned.
Protection is simultaneously excruciatingly simple and annoying.
Only get USB devices from trusted sources, and don’t share them.
On one hand, for things like mice, keyboards, printers and the like, it’s not that annoying. You buy it, you install it and you use it. There’s no real “sharing” involved.
USB memory sticks, the focus of much of the current press about the issue, are another story. Sharing is what they’re used for. They’re the floppy disks of data transfer today.
And as long as you use them on only trusted machines, you remain safe. But plug them into a computer you don’t know – like say a public computer – then theoretically all bets are off. That public computer could have malware that knows how to reprogram the micro-controller in your memory stick. What you get back might well be compromised.
And the same applies to all USB devices – including phones and cameras.
What would Leo do?
If you know me at all, you’ll know one thing I’m not doing is panicking.
In fact, I’m not doing much of anything. I don’t regularly use USB devices with computers I’m uncertain of, so there’s little for me to change.
Even if I did, today I would probably not even change those habits. At least not until there was more information, and perhaps more confirmation of this flaw actually being exploited in the wild, since right now I don’t expect it to be particularly common.
But from now on I will be on the lookout for new USB devices that incorporate some sort of safety measures that prevent random reprogramming.