Great — there’s a new security risk popping up that has a lot of people worried, and it uses USB to change the game and raise the risk of what can be infected if your system is compromised.
Traditional software viruses live on a hard drive, as an App or part of the OS. Protecting your drive from getting infected has been the defense.
If you picked a virus up you tried to scrub it from your drive. If successful your computer was restored to regular use. If not successful you could reformat your drive, restore your data from a backup, and return to normal work.
But now USB firmware has been cracked and can be spoofed. Firmware is the little bit of software built into all USB devices that handles low-level operations such as Who/What/When/Where/Why. See, if you manage to get compromised firmware onto a device, it can say it’s something it’s not. It can misrepresent itself and do tasks not associated with it at all. Traditional computer viruses can easily start installing evil firmware to your devices.
For instance – a USB stick with compromised firmware could ID itself as a keyboard and tell the computer to open a command window and accept what it ‘types’. A camera with comprised firmware could take your data while it’s copying pictures to your drive. A USB keyboard could run a keylogger program, recording all your passwords and using your computer to transmit them to someone else.
And even worse — a USB device is actually allowed to ID itself as multiple things simultaneously, so your computer would easily accept whatever USB devices it sees.
Detecting the bad firmware is also very difficult. Nothing on the market currently would even be able to recognize a problem with the device. It could do it’s dirty work in the background for years without ever being detected.
Adding to this is the intimacy at which firmware and the hardware interact. Even the tools to debug or monitor firmware needs the firmware to work. Compromised firmware could continue to report that there is no problem. Firmware is designed to allow updates over top of itself, and only the factory that builds the device could guarantee that the device has clean firmware.
All in all, a messy situation, one that probably kept one of the designers of USB up all night.
Put into simple terms — the next virus you get could infect every USB thing plugged into your computer, rendering them compromised with no way to restore them, nor a way to accurately identify whether they even are compromised. Some of us will keep the devices and lose even more security, while others will have to replace most of their system because of a virus.
Watch out for USB devices on eBay once this gets out in the wild, and never let a stranger put a USB stick in your computer.