USB Security Flaw
A newly discovered fundamental flaw in USB design means increased security risks for PC users. The issue derives from the fact that USB, by design, is incredibly versatile. The designers of USB technology (the USB Implementers Forum) sacrificed security in favor of versatility.
Essentially the flaw, dubbed BadUSB by Security Research Labs in Berlin, takes advantage of the fact that every USB device has a controller chip to manage the connection between your computer and your device. The controllers have firmware which can be reprogrammed to change the function of the device. This reprogramming can do a whole host of malicious things and is almost impossible to detect. More importantly, there doesn’t appear to be an immediate fix.
So what can you do to protect yourself?
The most important thing you can do to protect yourself is to only use USB devices which you know and trust. If you purchased your USB printer, flash drive or other device from a reputable source, and you have maintained possession of the device, then you are likely safe. Additionally, if your computer is infected with viruses or malware then your own computer could infect your USB devices. So it is very important to maintain Safe Computing Best Practices.
For those of us who rely on flash drives to obtain documents from clients and co-workers it may be difficult to be certain of the trustworthiness of those drives. So here are some methods you can employ to try and keep your PC safe and clean.
Virtual Clean Room.
My concept for a “Virtual Clean Room” is a spare computer, not connected to the internet, where you can transfer documents from untrustworthy drives to a trustworthy medium or drive. Ideally your trustworthy drives would be something other than a USB drive, since an infected drive could, in theory, infect a clean drive. So what can you use instead of a USB drive? CD-RW discs, DVD-RW discs, SD memory cards or an eSATA external hard drive would be suitable.
Request your clients change their media devices.
Rather than having to implement a Virtual Clean Room, you could ask your clients and co-workers to change the type of device they use to share their documents. As mentioned above, a re-writable DVD or CD could be a great solution. Or you could suggest Dropbox, IDrive or another online document solution to avoid physical media altogether.
Get a better flash drive
IronKey makes a USB flash drive which it claims is invulnerable to BadUSB malware. They’re expensive, but if your company or line of work requires heightened security they may be the best solution for you.
As always, if you think you’ve got an infection, call and we’ll come to the rescue!