Massachusetts Attorney General Announced Settlement With Travel Company For Pressure Sales And Over-Priced Vacations
Dating Service Admitted Performing Online Experiments Using Its Customers Without Notice And Consent

Researchers Claim USB Security Is Broken

Image of USB stick
Everyone uses USB flash drives (a/k/a thumb drives) to store and share information. Consumers rely upon anti-virus software to scan and detect any computer viruses infecting USB drives. According to a Wired report, researchers have created a proof-of-concept demonstrating the difficulty -- or impossibility -- to detect and remove malware from USB devices:

"... researchers Karsten Nohl and Jakob Lell plan to present next week, demonstrating a collection of proof-of-concept malicious software that highlights how the security of USB devices has long been fundamentally broken... Any time a USB stick is plugged into a computer, its firmware could be reprogrammed by malware on that PC, with no easy way for the USB device’s owner to detect it... The malware they created, called BadUSB, can be installed on a USB device to completely take over a PC, invisibly alter files installed from the memory stick, or even redirect the user’s internet traffic..."

A wide variety of devices employ USB technology: mice, keyboards, desktop computers, laptops, smartphones, tablets, and more. Experts advise consumers to:

  1. Purchase USB sticks and devices only from reputable, trusted retailers,
  2. View any USB sticks or devices you receive from untrusted sources, or people, as infected, and
  3. Don't insert USB sticks and devices into untrusted computers or devices.

What are your opinions of USB sticks? USB security?

Comments

Feed You can follow this conversation by subscribing to the comment feed for this post.

Chanson de Roland

So given the threat that Mr. Jenkins describes, supra, and the advice in the Wired articles that:

". . . The short-term solution to BadUSB isn’t a technical patch so much as a fundamental change in how we use USB gadgets. To avoid the attack, all you have to do is not connect your USB device to computers you don’t own or don’t have good reason to trust—and don’t plug untrusted USB devices into your own computer."

It appears that we can’t securely use USB devices, especially but not only USB sticks. So my advice is don't use them, or at last don't use USB sticks, which can be easily and practically replaced with a former technology, which doesn't have any firmware to corrupt, the venerable CD/DVD disk. This older technology can hold data and/or program files, is cheap, and has large capacity, but they don't have firmware, which can be compromised. Disks can be scanned from first sector to last, and any malware, firmware or otherwise, can be identified and dealt with by antivirus software. Disk can also be signed to guard against a third-party hacker compromising the disk.

So let's return to CD/DVD disks to substitute for and get rid of at least USB sticks and other USB drives. While other USB devices will still be vulnerable to the firmware exploit described, supra, those devices generally don't travel from computer to computer, though there are exception, such as in large companies. But eliminating USB sticks and other USB drives and following the advice that I quoted, supra, from the Wired article will do much mitigate this latest threat to the security of our computing devices.

The other and perhaps more useful lesson is to defer adopting new technologies, whose only real advantage is convenience, when, as here, their technologies can or do or must introduce new security risks and/or other problems. For me, the USB stick is now dead, at least until this latest security breach is effectively and practically fixed.

The comments to this entry are closed.