According to Wired, the only way to combat this exploit is to start treating USB devices like hypodermic needles.

It turns out that USB devices — all of them — have a fundamental flaw that allows a malicious hacker to take over your computer and infect any other USB device that is plugged into it. According to Wired, which first reported the USB exploit, malware can be installed in the firmware of any USB device. Once plugged into a computer, it can allow a malicious hacker to completely take over.

Importantly, this is not limited to USB drives (frequently called thumb drives for reasons that have always escaped me). Because the exploit lives in a USB device’s firmware, it can be passed around by any USB device, like a mouse, Bluetooth dongle, your printer, your USB rocket launcher — anything.

The malware can also be spread from the computer to any USB device plugged into it. Consider the laptops that most conferences have at the podium so you don’t have to deal with hooking up your own laptop to the projector. If someone plugs in an infected USB drive in order to transfer his slides, every USB device plugged into that computer afterward would become infected. Plug it into your computer back in your office, and now you are spreading the malware to every other USB device you have, which will spread it to every computer they are plugged into, and so on.

From what I can tell, the exploit does not automatically work this way, but it seems like a logical way to implement the malware if you wanted to compromise as many computers as possible. It would spread extremely quickly.

This USB exploit sounds very similar to the NSA’s “Cottonmouth” device, a spying device hidden in a USB peripheral’s plug. There is no way to know for sure, but it would not be surprising if the researchers who discovered this exploit turned out to be a few years behind the NSA. If the NSA does have something similar, it could just be using it to target specific computers, or it could be using the exploit to increase its access to as many computers as possible.

According to Wired, the only way to combat this exploit is to start treating USB devices like hypodermic needles. The moment a USB device is plugged into a computer you do not trust (for most of us, this means any computer we do not control), throw it away. And if you plug an untrusted USB device into your computer, well, format it and start with a clean OS install, at a minimum. You might even want to throw it away. Just hope China — you know, the country where all your computers, USB devices, and peripherals are manufactured — has not already discovered this exploit and decided to use it on a large scale.

The only other way to know a USB device is safe is if the manufacturer has implemented “code signing,” in which case you could run a scan to ensure the firmware comes from the manufacturer and has not been tampered with. The researchers who uncovered the exploit say that companies might want to buy USB devices only from manufacturers who sign their code and provide a way to check the integrity of their devices, although such a company may not even exist yet.
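What such an integrity check amounts to, as an added example that is not from Wired, the researchers, or any manufacturer: a firmware image is accepted only if its signature verifies against the vendor's public key. The key pairs, file names and firmware bytes are constructed for the demo, and it assumes the `openssl` command-line tool is installed and that a vendor publishes a public key and a signature for each image.

```shell
#!/bin/sh
# Added example: accept a firmware image only if its signature verifies
# against the vendor's public key. Keys, names and bytes are constructed.

# verify_firmware PUBKEY SIGNATURE IMAGE -> exit status 0 only on a valid signature
verify_firmware() {
    openssl dgst -sha256 -verify "$1" -signature "$2" "$3" >/dev/null 2>&1
}

# check PUBKEY SIGNATURE IMAGE -> prints a one-line verdict
check() {
    if verify_firmware "$1" "$2" "$3"; then
        echo "TRUSTED: $(basename "$3")"
    else
        echo "REJECTED: $(basename "$3")"
    fi
}

# make_demo DIR -> builds a throwaway "vendor" key, a signed image,
# a tampered copy, and a signature made with an unrelated key
make_demo() {
    dir=$1
    openssl genrsa -out "$dir/vendor_priv.pem" 2048 2>/dev/null
    openssl rsa -in "$dir/vendor_priv.pem" -pubout -out "$dir/vendor_pub.pem" 2>/dev/null
    openssl genrsa -out "$dir/other_priv.pem" 2048 2>/dev/null

    printf 'CONSTRUCTED-FIRMWARE-IMAGE-v1.0' > "$dir/fw.bin"
    openssl dgst -sha256 -sign "$dir/vendor_priv.pem" -out "$dir/fw.sig" "$dir/fw.bin"

    # Tampered copy: the signed image with extra bytes appended
    cp "$dir/fw.bin" "$dir/fw_tampered.bin"
    printf 'EXTRA' >> "$dir/fw_tampered.bin"

    # Same image, but signed by someone who is not the vendor
    openssl dgst -sha256 -sign "$dir/other_priv.pem" -out "$dir/other.sig" "$dir/fw.bin"
}

demo_dir=$(mktemp -d)
make_demo "$demo_dir"
check "$demo_dir/vendor_pub.pem" "$demo_dir/fw.sig"   "$demo_dir/fw.bin"
check "$demo_dir/vendor_pub.pem" "$demo_dir/fw.sig"   "$demo_dir/fw_tampered.bin"
check "$demo_dir/vendor_pub.pem" "$demo_dir/other.sig" "$demo_dir/fw.bin"
rm -rf "$demo_dir"
```

The check is only as good as the copy of the firmware it is run on and the authenticity of the public key, which is why the researchers pair signing with a vendor-provided way to check the device itself.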

So for now, don’t plug any USB device into your computer unless you trust it.


  • Aaron Street

    Computer security posts are always such downers.

    I hope the Silicon Valley wizards get to work on something so that some day in the future you can announce, “No worries, lawyers, your data is really pretty safe.”

  • Bert Freeman

    Fix this immediately… or risk consequences of extreme nature. Knowledge is power, and knowledge leaked to our country’s adversaries is power that returns to defeat us on the battlefield and in the global economy.

  • Paul Spitz

    Every time I come to this site there’s another post on something that isn’t safe. Pretty soon, I’ll come here and find a post entitled “Next time you start your laptop, you will die.”

    • I’m not ready to give up yet, but every time I write one of these posts I get closer to saying “screw it” and going back to pen and paper and big deadbolts on the file room door.

  • EuroBirdbrain

    How many times have I stuck my USB thumb drive into a public photo-mat to make copies. I’ve had USB sex with millions.

    • From here on out I think flash drives you plug into public machines should be considered disposable.

      And maybe format your hard drive and reinstall your OS just to be on the safe side.

  • At the risk of sounding either dismissive or fatalistic, are these risks not present with each new bit of software we install regardless of the medium, and with each new Web site we visit? Forewarned is forearmed, of course, but even big deadbolts on the file room door are irrelevant to a disloyal employee.

    • There are similarities, sure. This is a different attack vector, though, obviously.

      • I agree. I think we’ve reached the same conclusion: there’s no such thing as “secure,” and there never really was. I just hope that Bartok LP I bought yesterday hasn’t converted my record player into a malware zombie.

        • This article raises an interesting problem (tl;dr: security is inconvenient and companies don’t really care about it because fixing security glitches often does more harm to the bottom line than leaving them), especially in the context of legal software.

          Are lawyers more serious about security than the average consumer? The number of lawyers content to use consumer-grade software seems to suggest they aren’t any more serious about security, or don’t appreciate the risks any better.

  • bp490

    Okay; I get it. BUT, if you are attending a seminar and the handouts and other information are on a thumb drive, is there a safe way to upload the information? Ditto with attorneys providing case information to courts or other related parties.

    • I’d ask for a link to download the materials, instead. That way, you’re just getting the data, not the application that could be lurking in the USB drive’s firmware.

  • topsully

    Sam – How do you feel about the “cleaning” staff walking around after having been bribed to pop usb drives into computers for a few minutes in every office they visit to clean? Sort of defeats any precautions you personally take to keep bad devices out of your machine.

    • How do I feel? I feel like it is an unlikely scenario that is probably defeated by making everyone log out at the end of the day. I can think of easier ways to get USB drives into a firm’s computers.

      But yes, it’s pretty difficult to protect against this exploit unless you have full control over your machines at all times. This is the stuff system admins’ nightmares are made of.