It turns out that USB devices — all of them — have a fundamental flaw that allows a malicious hacker to take over your computer and infect any other USB device that is plugged into it. According to Wired, which first reported the USB exploit, malware can be installed in the firmware of any USB device. Once plugged into a computer, it can allow a malicious hacker to completely take over.
Importantly, this is not limited to USB drives (frequently called thumb drives for reasons that have always escaped me). Because the exploit lives in a USB device’s firmware, it can be passed around by any USB device, like a mouse, Bluetooth dongle, your printer, your USB rocket launcher — anything.
The malware can also be spread from the computer to any USB device plugged into it. Consider the laptops that most conferences have at the podium so you don’t have to deal with hooking up your own laptop to the projector. If someone plugs in an infected USB drive in order to transfer his slides, every USB device plugged into that computer afterward would become infected. Plug it into your computer back in your office, and now you are spreading the malware to every other USB device you have, which will spread it to every computer they are plugged into, and so on.
From what I can tell, the exploit does not automatically work this way, but it seems like a logical way to implement the malware if you wanted to compromise as many computers as possible. It would spread extremely quickly.
This USB exploit sounds very similar to the NSA’s “Cottonmouth” device, a spying device hidden in a USB peripheral’s plug. There is no way to know for sure, but it would not be surprising if the researchers who discovered this exploit turned out to be a few years behind the NSA. If the NSA does have something similar, it could just be using it to target specific computers, or it could be using the exploit to increase its access to as many computers as possible.
According to Wired, the only way to combat this exploit is to start treating USB devices like hypodermic needles. The moment a USB device is plugged into a computer you do not trust (for most of us, this means any computer we do not control), throw it away. And if you plug an untrusted USB device into your computer, well, format it and start with a clean OS install, at a minimum. You might even want to throw it away. Just hope China — you know, the country where all your computers, USB devices, and peripherals are manufactured — has not already discovered this exploit and decided to use it on a large scale.
The only other way to know a USB device is safe is if the manufacturer has implemented “code signing,” in which case you could run a scan to ensure the firmware comes from the manufacturer and has not been tampered with. The researchers who uncovered the exploit say that companies might want to buy USB devices only from manufacturers who sign their code and provide a way to check the integrity of their devices — although such a company may not even exist, yet.
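What such a check amounts to, as an added example that is not from the article or the researchers: verifying a detached signature over a firmware image with `openssl`. The key pairs, file names and image bytes are constructed stand-ins, and the script assumes the firmware image is already available as a file, which the article does not describe how to obtain.

```shell
#!/bin/sh
# Added illustration. The key pairs, file names and "firmware" bytes are all
# constructed; a real check needs the vendor's published key and a firmware
# image obtained in a way you trust.

# verify_firmware IMAGE SIGNATURE PUBKEY: exit 0 only if SIGNATURE is a valid
# signature over IMAGE under PUBKEY.
verify_firmware() {
    openssl dgst -sha256 -verify "$3" -signature "$2" "$1" >/dev/null 2>&1
}

# new_keypair NAME: write NAME_priv.pem and NAME_pub.pem into $WORK.
new_keypair() {
    openssl genrsa -out "$WORK/${1}_priv.pem" 2048 2>/dev/null &&
    openssl rsa -in "$WORK/${1}_priv.pem" -pubout -out "$WORK/${1}_pub.pem" 2>/dev/null
}

# Build the constructed samples: a vendor-signed image, a modified copy of it,
# and the modified copy re-signed with a key that is not the vendor's.
demo_setup() {
    WORK=$(mktemp -d) || return 1
    new_keypair vendor && new_keypair other || return 1
    printf 'CONSTRUCTED FIRMWARE IMAGE v1.0\n' > "$WORK/fw.bin"
    openssl dgst -sha256 -sign "$WORK/vendor_priv.pem" \
        -out "$WORK/fw.sig" "$WORK/fw.bin" || return 1
    cp "$WORK/fw.bin" "$WORK/fw_mod.bin" && printf 'X' >> "$WORK/fw_mod.bin"
    openssl dgst -sha256 -sign "$WORK/other_priv.pem" \
        -out "$WORK/fw_mod.sig" "$WORK/fw_mod.bin"
}

# report LABEL IMAGE SIGNATURE: check against the vendor's public key only.
report() {
    if verify_firmware "$WORK/$2" "$WORK/$3" "$WORK/vendor_pub.pem"
    then echo "$1: signature valid"
    else echo "$1: REJECTED"
    fi
}

demo_setup &&
report "vendor image"               fw.bin     fw.sig &&
report "modified, vendor signature" fw_mod.bin fw.sig &&
report "modified, re-signed"        fw_mod.bin fw_mod.sig
rm -rf "$WORK"
```

Only the first image is accepted: the modified copy no longer matches the vendor's signature, and a signature made with any other key does not verify against the vendor's public key.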
So for now, don’t plug any USB device into your computer unless you trust it.
Featured image: “usb plugs” from Shutterstock.