Bad USB!

First off, my apologies for the late post. I spent all day recording the lecture for the week I’ll be gone, and it turned out to be much more involved than I had anticipated. I think it ultimately came out all right, but it took about six and a half hours.

So we’ll see how it goes; in the meantime, here’s a late post.

Earlier this year came the revelation that every single one of the billions of USB devices out there has a fatal flaw in its firmware: a malicious user or hacker could reprogram it to fool the machine into which it is plugged into thinking it is some other type of device. In other words, it may be a thumb drive, but its firmware could be reprogrammed to fool a PC into thinking it’s a keyboard, which would then allow it to send keypresses to the host machine, letting a malicious user get the host to carry out malicious tasks. The flaw is known as BadUSB.

The flaw is serious, VERY serious, and there are not one, not two, not three, not four, but five different worst parts about it. First, it’s unpatchable, unfixable. Second, even if a fix is discovered, it won’t be something that happens in the near future. Third, it affects every single USB device out there. Fourth, it is almost impossible to determine if a particular device has been exploited. Fifth, the code that allows the exploit to happen has been released to the public by security researchers. They claim it’s to force the industry to find a fix; I, however, feel it was probably a bad idea.

The only thing you can do in response is use USB devices that you trust, ones that you’ve already been using. Otherwise, this could cause a real upheaval and a change in how people use technology and devices. It’s a very serious flaw, and one that will be with us for quite some time.
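The "only use devices you trust" advice can be backed by a host-side check. The following is an added example, not code from the BadUSB researchers or any tool: it pins each approved device to the interface classes it declared when approved and flags a thumb drive that later declares a keyboard. The device IDs, serials and the `audit` helper are made up for illustration; the class codes are the standard USB-IF values.

```python
# Added example: pin each trusted USB device to the interface classes it
# declared when first approved, and flag any later change.
# USB-IF class codes: 0x03 = HID, 0x08 = Mass Storage.
# HID subclass 0x01 / protocol 0x01 = boot-interface keyboard.
HID, MASS_STORAGE = 0x03, 0x08

def is_keyboard(iface):
    """iface is a (class, subclass, protocol) tuple from an interface descriptor."""
    return iface == (HID, 0x01, 0x01)

def audit(device, baseline):
    """Return a list of findings for one enumerated device (hypothetical helper).

    device:   {"id": "vid:pid:serial", "interfaces": [(cls, sub, proto), ...]}
    baseline: {"vid:pid:serial": set of interface tuples approved earlier}
    """
    findings = []
    seen = set(device["interfaces"])
    approved = baseline.get(device["id"])
    if approved is None:
        findings.append("unknown device")
    else:
        extra = seen - approved
        if extra:
            findings.append("new interfaces since approval: %s" % sorted(extra))
    classes = {cls for cls, _, _ in seen}
    if MASS_STORAGE in classes and any(is_keyboard(i) for i in seen):
        findings.append("storage device also declares a keyboard")
    return findings

# Constructed sample data (IDs and serials are made up for illustration).
BASELINE = {
    "1234:5678:SER001": {(MASS_STORAGE, 0x06, 0x50)},   # thumb drive
    "1234:9abc:SER002": {(HID, 0x01, 0x01)},            # desk keyboard
}
SAMPLES = [
    {"id": "1234:5678:SER001", "interfaces": [(MASS_STORAGE, 0x06, 0x50)]},
    {"id": "1234:5678:SER001",
     "interfaces": [(MASS_STORAGE, 0x06, 0x50), (HID, 0x01, 0x01)]},
    {"id": "dead:beef:SER999", "interfaces": [(HID, 0x01, 0x01)]},
]

if __name__ == "__main__":
    for dev in SAMPLES:
        print(dev["id"], audit(dev, BASELINE) or "ok")
```

This inspects only what a device declares at enumeration; it cannot vouch for the firmware itself, which is why the check complements rather than replaces the advice above.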
