Thanks to a couple of enterprising security experts and hackers presenting at Derbycon in Louisville, Kentucky, last week, BadUSB is now out in the wild, or at least downloadable on GitHub. It’s enough to make your stomach turn and certainly leave you wondering: How do I avoid BadUSB?
To know how to stop BadUSB, the seemingly unstoppable USB stick hack that can turn a USB memory stick into a system-lethal weapon, it’s instructive to understand what it is and isn’t. BadUSB is not malware. It’s not a file you can download from email or off an infected device that can then run rampant on your computer and network. BadUSB is, as the name suggests, a bad USB drive that has been altered to connect to a computer in ways that normal USBs do not.
If you plug such an altered USB into your computer it can, because it’s actually a tiny computer all by itself, run commands, execute files and generally wreak havoc.
While it’s not easy to create these kinds of dangerous USB devices, it’s also impossible for you to tell the difference between a regular USB and an altered one. Worse yet, since the files stored on the USB will not likely be infected, standard security software probably won’t even detect that these are dangerous little pieces of hardware when you plug them into your computer.
We spoke to some security software firms about their best advice for avoiding BadUSB and their recommendations were remarkably analog.
Representatives from the Security Response team at Symantec, which makes the popular Norton family of security software products, acknowledged that traditional anti-virus technology can’t “inspect the drivers running inside a USB device.”
For consumers they recommend:
Security software company McAfee echoed Symantec’s advice. Gary J. Davis, the company’s chief consumer security evangelist, told us, “The best practical advice McAfee can give consumers regarding the BadUSB attack is to avoid thumb drives that are not from a credible source, such as a big box retailer or they have not previously used. Additionally, we would discourage consumers from using promotional thumb drives that are given away at events.”
Davis’ last bit of advice points to what may be one of the chief distribution vectors for BadUSB. Trade show exhibitors long ago gave up handing out pamphlets and folders to show goers and now favor bowls full of USB sticks pre-loaded with information about their products and services. Many of us simply grab every one of them in sight, knowing that we can wipe the data and reuse them for personal storage. However, what if there’s a bowl full of BadUSB drives? Erasing the data will not remove the threat.
Until there’s a technical fix for BadUSB, which likely means re-architecting the fundamentals of USB hardware, we may have to call a moratorium on free USB keys.
Businesses are, perhaps, even more vulnerable than homes. The USB drive is the 21st Century 3.5-inch floppy. While everyone is on a network, it’s not unusual to sneakernet it and hand someone a USB drive with the needed file or presentation. And how often are we handing around reused USB sticks?
As Symantec’s Security Response Team notes, though, there is a way around this practice.
Administrators can lock USB port use on Windows 7 and 8 PCs or they can install endpoint software like Symantec Endpoint Protection, which offers a device control module that prevents USB devices from mounting on systems. There are actually a wide variety of tools for system administrators including Safend Protector, Sophos Endpoint Security and Data Protection and Skyrecon StormShield Endpoint Security.
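To make the device-control idea concrete, here is an added example (not code from Symantec or any product named above) of the kind of decision such a module makes when a device is plugged in. The policy format, device IDs and sample devices are hypothetical; the interface class codes (0x08 mass storage, 0x03 HID, 0x02 communications) are the standard USB values.

```python
# Added example: a minimal device-control decision, not any vendor's product logic.
# Input is the set of USB interface class codes a device announces
# (bInterfaceClass, readable on Linux under /sys/bus/usb/devices/).
from dataclasses import dataclass

MASS_STORAGE, HID, CDC = 0x08, 0x03, 0x02
CLASS_NAMES = {MASS_STORAGE: "mass-storage", HID: "HID (keyboard/mouse)",
               CDC: "communications/network"}

@dataclass(frozen=True)
class UsbDevice:
    vid_pid: str                 # "vvvv:pppp", as reported by the device itself
    label: str
    interface_classes: tuple     # one entry per interface descriptor

@dataclass(frozen=True)
class Policy:                    # hypothetical policy format
    allowed_ids: frozenset       # devices IT has issued
    allow_storage: bool = False  # lock-down default: no removable storage

def evaluate(dev: UsbDevice, policy: Policy):
    """Return (verdict, reasons); verdict is 'allow' or 'block'."""
    classes = set(dev.interface_classes)
    reasons = []
    if dev.vid_pid not in policy.allowed_ids:
        reasons.append("device ID not on the issued-hardware allowlist")
    if MASS_STORAGE in classes and not policy.allow_storage:
        reasons.append("removable storage is disabled by policy")
    # A plain memory stick announces storage only. Storage combined with an
    # input or network interface is the mismatch a re-programmed stick shows.
    extra = classes & {HID, CDC}
    if MASS_STORAGE in classes and extra:
        names = ", ".join(CLASS_NAMES[c] for c in sorted(extra))
        reasons.append(f"storage device also announces: {names}")
    return ("block" if reasons else "allow", reasons)

# Constructed sample devices (IDs are made up for illustration).
SAMPLES = [
    UsbDevice("1111:0001", "issued keyboard", (HID,)),
    UsbDevice("2222:0002", "trade-show stick", (MASS_STORAGE,)),
    UsbDevice("3333:0003", "stick with extra interface", (MASS_STORAGE, HID)),
]
POLICY = Policy(allowed_ids=frozenset({"1111:0001"}))

if __name__ == "__main__":
    for d in SAMPLES:
        verdict, why = evaluate(d, POLICY)
        print(f"{d.label:28} {verdict:5} {'; '.join(why)}")
```

Because the ID and interface classes are reported by the device's own firmware, an allowlist like this narrows exposure rather than proving that a device is genuine.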
Fears over how to manage and share files and documents across a company and between partners without running into BadUSB may prompt more people to adopt the cloud. (Cloud storage is, of course, an Internet-only option for sharing and synchronizing all kinds of files.)
If you do plug a BadUSB into your computer, there is a chance that security software could protect you. Symantec points out that while the BadUSB may be able to cloak its nefarious purpose, as soon as it tries installing or running malware on a protected system, resident security software should detect and block it. “So the threat may remain hidden,” said one Symantec analyst, “but it will not be able to infect a protected machine.”
At least in practice. In the meantime, it’s unlikely anyone will stop using USB ports for storage and data transfer, but if BadUSB goes from GitHub to your desktop, you’ll want to change your USB stick-sharing ways.