The BadUSB attack is quickly gaining global attention, and rightfully so. BadUSB makes history as the first USB malware to attack the USB device itself instead of attacking the data on the device. It changes the firmware that controls the behavior of the USB hardware, allowing the USB device to become a host that can subsequently infect other computers and USB devices. Once infected, the USB device could act as a keystroke logger or be used to send personal information back to the hacker. Perhaps scariest of all is that the modified firmware cannot be detected by today's anti-malware solutions and, in many cases, may remain undetectable.
BadUSB was first announced in July at the Black Hat 2014 security conference by SR Labs. Since then, additional researchers have replicated the attack. These researchers believe that the only way to drive USB vendors to provide a solution is to publish the code, which they did via GitHub. Fortunately, there are already measures in place that protect against the malware – but we'll get to that in more detail later.
The threat posed by BadUSB potentially impacts all users who use USB ports on their devices. The biggest threat is to organizations, governments and any other entity concerned about being hacked from other countries, corporate espionage or insider threats. Organizations that have mobile workers who work from home or are in remote locations are at additional risk.
What can organizations do?
The best protection against this vulnerability is to only use USB drives that use code signing for firmware updates. If the signed firmware is modified, the device cannot authenticate the firmware and simply will not operate. This prevents the infection from spreading but will result in an unusable device. In addition, you should deploy an end-point protection system that gives IT the ability to specify what devices are allowed to plug into a computer. For even greater security, use tamper-proof USB devices.
To fully protect the enterprise, IT must ensure that employees use only safe USB devices at work, at home and on the road. Using ironclad rules via an end-point protection system will ensure no bad devices are connected to an internal network. To fully protect the business while employees are on the road or at home, employees need a way to carry those IT rules with them at all times so they can safely access the corporate network no matter where they are.
Employing these techniques will prevent BadUSB from affecting an enterprise network. To select safe USB devices, IT can refer to federal guidelines laid out by the National Institute of Standards in Technology (NIST), the federal technology agency in charge of validating technology deployed in the government. FIPS 140-2 is the latest Federal Information Processing Standards (FIPS) is the latest cryptography standard required by the U.S. government for protection of sensitive data. Any device that meets FIPS 140-2 Level 3 will be immune from BadUSB.
While the measures discussed above are available today to protect against BadUSB, it will take time to refresh all vulnerable devices with secure versions of USB. Until then, educating the workforce on best practices, such as not using untrusted flash drives, is crucial to helping prevent the risk of BadUSB.