Storage sticks, keyboards and a wide range of other devices rely on USB, but USB contains vulnerabilities that attackers can exploit to create all sorts of mischief — from dropping malware to deleting files from a disk, researchers from SRLabs said Thursday at Black Hat 2014 in Las Vegas.
USB devices can also be used to infect a computer or redirect traffic over a different network through a rogue server. There are “no effective defenses” against USB-based attacks, according to a release from SRLabs, in part because a USB device can have several descriptors and it can “deregister and register again as a different device,” said SRLabs' Karsten Nohl.
While a USB device has to go through a negotiation process with a user computer, it “tells a computer what it is and indicates its capabilities,” Nohl explained.
Also, there's no one-to-one correlation between the device and a port or interface. Those traits can turn the benign USB into a tool for exploitation. From there, “we have all the tools we need for malicious activities,” Nohl said, as he and Jakob Lell went on to demonstrate some of the hijinks that bad actors could pull off, using a set of proof-of-concept tools they call badUSB.
While guarding against badUSB devices is difficult, Nohl said among the best defenses is to give thoughtful consideration to the USB devices being used on a network and who the influencers are. And that's “just the opposite of how we use them today,” he said.
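The re-registration trait Nohl describes can at least be watched for on the host. The following is an added example, not code from SRLabs or the original article: it scans a stream of hotplug events and flags a port where a device disappears and quickly returns declaring an interface class it did not declare before. The `Event` record, port names, the 10-second window and the sample events are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# USB-IF base class codes (bInterfaceClass) relevant to the behaviour described.
HID, MASS_STORAGE, CDC = 0x03, 0x08, 0x02
SENSITIVE = {HID: "HID (keyboard/mouse)", CDC: "communications/network"}

@dataclass(frozen=True)
class Event:                # hypothetical record built from OS hotplug logs
    t: float                # seconds since start of capture
    action: str             # "add" or "remove"
    port: str               # physical port path, e.g. "1-2"
    classes: frozenset      # interface classes the device declared about itself

def find_reenumerations(events, window=10.0):
    """Flag ports where a device leaves and comes back within `window`
    seconds declaring a sensitive interface class it did not declare before."""
    last_removed = {}       # port -> (time removed, classes it had declared)
    present = {}            # port -> classes currently declared
    findings = []
    for ev in sorted(events, key=lambda e: e.t):
        if ev.action == "remove":
            if ev.port in present:
                last_removed[ev.port] = (ev.t, present.pop(ev.port))
        elif ev.action == "add":
            prev = last_removed.pop(ev.port, None)
            present[ev.port] = ev.classes
            if prev is None or ev.t - prev[0] > window:
                continue    # first sighting, or long enough ago to be a new device
            gained = {c for c in ev.classes - prev[1] if c in SENSITIVE}
            if gained:
                findings.append((ev.port, sorted(SENSITIVE[c] for c in gained)))
    return findings

# Constructed sample events (not captured from real hardware).
SAMPLE = [
    Event(0.0, "add", "1-2", frozenset({MASS_STORAGE})),
    Event(4.0, "remove", "1-2", frozenset()),
    Event(4.6, "add", "1-2", frozenset({MASS_STORAGE, HID})),  # now also a keyboard
    Event(1.0, "add", "1-3", frozenset({HID})),
    Event(9.0, "remove", "1-3", frozenset()),
    Event(9.5, "add", "1-3", frozenset({HID})),                # replug, nothing new
    Event(2.0, "add", "1-4", frozenset({MASS_STORAGE})),
    Event(3.0, "remove", "1-4", frozenset()),
    Event(60.0, "add", "1-4", frozenset({CDC})),               # outside the window
]

if __name__ == "__main__":
    for port, gained in find_reenumerations(SAMPLE):
        print(f"port {port}: re-registered with new class(es): {', '.join(gained)}")
```

This covers only the deregister-and-register-again behaviour; a device that declares a keyboard or network interface from its first connection produces no finding here.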