USB Spying Still a Danger

by Mike on April 19, 2015

USB ports were awesome alternatives for data transfers when they first came out. They were so convenient because they allowed people to connect so many different types of devices as opposed to just using discs to read and write data. They were so awesome back in 1998 that they never went out of style. So new computers like Chromebook Pixels and MacBooks are going to get another upgraded USB version called USB-C. As soon as its features were announced, there were immediately thousands who couldn’t wait to have it. But USB-C doesn’t just deliver a better fit or faster data speeds; it also delivers malware.

Why USB-C is Being Targeted

Let’s first talk a little bit about USB-C. USB-C comes with USB version 3.1, which will allow a 10 gigabyte per second transfer rate as opposed to the previous version, USB 3.0, which is up to 5 Gbps only. Also, USB-C has a 20-volt capacity compared to the USB 3.0’s measly 5 volts. USB 3.1 is a big step up because the power boost allows people to use it for both charging and fast data transfer at the same time. The connectors are also all the same size, so there will be no more cable confusion and fitting fits. It’s an awesome technology, and we are sure that the NSA can’t wait to exploit it, along with your average online thieves and various scoundrels.

First of all, this new USB version is not immune to the BadUSB type of malware. BadUSB is reprogrammed USB firmware that turns a flash drive into a malicious device. When this flaw in USB technology was discovered and announced last July by researchers Karsten Nohl and Jakob Lell of Germany’s SR Labs, the code for the bug was not released. The researchers knew that the vulnerability was a really bad one, and thought that they could protect people by keeping it a secret. But of course the idea was out there in the open, so other malicious brains could figure it out while security researchers had nothing to go on even if they desperately wanted to develop a cure.

Security researchers Brandon Wilson and Adam Caudill have since worked on BadUSB and were able to share their code on GitHub so that a solution could be developed. Of course, sharing the code would allow attackers to easily take advantage of the bug. But at least security teams can also work faster on developing a fix for it. With this information on hand, the serious problems that BadUSB presents should have been immediately tackled by USB manufacturers. But of course they did not. These manufacturers focus on features and bet that they can sell their product based on this alone, relying on users to disregard risks and not demand that security be ensured before they make any purchases. People are often blinded by new features and easily think these are more important than the chance they might be infected by a vulnerability, even one that can do so much damage. Wilson and Caudill did issue a patch for the bug, but it is not a truly reliable cure for BadUSB. For starters, it is not effective on all devices and has to be manually modified. Even after the patch is applied, the USB firmware can be reprogrammed again using the pin shorting technique.

So the duty falls to other concerned parties like our top VPN provider ExpressVPN, who shared this story with us. Thanks go to them also for stepping up to warn the buying public of the dangers of BadUSB and new technology like USB-C that is even more prone to infection than its predecessors. Without this we would not know that BadUSB can actually be used to deliver control of a computer over to attackers. These malicious elements can make changes to any files that have been installed using the infected flash drive. They can also do other things on the computer like automatically redirect Internet traffic.

Why It’s So Dangerous

A lot of people argue that they can easily avoid BadUSB by not using strange USB devices. We are already careful about plugging in unknown devices from just the usual old threats like Trojans and worms, right? So what’s the big deal?

Pre-loading devices with malware has become very common. Remember how Lenovo even accepted payment for using Superfish? Lots of smaller, struggling manufacturers would surely be even more likely to do similar deals for desperately needed extra funds. When USB-C hits the mainstream, with its power capabilities and fast data transfer, it will be the ultimate hacking tool. Online criminals can use it to snoop around and quickly find the juiciest of targets. Spies can use it to get direct access to any device they want. The NSA is actually already perfecting Cottonmouth-I, their very own man-in-the-middle USB implant. This attack – there’s just no other word for it – is designed to make a USB into a tapping device and even to permit remote access and control over the device that it infects. These types of attacks are no joke because they only take about 20 US dollars to build and will soon be abused by cybercriminals to execute a whole range of scams.

Just because you are about to invest in a sophisticated machine from a respected vendor like Apple or Google, it doesn’t mean that you are secure. Remember the Apple Pay hack? Remember the Apps for Work bug? These are just the most recent examples, and very recent they were indeed. No matter how secure these companies claim their stuff is, there’s always a tiny thing that gets overlooked. In this case, it’s USB-C with its universal cable. Without a fix, there’s nothing anyone can do to prevent the infection, which is more likely to hit a ton of people not only as time goes by but also because of the sophistication and projected popularity of the technology. Being neither good nor bad, technology can and always will be manipulated for both purposes. It’s just too easy to spread BadUSB with a one-size-fits-all solution like USB-C.
