Get All Access for $5/mo

Why a Dangerous Security Flaw in USB Devices Is Putting Computers Everywhere at Risk Thumb drives and other USB devices are vulnerable to malware that could let an attacker take over a user's computer.

By Benjamin Kabin

Opinions expressed by Entrepreneur contributors are their own.

USB devices and the computers their users connect them to are vulnerable to malicious code that can totally take over a user's computer, manipulate files stored on the drive and redirect Internet traffic.

Security researchers Karsten Nohl and Jakob Lell first demonstrated the attack this summer at the Black Hat security conference in Las Vegas where they showed a large crowd how their malware embeds itself in the firmware that allows USB devices to communicate with computers, Wired reports.

Nohl and Lell did not publish their code, called BadUSB, for fear that it would be used for nefarious purposes; but now two other researchers have opened Pandora's Box.

Related: FBI to Apple, Google: Your New Privacy Policies Are Making People Less Safe

At last week's Derbycon hacker conference two other researchers, Adam Caudill and Brandon Wilson demonstrated that they'd reverse engineered the BadUSB malware and then published it on Github for anyone to see.

"The belief we have is that all of this should be public. It shouldn't be held back. So we're releasing everything we've got," Caudill said at Derbycon. "If you're going to prove that there's a flaw, you need to release the material so people can defend against it."

Caudill's statement highlights a philosophical split among security researchers: those who elect to keep the flaws they find under wraps in order to protect the public directly, and others, who believe publishing their software exploits is the best way to put pressure on the industry to fix security flaws quickly.

In an interview with Wired, Caudill said even if this particular flaw isn't being used by garden variety hackers already, he believes well-funded organizations, like the NSA, may already have the capability and are using it.

Related: "Bash' Bug Could Be Bigger Than Heartbleed

"You have to prove to the world that it's practical, that anyone can do it … That puts pressure on the manufactures to fix the real issue," Caudill said. "If this is going to get fixed, it needs to be more than just a talk at Black Hat."

Because the malware is stored on the device's firmware, which controls the basic functionality of the device, it's very difficult to detect and can't even be deleted by clearing the storage contents. Caudill also demonstrated how the malware can be used to hide files and secretly disable password-protected security features.

Before last week's demonstration Nohl told Wired that he considered this exploit to be basically unpatchable. In order to mitigate against these types of attacks, he said, the entire security architecture would have to be rebuilt from the ground up with code that cannot be changed without the manufacturer's signature. Even then, he said, it could take more than a decade to get rid of vulnerable devices and smooth out all the new bugs.

Both research teams reverse engineered the firmware from USB devices made by Phison, a Taiwanese company and one of the largest USB device makers. Even if you don't use Phison devices yourself, your computer is still vulnerable, especially if you swap files with other users or happen to pick up a new free thumb drive at a business conference.

Related: JPMorgan Hack Exposed Data of 83 Million Homes and Small Businesses

Benjamin Kabin

Journalist

Benjamin Kabin is a Brooklyn-based technology journalist who specializes in security, startups, venture capital and social media.

Want to be an Entrepreneur Leadership Network contributor? Apply now to join.

Editor's Pick

Business News

These Companies Offer the Best Work-Life Balance, According to Employees

The ranking is based on Glassdoor ratings and reviews.

Business Ideas

63 Small Business Ideas to Start in 2024

We put together a list of the best, most profitable small business ideas for entrepreneurs to pursue in 2024.

Science & Technology

Use This Framework to Successfully Integrate AI Into Your Business Operations

Here's how to ensure both innovation and compliance when using AI in your organization.

Leadership

Why Your AI Strategy Will Fail Without the Right Talent in Place

Using fractional AI experts through specialized platforms allows companies to access top talent cost-effectively, drive innovation and scale agile strategies for growth.

Growing a Business

5 Effective Strategies to Boost Your Business's Online Presence

Boosting your online presence in 2025 is the key to success for businesses looking to grow. Working on your branding and reputation management is important to drive more sales and improve conversion.