A new report claims that devices that are plugged into USB ports, such as flash drives and keyboards, can be reprogrammed by hackers to deliver cyberattacks.
The vulnerability, which has been named BadUSB, may be exploited by attackers to insert software into the controller chips of USB devices. While that may seem frightening, it's actually worse than it sounds. There is no way to defend against the security flaw, since USB devices do not have built-in defenses against the alteration of their code.
According to researchers from German research firm SR Labs, the security hole became a possibility because of the versatility of USB devices, which can connect to devices for different purposes, such as storage, input and battery charging.
"Once infected, computers and USB peripherals can never be trusted again," said SR Labs researchers Karsten Nohl and Jakob Lell in a blog post.
"No effective defenses from USB attacks are known. Malware scanners cannot access the firmware running on USB devices. USB firewalls that block certain device classes do not (yet) exist. And behavioral detection is difficult, since a BadUSB device's behavior when it changes its persona looks as though a user has simply plugged in a new device."
BadUSB works by emulating a keyboard and executing commands. Once a USB device has been reprogrammed, it can be used by hackers to install malware and steal files. Once malware is successfully inserted into the system, it can then transfer itself into the controller chips of other USB devices that are connected to the same computer.
Aside from disguising itself as a keyboard, BadUSB can also imitate a computer's network card to redirect traffic through changes in its DNS settings. If a user attempts to reboot the system, the infected computer or USB drive would insert a virus into the OS before booting.
The usual tactic for rehabilitating compromised computers, such as reinstalling the operating system, does not patch the vulnerability at its roots. At that point, the security flaw may have already inserted itself into USB drives and other parts such as computer webcams. The worst-case scenario is when BadUSB replaces the computer BIOS, which is responsible for loading the operating system from the device's memory.
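The persona changes described above (a storage device that shows up as a keyboard or a network card) leave a trace in the host's record of USB enumerations. The sketch below is an added example, not code from SR Labs or the report: it scans constructed enumeration events and flags storage devices that expose, or shortly afterwards switch to, input or network interface classes. The event format, the port names, the vendor/product ids and the 300-second window are assumptions, and the result is a heuristic for review, since legitimate composite devices also exist.

```python
# USB-IF base class codes as reported in bInterfaceClass
MASS_STORAGE, HID, CDC_COMM, CDC_DATA = 0x08, 0x03, 0x02, 0x0A
SENSITIVE = {HID: "HID (keyboard/input)", CDC_COMM: "CDC (network)",
             CDC_DATA: "CDC-Data (network)"}
WINDOW_S = 300  # assumption: a re-enumeration this soon on one port is the same device

# Constructed sample events: (seconds, port, "vid:pid", interface classes)
EVENTS = [
    (10, "1-2", "abcd:0001", {MASS_STORAGE}),
    (95, "1-2", "abcd:0001", {HID}),                     # stick returns as a keyboard
    (20, "1-3", "abcd:0002", {HID}),                     # ordinary keyboard
    (30, "1-4", "abcd:0003", {MASS_STORAGE, CDC_COMM}),  # storage plus network
    (40, "1-5", "abcd:0004", {MASS_STORAGE}),
    (50, "1-5", "abcd:0004", {MASS_STORAGE}),            # replug, same persona
    (60, "1-6", "abcd:0005", {MASS_STORAGE}),
    (9000, "1-6", "abcd:0006", {HID}),                   # different device, hours later
]

def names(classes):
    """Human-readable names for a set of sensitive class codes."""
    return ", ".join(SENSITIVE[c] for c in sorted(classes))

def find_suspicious(events, window=WINDOW_S):
    """Flag storage devices that expose, or later switch to, input/network classes."""
    last = {}       # port -> (timestamp, classes) of the previous enumeration
    findings = []
    for ts, port, ident, classes in sorted(events, key=lambda e: e[0]):
        risky = classes & set(SENSITIVE)
        prev = last.get(port)
        if MASS_STORAGE in classes and risky:
            # One device presenting storage and an input/network role at once
            findings.append((ts, port, ident, "composite", names(risky)))
        elif prev and ts - prev[0] <= window and MASS_STORAGE in prev[1]:
            # Port held a storage device moments ago and now reports a new role
            gained = risky - prev[1]
            if gained:
                findings.append((ts, port, ident, "persona-change", names(gained)))
        last[port] = (ts, classes)
    return findings

if __name__ == "__main__":
    for finding in find_suspicious(EVENTS):
        print(finding)
```

The check keys on the physical port rather than on vendor/product ids, because reprogrammed firmware controls every descriptor the device reports.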