USB devices such as thumb drives can be exploited to infect computers with malware in a way that cannot be easily discovered or prevented. The problem arises from the lack of protection for the firmware that runs on the microcontroller inside USB devices, and this was demonstrated in practice by Karsten Nohl, the founder and chief scientist of Berlin-based Security Research Labs. The research will be presented as a topic of debate at the Black Hat security conference in Las Vegas next week.
The research showed that any malware program can replace the firmware on a USB device by using Small Computer System Interface (SCSI) commands and make the device act as another kind of USB device, such as a keyboard. This virtual keyboard can then be used to emulate key presses and send commands to download and execute malware programs, or to create a conducive environment for hacking activities.
According to the material Security Research Labs provided to the media, USB devices cannot offer both the versatility of the standard and security at the same time. Although the greatest feature of USB is its ‘plug and play’ capability, that same capability is also what makes it vulnerable.
The researchers at Security Research Labs said that there is no easy fix for this problem. They looked at different approaches, but none met the required standard. One was to fix the issue in the USB specification by devising a secure pairing process. But that did not work in practice and would need many years to be developed to the expected level.
The other way is to adjust the OS so that it asks users to confirm the addition of new USB devices to their computers and then remembers the approved devices, something along the lines of a USB firewall. But this might not be practical, as USB devices use a string of zeros for their serial number and there is no way for the OS to recognize an individual device.
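The allowlist idea and its serial-number limitation can be seen in a small sketch. This is an added example, not code from Security Research Labs or any operating system; the device values are constructed, and the interface-class comparison goes beyond the text as one assumed way an OS could notice an approved drive that starts presenting a keyboard.

```python
from dataclasses import dataclass

MASS_STORAGE, HID = 0x08, 0x03  # USB interface class codes

@dataclass(frozen=True)
class UsbDevice:
    vid: int
    pid: int
    serial: str
    interface_classes: frozenset

def identity(dev):
    """Key a 'USB firewall' would have to use to remember a device."""
    return (dev.vid, dev.pid, dev.serial)

def has_unique_serial(dev):
    """False for empty or all-zero serials, which many devices share."""
    s = dev.serial.strip()
    return bool(s) and set(s) != {"0"}

class UsbAllowlist:
    def __init__(self):
        self._approved = {}  # identity -> interface classes seen at approval
    def approve(self, dev):
        self._approved[identity(dev)] = dev.interface_classes
    def check(self, dev):
        approved = self._approved.get(identity(dev))
        if approved is None:
            return "prompt-user"           # never seen: ask for confirmation
        if not dev.interface_classes <= approved:
            return "block-new-interface"   # e.g. a drive that now adds a keyboard
        if not has_unique_serial(dev):
            return "allow-ambiguous"       # cannot tell this unit from its twins
        return "allow"

# Constructed sample devices (vendor/product IDs and serials are made up).
DRIVE_A = UsbDevice(0x1234, 0x5678, "0000000000000000", frozenset({MASS_STORAGE}))
DRIVE_B = UsbDevice(0x1234, 0x5678, "0000000000000000", frozenset({MASS_STORAGE}))
REFLASHED = UsbDevice(0x1234, 0x5678, "0000000000000000", frozenset({MASS_STORAGE, HID}))
SERIALIZED = UsbDevice(0x1234, 0x5678, "A1B2C3D4", frozenset({MASS_STORAGE}))

def demo():
    """Approve only DRIVE_A, then check three other devices against the list."""
    fw = UsbAllowlist()
    fw.approve(DRIVE_A)
    return {name: fw.check(dev) for name, dev in
            [("drive_b", DRIVE_B), ("reflashed", REFLASHED), ("serialized", SERIALIZED)]}

if __name__ == "__main__":
    print(demo())
```

A second, never-approved drive with the same all-zero serial is accepted as if it were the approved one, which is the limitation described above. Descriptors are reported by the device's own firmware, so the interface-class check narrows the problem rather than solving it.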
The last place to fix this issue would be in the USB microcontrollers, where firmware updates would be required to be digitally signed, or some kind of software lock could be implemented to eliminate the mechanism for rewriting the firmware. But this needs to become a standard practiced by USB device manufacturers, and that may not be possible in the near future.
Finally, the only way to curb this issue to a certain extent will be to educate users on the risks and on the precautions to follow when plugging USB devices into their computers. But educating consumers may not be possible in the near future, and so attention now turns to the manufacturers for a proper resolution of this issue.