BadUSB

BadUSB is a computer security attack using USB devices that are programmed with malicious software.^[1] For example, USB flash drives can contain a programmable Intel 8051 microcontroller, which can be reprogrammed, turning a USB flash drive into a malicious device.^[2]

The BadUSB attack was first revealed during a Black Hat talk in 2014 by Karsten Nohl, Sascha Krißler and Jakob Lell. Two months after the talk, other researchers published code that can be used to exploit the vulnerability.^[3] In 2017, version 1.0 of the USG dongle, which acts like a hardware firewall, was released, which is designed to prevent BadUSB style attacks.^[4]

Karsten Nohl stated: "It's the struggle between simplicity and security. The power of USB is that you plug it in and it just works. This simplicity is exactly what's enabling these attacks."^[5]

Author Catalin Cimpanu from ZDNet noted that the BadUSB attack is "incredibly rare". Though, in 2020, an attack was found in the wild where a hospitality provider was attacked using a fake gift card. The attack downloaded malware through a PowerShell command which was typed in through the programmed keystrokes in the flash drive.^[6]

References

^ Greenberg, Andy (July 31, 2014). "Why the Security of USB Is Fundamentally Broken". Wired. ISSN 1059-1028. Retrieved 2021-09-07.
^ Nohl, Karsten; Krißler, Sascha; Lell, Jakob. "BadUSB - On accessories that turn evil" (PDF). Archived (PDF) from the original on 2016-10-19.
^ Greenberg, Andy (October 2, 2014). "The Unpatchable Malware That Infects USBs Is Now on the Loose". Wired. ISSN 1059-1028. Retrieved 2021-09-07.
^ Doctorow, Cory (March 2, 2017). "USG: an open source anti-BadUSB hardware firewall for your USB port". Boing Boing. Archived from the original on 2017-03-03. Retrieved 2021-09-07.
^ Goodin, Dan (July 31, 2014). "This thumbdrive hacks computers. 'BadUSB' exploit makes devices turn 'evil'". Ars Technica. Archived from the original on 2017-09-09. Retrieved 2021-09-07.
^ Cimpanu, Catalin (March 26, 2020). "Rare BadUSB attack detected in the wild against US hospitality provider". ZDNet. Archived from the original on 2020-03-26. Retrieved 2021-09-07.

[1] Greenberg, Andy (July 31, 2014). "Why the Security of USB Is Fundamentally Broken". Wired. ISSN 1059-1028. Retrieved 2021-09-07.

[2] Nohl, Karsten; Krißler, Sascha; Lell, Jakob. "BadUSB - On accessories that turn evil" (PDF). Archived (PDF) from the original on 2016-10-19.

[3] Greenberg, Andy (October 2, 2014). "The Unpatchable Malware That Infects USBs Is Now on the Loose". Wired. ISSN 1059-1028. Retrieved 2021-09-07.

[4] Doctorow, Cory (March 2, 2017). "USG: an open source anti-BadUSB hardware firewall for your USB port". Boing Boing. Archived from the original on 2017-03-03. Retrieved 2021-09-07.

[5] Goodin, Dan (July 31, 2014). "This thumbdrive hacks computers. 'BadUSB' exploit makes devices turn 'evil'". Ars Technica. Archived from the original on 2017-09-09. Retrieved 2021-09-07.

[6] Cimpanu, Catalin (March 26, 2020). "Rare BadUSB attack detected in the wild against US hospitality provider". ZDNet. Archived from the original on 2020-03-26. Retrieved 2021-09-07.

[1]

[2]

[3]

[4]

[5]

[6]