"Are you sitting down? Good. ‘Cause I’ve got some really bad, scary news to share with you: Every single device plugged into a USB port on your computer could pose a threat worse than any malware we’ve ever seen." http://venturebeat.com/2014/07/31/why-you-can-no-longer-trust-any-usb-device-plugged-into-your-pc/

Yes this is not so new. Rewriting firmware to deliver viruses has been done before. The difference is that mostly people only use thumb drives in multiple machines, and they have very little firmware on them - so have very little space to place it  (note: they can't use normal file space as virus scanners will see it - it has to be loaded to EPROM on the device). Most (all) thumb drives run off of drivers - most use standard drivers that comes with the OS - or are downloaded immediately. Other devices often have disk based drivers (which would be virus scanned anyway on loading).

 

So, what then does the infected firmware do? Remembering it will be very small and low level (machine code), it is limited in just what it can do. It could pretend to be something else, like a keyboard and sendkey key presses to the machine and cause it to shut down perhaps. At worse it could drop a worm that could cause havoc, except that you up to date virus checked stops the worm in its tracks (it is now a memory resident and/or file resident virus/malware and easy prey for the virus scanner).

 

Think of it this way. It is reported that a new way to smuggle a gun aboard an airplane is detected - travellers become scared. Turns out that only very small guns can be taken through, and disassembled. The gun could still get aboard, and if re-assembled, even though small, could cause some damage. Problem is, you can't assemble it without being seen and arrested.

Wow...providing physical access to your machine allows a security concern...who'd thunk?

OK, so USB is now as officially scary as a bootable floppy was back in the 90's :P

Not just USB flash drives but any USB device with a controller. The article linked by the OP is echoed in several other, more techie mags. What can it do? Quoting from the link:

 

" “It can do whatever you can do with a keyboard, which is basically everything a computer does.”

Perhaps the most disturbing part of what Nohl and Lell have dubbed the “BadUSB” exploit is that it can pass from USB device to PC and then from PC to USB device completely untraced and invisible. “You can give it to your IT security people, they scan it, delete some files, and give it back to you telling you it’s ‘clean,’”

The Black Hat conference is a month away and should bring out more info.

 

http://www.tomsguide.com/us/badusb-dont-panic,news-19258.html

The biggest threat from USB's is ninnies running XP with Autoplay turned on.

 

http://www.pandasecurity.com/uk/homeusers/downloads/usbvaccine/

This has nothing to do with Autoplay (as bad as Autoplay is). 

 

This is a trojan that can turn a normal USB stick into a malware USB stick.

 

The malware USB stick pretends to be a keyboard to the computer. And enters thousands of keystrokes in a second which is basically an executable program which can do whatever it wants on your system. 

 

The researchers say this cannot be detected or prevented by current AV programs - I agree.

 

Some things a keyboard connected to a computer can do:

- Turn off your AV program, or modify it so it won't cause alarm

- Get admin rights via various other exploits

- Install itself as part of the boot process

- Download more code from the internet

 

I can imagine future AV programs could protect against false USB devices. For example rate-limit the keyboard to typing speed.

This has nothing to do with Autoplay (as bad as Autoplay is). 

 

I never said it was.

I said that was the biggest threat as far as USB was concerned.

 

The infection vector for Stuxnet no less.

Eweek put it in perspective:
 

While the Security Research Labs researchers claim there are few defenses, the truth is somewhat different.

A reprogrammed USB device can have certain privileges that give it access to do things it should not be able to do, but the bottom line is about trust. On a typical Windows system, USB devices are driven by drivers that are more often than not signed by software vendors. If a warning pops up on a user's screen to install a driver, or that an unsigned driver is present, that should be a cause for concern.

As a matter of best practice, don't plug unknown USB devices into your computing equipment. It's just common sense, much like users should not open attachments that look suspicious or click on unknown links. The BadUSB research at this year's Black Hat USA conference is not as much a wake-up call for USB security as it is a reminder of risks that have been known for years.

 

 

Hackers can tap USB devices in new attacks, researcher warns

BY JIM FINKLE

BOSTON Thu Jul 31, 2014 6:35pm IST

 

(Reuters) - USB devices such as keyboards, thumb-drives and mice can be used to hack into personal computers in a potential new class of attacks that evade all known security protections, a top computer researcher revealed on Thursday.

 

Karsten Nohl, chief scientist with Berlin's SR Labs, noted that hackers could load malicious software onto tiny, low-cost computer chips that control functions of USB devices but which have no built-in shields against tampering with their code.

 

"You cannot tell where the virus came from. It is almost like a magic trick," said Nohl, whose research firm is known for uncovering major flaws in mobile phone technology.

 

Read more: http://in.reuters.com/article/2014/07/31/cyber-security-usb-attack-idINKBN0G00MD20140731