USB devices are perfect for this type of attack as they are versatile, compact and to the untrained eye will look completely untouched
By Harriet Geoghegan – Digital marketing strategist at Veridu
Computer hackers were always going to get more creative and cunning – with ever improving security software, but it seems they have just found their ideal hacking weapon. Something they are unwittingly slipping into our hands and convincing us to plug in to our own computers – like an elaborate, James Bond inspired plan. And most surprisingly, we’re referring to one of the most commonly used computer devices, something we all have and use regularly: the humble USB.
Researchers at Berlin’s SR Labs noted last recently a new type of hacker attack that they’re dubbing the ‘Bad USB’.
Hackers are secretly hiding malware inside the part of a USB designed for controlling the device. This firmware is then manipulated for purposes that the hacker can exploit. Experts are saying they didn’t see this coming, as innocent USB users worldwide are unknowingly plugging the infected devices into their computers, and inviting hackers into their lives
USB devices are perfect for this type of attack as they are versatile, compact and to the untrained eye will look completely untouched. A USB device contains controller chips that don’t show up easily when a user plugs it in, and are incredibly easy to reprogram; this compatibility-over-security design makes it easy to be infected with malware.
How are the hackers actually doing this?
An unknowing user inserts their USB flash drive into their computer and the anti-virus software won’t protest as it can’t detect the malware. The manipulated stick then behaves like a network card, meaning the now infected computer sends all its data via this “network card”. Once this has happened, it’s goodnight nurse to your saved and private files. The hacker can then copy all the data traffic, which researchers say create virtually infinite dangers.
But wait, it gets worse…
If the hacker has prepared the stick they can actually access the data they steal directly, without having to actually get the USB back – an Internet connection is all they need, and passwords are out the window.
Where infected USB’s are being used, hackers can also use them to install a keylogger, which records every keystroke made on the infected computer. Everything the user types is then stored. If it happens to you, you could be entering highly secure passwords and the key logger will record everything. This information is then sent in a nice neat data package once a day to the hacker.
Once this has happened, nothing on your computer is safe and experts are saying there is almost nothing they can do to prevent it from continuing to happen.
Here at Veridu we haven’t been friends with passwords for a while, something we have written about quite a bit lately. This is just one more reason why having a password is simply not sufficient to protect yourself anymore, and an outdated technology. If you’ve unwittingly used a USB like this, or been the victim of a password theft in one of the millions of other ways hackers try to attain our data, there are still a number of protections that are available if the sites/services you are logging into simply think out of the box.
We’re big proponents of working backwards from the problem, and creating the right solution, rather than looking at what’s traditionally been done and try to build on that. The traditional (and quite frankly, outrageously outdated) method of online security is to have a password. When it became apparent hackers were quite easily cracking them, people built on that, by trying to make them harder. By adding numbers, symbols, making them longer, encouraging us not to use the same password again, adding captcha codes, and trying to encrypt all the locations that passwords are stored.
The list goes on, and it is essentially a hacker’s checklist. Sure, it’s harder and takes longer, but they can still be cracked. So instead of trying to fix a fundamentally flawed issue, we’ve moved away from what’s at its core – one code to access data. Instead, we’ve looked at what can’t be faked, duplicated or hacked – and that’s your unique online behaviour. By combining a range of data points and processes, Veridu can accurately determine that it is you, truly you, and only you trying to access something and thus let you in. A hacker doesn’t know who your friends are to spot them, can’t fake all of the conversations you’ve had online with them over years and most of the time won’t be using your computer and phone together. Combine all of these things and it is pretty damn hard to fake. That’s what we call using social and behavioral data for identity, and what we know to be the way of the future for online security.
So if you used one of these “bad USBs”, but were accessing a platform that verified with Veridu instead of a password, your files could remain safe despite the hacker having your password, as they would but hit a brick wall when asked to verify your friends and family on Facebook. This is where using social data as a form of security can really save you.
Why is this new form of hacking unstoppable?
Unfortunately, no current anti-virus program can scan such a small infected area. The firmware runs rampant on your computer completely undetected and the manipulated USB device could also pretend to be a keyboard, a webcam, or even a network adapter, with no one noticing.
What is being done about this USB hacking scandal?
Karsten Nohl and Jakob Lell, security researchers at SR Labsplan, will discuss these attacks at next week’s Black Hat hacking conference in Las Vegas, in a presentation titled: “Bad USB – On Accessories that Turn Evil.
The researchers are saying it’s not really possible to protect against this kind of data theft at this stage. Unfortunately, their only suggestion right now is to simply ‘not use USB sticks’. Sure, it’s unhelpful advice, but at least they haven’t gone so far as to tell use to go back to using floppy disks!
What can I do to protect myself?
While it’s hard to see exactly when the USBs are being infected, we’d recommended not buying USB sticks from cheap stores, and sticking to reputable ones. While the problem is fairly new, it would be worth asking the sales staff if they can confirm that the USB sticks are secure and haven’t been hacked. We hope that retailers will soon issue statements about how they are resolving the issue, but that might be a bit ambitious on our part…
Make sure you’re only borrowing USB sticks from people you know and trust and in return don’t leave your USB in stores, Internet cafes or any location where there is an opportunity for someone to infect them.
We’ve all had a good relationship with the technology of the USB for over two decades, but it might be time to look into other ways of sharing and saving our information. With the multitude of online file sharing services, the discovery of this hacking method might have arrived at just the right time – a time when the USB isn’t as necessary as it once was.
We’re aware that it’s important to keep up to date with security systems and to be one step ahead of hackers. It pays to not be complacent with the security software that you currently have. If you do have concerns about your current user access systems then get in touch with the team at Veridu to see if we can tighten things up!
This post was originally published on the Veridu blog