We’ve been hearing about the “Heartbleed” vulnerability involving OpenSSL that was considered to be the most widespread internet loophole earlier this year, only to be replaced by the Shellshock vulnerability that took the Web by surprise within the last week or so.
The Shellshock vulnerability has been compared to the Heartbleed vulnerability in its destructiveness, confirming the worst for consumers: that the Internet is full of loopholes that can be exploited by hackers worldwide.
We’d been told that the American government was using USB sticks to spy on Chinese officials and military personnel, but we now have confirmation that USB sticks do contain vulnerabilities that can also become the target of future exploits – at least certain USB sticks, anyway.
The USB loophole, known as the BadUSB vulnerability, was created by security researchers who wanted to show that a USB stick is a mini computer that, like all computers, is susceptible to attack and destruction when placed in the hands of hackers. The security researchers unveiled the BadUSB vulnerability at the Las Vegas Black Hat Security Conference two months ago.
At the DerbyCon hacker conference in Louisville, Kentucky last week, security researchers Adam Caudill and Brandon Wilson decided not only to replicate the same USB vulnerability as the Black Hat researchers, but also to publish it on GitHub – leaving millions of devices worldwide that can be controlled remotely by hackers.
Caudill and Wilson decided to release the USB vulnerability to the public so that USB manufacturers will do something about the problem and find a solution: “If this is going to get fixed, it needs to be more than just a talk at Black Hat. If the only people who can do this are those with significant budgets, the manufacturers will never do anything about it. You have to prove to the world that it’s practical that anyone can do it…That puts pressure on the manufactures [sic] to fix the real issue,” Adam Caudill said in a recent interview.
Caudill and Wilson were able to show that the malware inserted in USB sticks by a hacker can then be used to control the keystrokes of a keyboard attached to a computer. The duo also showed that malware passed from the USB stick can disable the security feature of a USB stick without warning, or hide within invisible code that dodges flash storage and thus isn’t susceptible to deletion.
So far, the BadUSB vulnerability only affects USB sticks manufactured by Taiwanese USB production company Phison. Phison has said that its USB sticks aren’t susceptible to malware and hacking, but these same USB sticks have been known to affect every device they connect to. USB sticks, similar to the floppy disks of old, can infect any device they’re placed into – and the same USB ports on computers, once infected, can then infect new USB sticks that are placed into them. Essentially, any USB port worldwide could be the target, and all USB sticks could become infected.
We’ve heard that the NSA could hack into home Wi-Fi networks, USB cables, and even mobile operating systems such as Android and iOS – but this beats everything. We understand Caudill and Wilson’s commitment to making manufacturers aware of the issue, but could we see a future hacker attack similar to the one involving JPMorgan Chase? At this point, anything’s possible.