When Karsten Nohl published his research on 21 July 2014, BadUSB spread throughout the media within hours. One had the feeling that the end of the world arrives at the door. Millions of potentially compromised USB sticks could take over control of all other USB devices.
But the worst is yet to come: We are utterly powerless! Antivirus products of whatever vendor could not block this kind of attack. As if we did not know, that Antivirus products are of limited value today.
My first reaction was: Keep cool! It’s just a proof of concept. It’s not in the wild! And the best is: It’s a very complex task, and therefore not lucrative for normal attackers.
Vulnerabilities in the handling of USB devices are not new. A search in the U.S. National Vulnerabilty Database (NVD) shows 4 high severity flaws in the past 18 month. Moreover, it is well-known that viruses are very often spread through USB devices. We all know the risk!
And even the vulnerabilities in onboard controllers are not new. Mathieu Stephan reports in his post ‘Hacking SD Card & Flash Memory Controllers’ from 29 December 2013 that the Firmware of SD Card’s was compromised. Take a look at the Video in his post.
Marshall Honorof’s post ‘Don’t Panic Over the Latest USB Flaw’ from 1 August 2014 saved my day.
At the end of his post Marshall sums it up: ‘Make no mistake: BadUSB is a fantastic proof-of-concept, and lays bare some serious problems with USB stick security. But, like anything else in the world of computing, you can avoid trouble using a little common sense.‘
To be honest, I expect a technical solution to the BadUSB trouble within the next month. Otherwise the USB stick market will collapse.
But in the meantime: Don’t Panic!