Don’t Panic Over the Latest USB Flaw
In 1979, Douglas Adams wrote the immortal guiding principle of The Hitchhiker’s Guide to the Galaxy: DON’T PANIC. Computer users would be wise to heed those words regarding the BadUSB malware that made headlines yesterday by being able to compromise almost any computer. Yes, it’s bad, but it’s not as bad as you might think.
In case you missed it, BadUSB is malware that hides in the firmware of USB drives. Security researchers Karsten Nohl and Jakob Lell will present their full findings on the software, which they created, next week at the Black Hat USA security conference in Las Vegas.
MORE: 13 Security and Privacy Tips for the Truly Paranoid
Wired wrote that malware of this type could cause an “epidemic.” Nohl told Reuters that BadUSB functioned like a “magic trick.” Publications from ZDNet to VentureBeat predicted apocalyptic consequences for BadUSB.
But take a deep breath, because BadUSB is not likely to open the floodgates to a computing cataclysm — or, at least, not likely to open them any wider.
First things first: BadUSB is a proof-of-concept attack, designed by security researchers. They’re not going to release it into the wild, and most malicious hackers (who lack both the resources and know-ho to design something similar) would rather rely on tried-and-true phishing and malware attacks. These attacks are easy to avoid with a little common sense and even the most rudimentary antivirus software.
Furthermore, demonstrating something like BadUSB at a conference like Black Hat is basically an open invitation for the security community to fix this vulnerability before it becomes widespread. With some of the world’s foremost researchers and hackers on the case, prophylactic and curative measures won’t be too far behind.
Perhaps the most important point is that USB sticks compromising PCs is nothing new; it’s actually the easiest way for malefactors to get ahold of your system. Any public computer is susceptible to sneaky USB-based malware (and, in fact, most hotel computers are just ripe for hacking). Even so, USB hacks are relatively uncommon, compared to online ones.
The reason why is because USB attacks — even sophisticated ones like BadUSB — are extremely easy to prevent. If you own a private computer, you control who has access to it. If you buy a new USB stick, it will not come with any unwanted software. Simply use your judgment when accepting sticks from friends or third parties, and you’re not likely to contract any malware.
Make no mistake: BadUSB is a fantastic proof-of-concept, and lays bare some serious problems with USB stick security. But, like anything else in the world of computing, you can avoid trouble using a little common sense.
Tom’s Guide