Security researchers Karsten Nohl and Jakob Lell from SR Labs claim they've created proof-of-concept malware that can hide in the firmware of a USB memory stick. Nohl and Lell explain that the malware exploits the very way the USB protocol is designed, and claim there's no easy fix for the problem because it can't simply be patched.
Named BadUSB, their proof-of-concept is capable of pretty much anything, including taking over a PC, spying on you, invisibly altering files installed from the memory stick, and redirecting Internet traffic.
The worst part is that the malware can't be easily deleted: you need to reflash the firmware to get rid of it, and you can't even detect it without reverse engineering the firmware. The issue isn't limited to USB sticks; basically any USB device that can be infected can be the carrier for this new type of virus. Malware like BadUSB can travel both from a computer to a USB device and the other way around, but at present it's unknown if all USB devices are vulnerable. The researchers achieved their exploit on devices with Phison USB controllers, but it's unclear if attacks could be devised for USB controllers from other firms.
Most of us learned long ago not to run executable files from sketchy USB sticks. But old-fashioned USB hygiene can’t stop this newer flavor of infection: Even if users are aware of the potential for attacks, ensuring that their USB device’s firmware hasn’t been tampered with is nearly impossible. The devices don’t have a restriction known as “code-signing,” a countermeasure that would make sure any new code added to the device has the unforgeable cryptographic signature of its manufacturer. There’s not even any trusted USB firmware to compare the code against.
The element of Nohl and Lell’s research that elevates it above the average theoretical threat is the notion that the infection can travel both from computer to USB and vice versa. Any time a USB stick is plugged into a computer, its firmware could be reprogrammed by malware on that PC, with no easy way for the USB device’s owner to detect it. And likewise, any USB device could silently infect a user’s computer. “It goes both ways,” Nohl says. “Nobody can trust anybody.”