Embedded within USB devices—from thumb drives through keyboards to smartphones—is a controller chip which lets the device and the computer it's connected to exchange information. It's this that Nohl and Lell have targeted, which means their malware doesn't sit in flash memory, but rather is hidden away in firmware, undeletable by all but the most technically knowledgeable. Lell explained to Wired:
"You can give it to your IT security people, they scan it, delete some files, and give it back to you telling you it's 'clean'... [But these] problems can't be patched. We're exploiting the very way that USB is designed."
The kicker is that it's virtually impossible to check whether a device's firmware has been tampered with, and even if it was, there's no single trusted version of it to check against. It's also worth pointing out that it can travel both ways: a USB stick could infect a computer with its malware, say, and the PC could then infect any USB device plugged into it.
So it's fairly worrying that the pair of researchers have demonstrated—and will present at the upcoming Black Hat security conference in Las Vegas—that the flaw can be exploited on thumb drives, mice, keyboards and even an Android smartphone. (It should, in theory, work on any USB device that can have its firmware reprogrammed.) Some of Wired's sources even speculate that the NSA could already be using the hack.
That's a lot of bad news—so what can you do about it? Technically speaking, very little: there's no patch of code that can be used to solve the problem. Instead, both the USB Implementers Forum and the researchers point out that a change in the way we use USB is the only solution: don't plug a USB device into any computer you don't 100 percent trust, and don't plug an untrusted USB device into your computer either. That may prove inconvenient—but it may also save you from a very nasty surprise.
source: gizmodo.com by Jamie Condliffe