BadUSB exploit affects more than half of USB devices

More than than 50% of the USB devices currently on the market are vulnerable to the BadUSB exploit. Which devices can be exploited remains unknown due to non disclosure of chips used in end products, according to the security researchers who discovered BadUSB. They disclosed the information during Pacsec, a security conference currently held in Tokyo.

In August the security researchers demonstrated the BadUSB exploit which works by modifying the firmware of a USB device in such a way that it can be used to attack a system and works on both Linux and Windows systems.

usb-drive

With BadUSB it’s possible to infect computers with malware using a manipulated USB device, the exploit can also be used to send keystrokes to the system or log all user actions. To measure the impact of the exploit, the researchers analysed all USB controller chips developed by the eighth largest USB controller developers. More than 50% of the chips were vulnerable to the attack. A major problem is that the researchers are unable to compile a list of safe products and that it’s it’s fairly impossible for the average consumer to identify safe products.

The researchers found that all USB storage controller of the Taiwanese company Phison are vulnerable. The chips of ASmedia aren’t. In case of the Taiwanese company Genesys the chips supporting USB 2.0 were not vulnerable, while chips supporting USB 3.0 were at risc. The devices that are immune to BadUSB aren’t immune by design. By coincidence the controllers can’t be reprogrammed making the exploit impossible, according to Wired.

Unfortunately manufacturers of computer devices don’t mention the used USB chips on the packaging. Some manufacturers also use different controllers in products with the same model name. If it’s up to the researchers, manufacturers should state on the packaging which USB controller chips they use.

The researchers also commented on criticism that the BadUSB exploit would only target Phison chips. “Some people have accepted that USB is insecure. Others remember BadUSB only as the Phison bug. That second group needs to wake up to the same level of awareness of the first group,” a researcher said. “For practical purposes, it affects potentially everything”.