Your USB Devices Aren’t Safe Anymore, Thanks To BadUSB

Matthew Hughes 07-10-2014

If you bought a computer before 1997, you probably noticed that the back was a pock-marked mess of connectors and ports. And if you bought a new printer and scanner, odds were good it would only work with a certain type of port. And if the pins on the connector broke, your device was worthless. It was a nightmare. And then USB arrived.


Universal Serial Bus (USB) was created by a consortium of seven major technology companies, all hoping to solve one important question: ‘How do I connect this device to my computer?’. Almost 20 years later, USB has reached a level of absolute ubiquity.

This ubiquity has been both a blessing and a curse. Whilst USB has made using peripherals and removable storage trivially easy and convenient, a vulnerability in USB was recently discovered that makes every computer in the world vulnerable. It’s called BadUSB, and you need to know about it.

Meet BadUSB

The earth-shattering revelation that USB isn’t as secure as first thought was first disclosed by security researchers Karsten Nohl and Jakob Lell in July 2014. The malware they created – dubbed BadUSB – exploits a critical vulnerability in the design of USB devices, which allowed them to hijack a user’s Internet traffic, install additional malware and even surreptitiously gain control of a user’s keyboard and mouse.

The BadUSB malware isn’t stored on the user-accessible storage partition, but rather in the firmware of a USB device – including keyboards, phones and flash drives. This means that it’s virtually undetectable to conventional anti-virus packages, and can survive the drive being formatted.



Fortunately, would-be attackers have been unable to take advantage of BadUSB, due to Nohl and Lell not publishing the code in order to give the industry an opportunity to ready a fix. Until recently, that is.

In a talk given at DerbyCon – a computer security conference held in Louisville, Kentucky – Adam Caudill and Brandon Wilson demonstrated their successful reverse-engineering of BadUSB, and published their exploit code on code-sharing platform GitHub.

The motivation behind releasing BadUSB was simply to spur on a notoriously slow-moving industry to add some security to how USB works. But, this means that from this point onwards, USB is no longer safe.

But when one looks at the history behind USB, one realizes that USB has never been especially secure.


USB As An Attack Vector

The term ‘attack vector’ refers to the path taken by an attacker in order to compromise a computer. These range from malware, to browser exploits (such as the one recently found in the stock browser on Android), to vulnerabilities in software already installed on the computer (much like Shellshock).


The use of a USB flash drive as a potential attack vector isn’t especially new or uncommon. For years, hackers have dropped USB drives in public areas, just waiting for someone to plug them in and unlock the nasties stored within. Just ask Dutch chemical firm DSM.

In 2012, they reported finding flash drives that had been intentionally dropped in their parking lot. Upon examination, they were found by DSM’s internal IT staff to contain malware which was set to auto-run and harvest login credentials, potentially giving an attacker access to privileged and confidential information.


If one looks even earlier, we can see malware that specifically took advantage of the SanDisk U3 flash drives. Discontinued in 2009, this line of consumer USB drives contained a partition which ‘tricked’ the computer into thinking it was a CD-ROM. This streamlined the process of installing and managing portable applications, but also meant that it would auto-run whatever was stored in this partition. A package of malware (called the USB Switchblade) was developed that allowed an attacker with physical access to a post-Windows 2000 computer running with root to obtain password hashes, LSA secrets and IP information.

An exploration of how to create a USB Switchblade is found in the above video.

Of course, any USB-based attack can be easily thwarted by avoiding plugging in devices that you don’t personally own, which brings me on to how you can protect yourself against future BadUSB-based attacks.

How To Stay Safe

I’ve got some bad news. It’s going to be incredibly challenging to fight any attacks that are based upon the BadUSB exploit. As it is right now, there are no firmware-level security systems for USB. A long-term fix to the issue would require a significant update to the USB standard, the most recent of which was USB Type-C. This would still leave thousands with older hardware lacking the update vulnerable.


So, what can you do? Well, it’s still very early days, but there’s one fix that’s guaranteed to protect you from BadUSB. Simply put, you’ve got to have your wits about you. If you see a USB drive lying about, ignore it. Don’t share USB drives. Don’t let people put untrusted USB devices in your computer.
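
One check a defender can add on a Linux host, shown here as an added example that is not part of the original article: list the interface classes each attached USB device declares and flag anything that presents itself as storage and also as a keyboard, mouse or network adapter, the behaviours described above. It reads the standard sysfs `bInterfaceClass` attribute; the function names and the sample tree are constructed for illustration, and the check sees only what a device declares to the host, not its firmware.

```python
import os
import tempfile

# bInterfaceClass values as sysfs prints them (two lowercase hex digits).
CLASS_NAMES = {
    "02": "communications (CDC)",
    "03": "HID (keyboard/mouse)",
    "08": "mass storage",
    "09": "hub",
    "0a": "CDC data",
    "e0": "wireless controller (incl. RNDIS)",
}
STORAGE = "08"
# Classes that let a device send keystrokes or act as a network adapter.
INPUT_OR_NETWORK = {"02", "03", "0a", "e0"}


def read_attr(path):
    """Return a sysfs attribute as stripped text, or '' if unreadable."""
    try:
        with open(path, encoding="ascii", errors="replace") as fh:
            return fh.read().strip()
    except OSError:
        return ""


def interface_classes(sysfs_root):
    """Map each USB device name to the set of interface classes it declares."""
    devices = {}
    for entry in sorted(os.listdir(sysfs_root)):
        # Interface entries look like "1-2:1.0"; device entries have no colon.
        if ":" not in entry:
            continue
        dev = entry.split(":", 1)[0]
        cls = read_attr(os.path.join(sysfs_root, entry, "bInterfaceClass")).lower()
        if cls:
            devices.setdefault(dev, set()).add(cls)
    return devices


def audit(sysfs_root="/sys/bus/usb/devices"):
    """Return devices that declare mass storage plus an input/network class."""
    findings = []
    for dev, classes in sorted(interface_classes(sysfs_root).items()):
        unexpected = classes & INPUT_OR_NETWORK
        if STORAGE in classes and unexpected:
            product = read_attr(os.path.join(sysfs_root, dev, "product"))
            findings.append({
                "device": dev,
                "product": product or "unknown",
                "classes": sorted(classes),
                "unexpected": sorted(unexpected),
            })
    return findings


def build_sample_tree(root):
    """Write a constructed sysfs-like tree (sample data, not a real capture)."""
    sample = {
        "usb1": ("Constructed root hub", {"1-0:1.0": "09"}),
        "1-1": ("Constructed flash drive A", {"1-1:1.0": "08"}),
        "1-2": ("Constructed flash drive B", {"1-2:1.0": "08", "1-2:1.1": "03"}),
        "1-3": ("Constructed keyboard", {"1-3:1.0": "03"}),
    }
    for dev, (product, interfaces) in sample.items():
        os.makedirs(os.path.join(root, dev))
        with open(os.path.join(root, dev, "product"), "w") as fh:
            fh.write(product + "\n")
        for iface, cls in interfaces.items():
            os.makedirs(os.path.join(root, iface))
            with open(os.path.join(root, iface, "bInterfaceClass"), "w") as fh:
                fh.write(cls + "\n")


def demo():
    """Run the audit against the constructed tree and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return audit(root)


if __name__ == "__main__":
    for f in demo():
        names = ", ".join(CLASS_NAMES.get(c, c) for c in f["classes"])
        print(f"REVIEW {f['device']} ({f['product']}): declares {names}")
```

A hit is a prompt for review rather than a verdict: some legitimate composite devices declare storage alongside other classes.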

Don’t Have Nightmares

Although BadUSB is incredibly frightening, it’s important to put the risk in perspective. USB has never had a huge amount of popularity as an attack vector. Furthermore, at the time of writing, there are no documented examples of BadUSB-based attacks ‘in the wild’.

I’d still love to hear your thoughts. Worried about BadUSB? Got any thoughts? Let’s chat. The comments box is below.


  1. L. McNeely
    November 16, 2014 at 5:25 pm

    Gee, thanks for the info. I had no idea. WOW, I'll bet that thousands of bored hackers will
    start to work after learning about this. Perhaps, sometimes, it's best that things are left unsaid.

  2. Frank
    November 15, 2014 at 6:22 am

    I enjoyed your article. Reminds me of Stuxnet and also that batch of USB LCD photo frames that would "phone home" kind of like a bot.

  3. lott
    October 21, 2014 at 4:11 am

    Oh, by the way,
    For those that rent PC's for a living or cafe’s, what you can do is post no USB due to security.
    But you can sell a new USB drive, you can find them from China or Taiwan dirt cheap.
    1GB, 2GB, 4GB in bulk you can get them $1.00 $2.00 plus they will even put your logo on them.

  4. lott
    October 21, 2014 at 3:48 am

    Most anti-malware or anti-virus just will not work,
    They all use a database to compare for any of those exploits.
    The best thing that you can do is block it on your machine.
    The second thing is have a sacrificial machine to test for those exploits that would look for them.
    Let's say like a BeagleBone, Raspberry Pi, viva la vida, to have code look for it.
    But to protect yourself and your PC partially try this software and it is free. Phrozen Safe USB 2.0
    this is not a promo, I have had tools like this for years, to stop self run exploits.
    I just looked it up on the net, I got 12 hits, and this one just looks like the simplest one to use.
    The only difference is that I just add the code to my machines.
    Hope this helps and good luck

  5. Paul Coleman
    October 16, 2014 at 12:50 pm

    Thanks for an interesting article. I hope to see more from you on this subject.

    It's annoying enough to deal with self-anointed computer experts, without being flamed by self-anointed editors.

    Those who attempted to correct your article are not quite paragons of English usage. I noticed the following grammar and usage errors among the alleged corrections.
    Improper use of hyphens and ellipses
    Improper capitalization
    Sentences without subjects
    Run-on sentences
    Awkward sentence constructions
    Missing and superfluous punctuation (in the same paragraph)
    Failure to use a dictionary
    These people seem to live in glass houses.

    • Matthew Hughes
      October 19, 2014 at 6:47 pm

      Paul, you rock. Thanks for your kind words, and your support.

  6. michael
    October 15, 2014 at 10:09 pm

    Do you know how to measure the size of the firmware (in "bits") installed on a device? If compared to a manufacturer's reported firmware size (in "bits") in a "sandboxed" machine or maybe a machine w/no hard drives and 1 optical drive with a non writable Live CD it should be very easy to tell the difference between the two without risking more than the CD drive firmware... or no?

    • Matthew Hughes
      October 19, 2014 at 6:45 pm

      I'm actually not sure. There's a standard for it, but I can't find it!


  7. michael
    October 15, 2014 at 9:48 pm

    @ mizrable,
    "so far so good"? You don't have anything on your system that can detect if you're infected or not. As for not leaving it plugged in all the time, it could infect your system before you got your hand off the drive. You "wiped the drive and then formatted it". That did absolutely nothing to get rid of the malware, if it was infected. You have to flash the firmware (which is not that hard, if you can get a clean copy from the manufacturer and an interface device and a program to get into the eeprom, if they even have eeprom) of the infected device, if someone comes up with a way for "everyday joe" to be able to detect the germ.

  8. michael
    October 15, 2014 at 9:20 pm

    thanks Matthew

    • Matthew Hughes
      October 19, 2014 at 6:47 pm

      You're welcome!

  9. michael
    October 15, 2014 at 9:19 pm

    @ Stu,
    Formatting does not erase firmware. That is where the m/ware is hidden. Who says it can't relocate to your optical drive firmware after gaining access to your computer? You can format and reinstall or reimage and solve nothing.

    @... ,
    "been no REPORTED cases in the wild". If none of the A/V products can detect it, who or what could do the reporting?
    Seems that quite a few computer users can't even tell when their computer has been turned into a spambot zombie and their net usage is maxed out or don't know the difference between fake/rogue A/V alerts and their own installed A/V product.
    This should spread easier than cheap syrup in the middle of August... provided the germscum get their act together.

    • Matthew Hughes
      October 19, 2014 at 6:44 pm

      Probably. Thanks for your comment, Michael!

  10. SomeDude
    October 15, 2014 at 1:06 am

    This isn't malware, it's just a way to re-write the BIOS of a flash drive. One thing that I hate about makeuseof is that they always over-exaggerate EVERYTHING

    • Matthew Hughes
      October 15, 2014 at 1:08 pm

      You're wrong.

      1.) Flash drives don't have BIOS. They have firmware.
      2.) It doesn't just affect flash drives.
      3.) Malware is code that performs an unauthorized, undesired and harmful action. Any way you look at it, this is malware.

  11. Brad Begas
    October 12, 2014 at 8:50 am

    Been to your local Library of late, well I have and they have banned the use of USBs' in their systems, so I had to send my info via email back to me.

    • Matthew Hughes
      October 19, 2014 at 6:46 pm

      Aye, that's a common story.

      Thanks for your comment Brad!

  12. Stu Mountjoy
    October 11, 2014 at 10:55 pm

    My standalone computer - which has USB slots and uses a flash drive - is safe. LOL. But more importantly, it is a TESTBED system, which means IF bad things happen (and they do, from time to time) I can re-install off a CDROM or boot-able factory-image recovery disks (all 7 of them, phew).

    • Matthew Hughes
      October 19, 2014 at 6:46 pm

      Your setup is interesting. I'd love to hear more about it!

    • Stu Mountjoy
      October 19, 2014 at 11:44 pm

      I use it mainly for 'testing' (as in, playing with) any new software I am planning to use in a productive manner. The only downside is that I am NOT connected to the Internet at all. And the other day a friend had to re-apply the thermal grease, between the CPU and the heatsink. LOL.

  13. Mizrable
    October 10, 2014 at 6:14 pm

    Recently purchased a 128 GB thumb drive on E-Bay for $10. The seller stated it would come directly from China. The seller had a good rating so I decided to give it a try. Took unusually long to arrive and while waiting I had considered the possibility of it being a Trojan Horse so to speak. When it arrived I ran a wipe of the drive and then reformatted it. Came out to be a little more than 125 GB useable. I only purchased the drive to make system images of my computers when things go astray so the data on the drive isn't sensitive and isn't left into a USB port at all times. So far so good, but you have heightened my concern over this purchase. Perhaps it's best I destroy this stick and lose $10 rather than a much worse loss.

    • Matthew Hughes
      October 19, 2014 at 6:44 pm

      It's unlikely, but possible. Again, these are very early days. Alas, verifying your drive is safe is hard at this very, very early stage.

      It's your call man.

  14. Claire
    October 10, 2014 at 4:36 pm

    I wonder if it would be possible to have a device to plug your usb drives into that would check the firmware for this exploit.
    I just came back from a trade show in which USB drives with show material on them were given out. This is not uncommon. And as someone mentioned, buying USB devices on eBay has become a risk. If there were a device or a program designed to scan the firmware - surely there is some tell-tale code that could be detected?

    • Matthew Hughes
      October 19, 2014 at 6:42 pm

      Yeah, that's definitely common.

      There are tools that check the storage volume for malware. Bitdefender has one such program.

      For firmware-based threats? No idea.

  15. Mike A.
    October 10, 2014 at 2:08 pm

    The only question I have no one seems to have hit on is if you plugged in a BadUSB while operating in a virtual environment would the USB's malware still work? Furthermore is it even detectable at this point? So how would you know whether the USB is good or not.

    • Matthew Hughes
      October 19, 2014 at 6:41 pm

      In the virtual environment? Probably not, as the USB connection itself is virtualized by the computer. On the host? Probably.

  16. Vicky
    October 10, 2014 at 1:51 pm

    I am responsible for many public access computers. This is scary indeed. We have done away with floppy, then CD (boss hates optical for some reason, plus they were a PIA); not sure what to do next....grrr. Not cool at all.

    • Matthew Hughes
      October 19, 2014 at 6:40 pm

      Cloud storage?

      Thanks for your comment, Vicky.

    • Vicky
      October 20, 2014 at 1:28 pm

      Staff has the ability to use the cloud (if they can wrap their heads around the concept--lol) and also our file server. Our main concern is the public. We have no way to offer them cloud storage and a majority of them have a hard enough time with most things we take for granted. Thanks for the recommendation, and heads up.

  17. intelligencia
    October 10, 2014 at 6:34 am

    Is this software from Bitdefender a good way to thwart this BadUSB attack from infecting one's computer?:
    Just Curious, thanks


    • Matthew Hughes
      October 19, 2014 at 6:39 pm

      Afraid not. That only deals with threats found on the storage volume, not the firmware.

      Thanks for your comment!

  18. lott
    October 10, 2014 at 6:31 am

    This is not new, this also happened with Iomega, Zip, Jaz & PD drives.
    How long ago!
    As far back as 12 years, this exploit was never published.
    The only ones that knew of it were server administrators.
    And for those of you that do not know what PD is, Phase-Change Dual, this came before CD-RW; they were used for local backup.
    They came in rewritable optical media in 120 Mb, 256 Mb, 524 Mb, later 650Mb.
    That is the reason for formatting these types of media on a stand alone unit, not on production units.
    But this exploit is not new to windows.
    The problem is that windows users run as administrators by default.
    Most I/O devices are on auto run, commonly known today as plug & play devices.
    And to top this off most anti-malware, anti-virus, and firewalls do not look for this behavior.
    Unix does not let any user be an administrator by default, just when the Sudo command is used by the user.
    Servers had an exploit in the I/O like printer ports, later on they were blocked.
    Technically any I/O devices can be used for this purpose, in the firmware or by flashing the firmware.
    Just look at routers, they call them exploits or holes in the software.
    Typically firmware exploits are found by the open source community or developers, like DD-Wrt & security experts.
    These are more commonly on personal equipment, not on commercial hardware, well, most of the time.
    To avoid this problem, always get the firmware from the manufacturer or reputable software source.

    • Matthew Hughes
      October 19, 2014 at 6:39 pm

      Interesting. Thanks for your comment, Lott.

  19. RTIT
    October 10, 2014 at 6:15 am

    Here's a Solution:

    CryptOnKey has a separate SMI Controller. Its memory unit doesn't get power unless the user successfully authenticates.

    If someone messes with the Controller's code and emulates a different device than a disk-on-key, there is no way it can write nor run malicious code from the memory unit.

    • Matthew Hughes
      October 19, 2014 at 6:38 pm

      That looks really, really interesting. Thanks for your comment!

      How did you find out about Cryptonkey? And how does it compare to Ironkey?

    • RTIT
      October 19, 2014 at 7:15 pm

      CryptOnKey seems to be only for SMBs and not Enterprises, especially not for those under regulative restrictions.

      It is not FIPS compliant.

      IronKey is the best Enterprise solution out there, but the price compared to CryptOnKey is way too high. Especially if you are a small to medium business, looking for an affordable solution.

      Just for example, a 2GB Drive IronKey equivalent to CryptOnkey's 4GB Drive, costs around $100 while the 4GB CryptOnKey Drive only costs around $40.

      IronKey - 2GB - for - $100
      CryptOnKey - 4GB - for - $40

      Simple math :)

    • Matthew Hughes
      October 19, 2014 at 7:18 pm

      Interesting. I'd love to give CryptOnKey a go one of these days!

  20. Yogesh
    October 10, 2014 at 6:03 am

    One more typo I guess...

    "Brandon Wilson demonstrated their successful reverse-engineering of BadBSD, and published their exploit code "

    It should be BadUSB and not BadBSD, no?

    • Matthew Hughes
      October 19, 2014 at 6:37 pm

      Yikes. I'll get that fixed ASAP.

      Thanks Yogesh.

  21. Paul
    October 10, 2014 at 3:53 am

    Excellent article. Eye opening, safety-related, easy and quick information to pass around to friends and other contacts. The consistent comments regarding a misprint, which everyone understood anyway, was obviously due to the intense interest in the article. Thancs.

    • Matthew Hughes
      October 19, 2014 at 6:37 pm

      Thanks so much Paul. You rock.

  22. Euclid
    October 10, 2014 at 1:07 am

    Nice article Matt, very informative. Reminds me of Stuxnet.

    • Matthew Hughes
      October 10, 2014 at 10:02 am

      Thanks Euclid!

  23. Lalith
    October 10, 2014 at 12:08 am

    What about pen drive locker?

    • Matthew Hughes
      October 19, 2014 at 6:37 pm

      I'm sorry, I don't understand the question. Can you rephrase?

  24. glen
    October 9, 2014 at 11:25 pm

    Please use safe using.......use a condom.

  25. Bud
    October 9, 2014 at 6:03 pm

    Does ANYONE ever re-check their comments here before posting??? It’s called “QUALITY CONTROLS, man !!! And seems to be a very rampant online ‘disease,’ reading numerous web articles and comments across the board, especially spelling and bad grammar, included. And yes we make typos, but those typos should be checked well before posting............then again we are now living in a world of laziness and speed to meet “supposed” deadlines !

    • Matthew Hughes
      October 9, 2014 at 8:20 pm

      I do. But it's easy to miss things when you're working to a deadline. In the grand scheme of things, the rest of the article is quality, and I stand by it.

  26. Tim Vels
    October 9, 2014 at 3:51 pm

    Wow I never heard of this before. Thanks on this insight.
    I can't worry cause the next version of usb is coming later. So it will be a long time to reach consumers :(

    • Matthew Hughes
      October 19, 2014 at 6:36 pm

      Yep. We're going to be dealing with the repercussions of this for a while.

      Thanks for your comment Tim.

  27. Mark
    October 8, 2014 at 4:45 pm

    So it sounds like the only way to get this would be if the USB device was physically tampered with and someone put the malicious firmware on it... IE you can't plug the USB device into a computer and upload the virus into it that way.

    And it can't really spread this particular malware to another device because it can't update the firmware on that device. (Unless the firmware is updatable, but even then it is probably device specific firmware) But it could be used to install a virus or malware that propagates through traditional methods.

    So really just avoid plugging in a USB key that you don't know the source of and you should be fine. Although that being said if your friend comes over with their USB device you don't know where that came from and could potentially contain the attack program.

    • Matthew Hughes
      October 9, 2014 at 8:19 pm

      Pretty much. The answer is to get more people to be more skeptical when it comes to USB devices.

      That'll require a massive change in people's mentality.

      Thanks for your comment man.

  28. Cory S
    October 8, 2014 at 2:26 pm

    USB drives and people's natural curiosity have long been exploited by hackers and script-kiddies alike but this is a very interesting vulnerability in and of itself. This more than confirms my belief that we have no idea what we are doing with technology and have a long ways to go... it also confirms my belief that if someone wants your data badly enough, they'll find a way to get it, no matter how secure you think it is.

    Great article, Matt! :)

    • Matthew Hughes
      October 9, 2014 at 8:17 pm

      Thanks so much Cory!

  29. Robert
    October 8, 2014 at 10:35 am

    How is it that apparently plugging in a USB device in a computer is enough to pick up the virus, but formatting your device does not get rid of it? If it is that simple to get the virus on a device, there must be a way of removing it again, right?

    • Matthew Hughes
      October 8, 2014 at 11:51 am

      Because the malware isn't stored on the storage medium, but rather on firmware of the USB connector itself.

      Hope that helps!

  30. Liam
    October 8, 2014 at 4:49 am

    Thanks for telling about "successful reverse-engineering of BadBSD" in your article. I knew that BSD is bad and you confirmed it :)

    I hope I won't catch either, BadUSB and BadBSD.

    Great article though, I might disable auto-mount in my Debian box ;).

    • Matthew Hughes
      October 8, 2014 at 11:50 am

      Thanks so much man. :)

  31. aletta mes
    October 8, 2014 at 3:57 am

    Is one OS particularly vulnerable or does it make no difference, I have devices using XP, CentOS, Android.

    • Matthew Hughes
      October 8, 2014 at 11:50 am

      My understanding of BadUSB is that it's an issue with the architecture of USB itself, rather than a platform-specific issue.

      Hope that helps!

    • Andy
      October 9, 2014 at 7:27 pm

      Yes, but it still requires that the host OS execute the code. If there's no vulnerability in the host OS to exploit then this is useless.

      Even in windows it still has to go thru AV programs etc.

      This really isn't any different than the autorun from CDs problem.

  32. bedUSB
    October 8, 2014 at 2:58 am

    we could use it on atm machines!! whoe!! such money! such internetz!

    • Matthew Hughes
      October 9, 2014 at 8:15 pm

      wow! many felonies!

  33. Svein
    October 8, 2014 at 2:14 am

    1 - Is this dependent on the OS of the computer?

    2 - Even though existing anti-malware solutions can not detect it, is it possible to make a small program to test for this that will detect it?

    • Matthew Hughes
      October 9, 2014 at 8:18 pm

      1 - No. It's an issue with USB as a whole.

      2. - Perhaps. We'll have to wait and see.

    • Svein
      October 10, 2014 at 1:22 am

      Yes, I understand that USB is the problem, but the payload would still have to be OS specific? That way, it would be like with most things - Windows will be the biggest problem. And if it could be detected by a specially made program, run it on a Linux computer and use this as a sanitizer before plugging the USB device into a Windows computer... ?

    • Matthew Hughes
      October 19, 2014 at 6:35 pm

      Oh, sorry. I misunderstood your question.

      In short, yes. Just like a Windows virus doesn't work on Linux, the payload would indeed have to be OS specific.

      I can't answer your other question, as I'm not aware of any such program. Is it theoretically possible? Perhaps.

      Thanks for your comment.

  34. Kevin Dethlefs
    October 8, 2014 at 1:40 am

    Woot on Hak5, great show. Highly recommend them for anyone remotely interested in hacking electronics or computer security. And for the ones that catch grammar errors and time travel, lay off.... the guy does his best and isn't perfect... :D

    • Matthew Hughes
      October 9, 2014 at 8:17 pm

      Darren Kitchen *is* a beast. Thanks man! And thanks for the kind words!

  35. Katie
    October 7, 2014 at 9:14 pm

    Matt, what do you recommend for people using public computers, like in computer labs or at the library?

    • Matthew Hughes
      October 9, 2014 at 8:16 pm

      Great question! I'm not sure. There haven't been any real demonstrable attacks found 'in the wild' yet.

      I'd have to wait a few months to give you an answer to that.

  36. Nelson Delgado
    October 7, 2014 at 7:40 pm

    Are Linux, Mac and other Unixes vulnerable too?

    • Andy
      October 9, 2014 at 7:14 pm

      No. Theoretically the same sort of exploits would work, but it's very unlikely anyone will ever use them - infecting linux and MacOS computers is far more difficult than infecting Windows computers - and there are other practical problems like trying to run exec files from CDs/DVDs (most linux distros mount disc media with noexec set).

      Hard to figure out why anyone would bother. There are far more Windows computers out there and they are far more vulnerable to anything the authors want to load from the USB stick, plus the ENORMOUS library of windows hacking code that exists.

    • Matthew Hughes
      October 9, 2014 at 8:15 pm

      Yep. It's not an OS issue. It's an issue with how USB works.

  37. Kim
    October 7, 2014 at 7:13 pm

    Do you think we'll reach the day where antivirus programs will be able to scan USBs for things like this? Or is it too rare of an occurrence, so it's still not a priority for programmers?

    • Matthew Hughes
      October 9, 2014 at 3:18 pm

      I don't know! It's very speculative at this stage.

      Thanks for your comment Kim!

    • Danny
      October 11, 2014 at 2:52 pm

      I use Mc×××fe. It's free from my internet provider. I have the plug n play options turned off. When I insert a USB, Mc××××fe does open a box asking if I would like it to scan the device.

    • Haque
      February 17, 2015 at 12:10 am

      "When I insert a USB, Mc××××fe does open a box asking if I would like it to scan the device"

      It scans the files on the device, these are contained on the NAND chip/chips in a (usually) Fat32 Filesystem. badUSB however is not. The code for BadUSB is in the controller chip, and is not able to be scanned by Mcxxfe.
      Your system does not have any way to interact with the controller to know if there is malicious code on the USB drive or not.
      The actual code that runs is not even the same as your PC, and is not run on the PC processor. The USB drive has a CPU all of its own, meaning it can run whatever it wants and your PC will not know unless the device actually performs operations that have been discovered and mitigations have been written. Think of the Flash drive as a minicomputer with RAM,CPU, an OS and memory all of its own. BadUSB could be likened to software running on that little PC.

  38. Roland Hesz
    October 7, 2014 at 7:09 pm

    Ok, so to comment on the content of the article.

    My take on this is use the normal common sense.

    If you don't know where it came from, don't plug it in.
    The virus appearing on brand new devices - straight from factory - will take a few months, on used devices maybe one month.
    So be careful with buying that $5 high-end gamer mouse on eBay from the account that has been created yesterday and selling hundreds of them.

    But that applies to everything really.
    If it won't get fixed in the next six months, then we can start to worry about brand new, fresh from the factory gadgets too.

    • Matthew Hughes
      October 9, 2014 at 3:17 pm

      Thanks so much Roland. And yes. People should be much more skeptical of the USB devices they plug into their computers.

  39. Jay
    October 7, 2014 at 6:47 pm

    Sounds like a perfect spy tool. I wonder how long governments of the world have been using it to hack foreign systems?

    • Matthew Hughes
      October 9, 2014 at 3:16 pm

      Who knows!

      Thanks for your comment Jay!

  40. Nicolás
    October 7, 2014 at 5:01 pm

    the thing is: can MY usb pendrive get infected by plugging it into another computer and then transforming it into an attack vector for my computer?

    • Matthew Hughes
      October 7, 2014 at 6:22 pm

      Potentially. There's not really been any use of the exploit 'in the wild' right now, so it's hard to tell.

    • Zanzal
      October 7, 2014 at 10:53 pm

      "There’s not really been any use of the exploit ‘in the wild’ right now, so it’s hard to tell."

      That is untrue. Security researcher @dragosr tweeted on this almost a year ago. At the time he was attempting to track an infection that seemed to a) transmit itself by overwriting USB firmware and b) infecting font files, and infected machines would communicate with other infected machines using high frequency (air gap) modem. Some people of course laughed at him for these claims, but no one is laughing now.

      To address your question: Nicolás - Yes, but since there is no way to stop it, there isn't much sense in worrying about it. Just keep your USB devices out of strange machines and try and prevent physical access to USB ports when possible.

    • Matthew Hughes
      October 9, 2014 at 3:16 pm

      No, it's true. BadBIOS has nothing to do with BadUSB, and BadBIOS has not been independently verified. BadUSB has. Incidentally, I wrote about BadBIOS last year.

      At the time, I was open to it being true. But now? I'm pretty skeptical.


  41. School Teacher Jim
    October 7, 2014 at 4:37 pm

    "USB has became reached a level of absolute ubiquity."

    Not sure whats more frightening, BadUSB or BadEnglish?

    • Matthew Hughes
      October 7, 2014 at 6:22 pm

      Ah, good catch. Thanks man. It's fixed now.

  42. twilight009
    October 7, 2014 at 4:31 pm

    July ... 2015?

    You guys seem to have a problem with basic fact-checking.

    • Matthew Hughes
      October 7, 2014 at 6:21 pm

      That, or I'm from the future. Pick one.

      Nah, it was a typo. Sorry man. Nobody's perfect!

  43. Michael Madarasz
    October 7, 2014 at 4:29 pm

    Ummm, July 2015? This time travel can be worrisome!

    • Matthew Hughes
      October 7, 2014 at 6:23 pm

      I knew it was a bad idea to buy a DeLorean.

      Sorry man. It's been fixed now.

  44. hazem elsaiegh
    October 7, 2014 at 4:20 pm

    oh my god , that's a big problem

    • Matthew Hughes
      October 7, 2014 at 6:25 pm

      Yes, yes it is!

  45. Daryl Kirchen
    October 7, 2014 at 4:17 pm

    "The earth-shattering revelations that USB wasn’t as secure as first thought was first disclosed by security researchers Karsten Nohl and Jakob Lell in July, 2015" WOAH TIME TRAVEL.

    • Matthew Hughes
      October 7, 2014 at 6:26 pm

      I KNOW, RIGHT?

      Apologies man. It's since been fixed. Just a typo.

  46. Mike Merritt
    October 7, 2014 at 4:02 pm

    July 2015 ??? Under heading "Meet BadUSB" ... Typo ? Seeing into the Future ??

    • Matthew Hughes
      October 7, 2014 at 6:26 pm

      It's a skill of mine.

      Sorry about the typo man. It's all fixed now!