A newly discovered flaw in USBs, dubbed BadUSB, that allows them to become automated hacking tools is the latest challenge for data security professionals. This recently announced vulnerability may fundamentally change how the world uses and shares information, since USB interfaces are built into virtually all computers. Unfortunately, the code to leverage this vulnerably in USB devices worldwide is now available at the code-sharing site, Github.
Conventional cyber defenses, such as anti-malware, are ineffective in defending against a BadUSB device.
“The vulnerability is in the firmware on all USB devices, which allows any altered USB device to automatically run commands, download malware or extract files. The versatility of USBs is also their Achilles heel, since different device classes can plug into the same connectors. One type of device can turn into a more capable or malicious type without the user noticing,” explained Carl Leonard, of Websense Security Labs. “We don’t know yet what type of malware will be delivered through this infection vector. It could be anything from data exfiltration or ransom ware to targeted data destruction.”
The news is not all bad, however.
“Deploying a vigorous data loss prevention (DLP) solution is of utmost importance, because with it, you can at least stop the data theft, if not the infection,” Leonard said. “Stopping data exfiltration is the first and most critical step against BadUSB, and we can do that.”
In the wake of BadUSB news and last week’s announcement of the Shellshock vulnerability, now is a good time to re-examine your data security posture.
Follow our Websense Insights and Websense Security Labs blogs for more information as it becomes available.