THE USB FLAW AND HOW TO PROTECT YOURSELF
The flaw affects thumb drives and external hard drives, but also any device that connects to a PC using USB.
This includes keyboards and mice, as well as the USB drives used to charge phones and tablets.
If malicious code is programmed into the firmware, hackers could use it to issue their own commands on a PC, for example.
This includes installing malware, taking over a PC, or redirecting web traffic.
According to the researchers, this reprogramming is virtually untraceable and can't be patched.
They added the best course of action is to only use USB devices that are 100 per cent trustworthy.
USB's Achilles heel: Since different device classes can plug into the same connectors, one type of device can turn into a more capable or malicious type without the user noticing.
By reprogramming the USB central firmware with malicious code, which is then pushed to individual devices, the hackers could gain access to a PC once it's connected to an infected USB device.
The hackers discovered BadUSB could then be used to issue their own commands.
This includes emulating a keyboard and issuing commands on behalf of the user, such as opening files or installing malware.
Such malware could then be used to infect any other connected USB devices.
The device can also spoof a network card and change the computer's settings to redirect web traffic to certain sites.
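To the host, the persona change described above appears as a device leaving a port and a different set of interface classes arriving on it almost at once. The following is an added example, not code from the researchers or the original article: a heuristic check over USB connect and disconnect events that flags that pattern. The event record fields, the two-second threshold and the sample events are assumptions made for illustration.

```python
# USB-IF base class codes for the interface classes this check looks at.
HID, MASS_STORAGE, CDC_COMM, CDC_DATA, WIRELESS = 0x03, 0x08, 0x02, 0x0A, 0xE0
INPUT_OR_NETWORK = {HID, CDC_COMM, CDC_DATA, WIRELESS}
SWAP_SECONDS = 2.0  # assumption: nobody swaps devices on one port faster than this

def find_persona_changes(events):
    """Return (time, port, reason) alerts from USB add/remove events."""
    state = {}   # port -> {"classes": set of class codes, "removed_at": time or None}
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        port = ev["port"]
        if ev["action"] == "remove":
            if port in state:
                state[port]["removed_at"] = ev["time"]
            continue
        classes = set(ev["classes"])
        risky = classes & INPUT_OR_NETWORK
        # Rule 1: a storage device that also claims to be a keyboard or network card.
        if MASS_STORAGE in classes and risky:
            alerts.append((ev["time"], port, "storage plus input/network"))
        # Rule 2: the same port comes back almost at once with new input/network classes.
        prev = state.get(port)
        if prev is not None:
            gap = 0.0 if prev["removed_at"] is None else ev["time"] - prev["removed_at"]
            if gap < SWAP_SECONDS and risky - prev["classes"]:
                alerts.append((ev["time"], port, "persona change"))
        state[port] = {"classes": classes, "removed_at": None}
    return alerts

# Constructed sample events (hypothetical, not captured from a real machine).
SAMPLE_EVENTS = [
    {"time": 10.0,  "port": "1-2", "action": "add",    "classes": [MASS_STORAGE]},
    {"time": 45.0,  "port": "1-2", "action": "remove"},
    {"time": 45.3,  "port": "1-2", "action": "add",    "classes": [HID]},
    {"time": 100.0, "port": "1-4", "action": "add",    "classes": [MASS_STORAGE]},
    {"time": 160.0, "port": "1-4", "action": "remove"},
    {"time": 175.0, "port": "1-4", "action": "add",    "classes": [HID]},
    {"time": 200.0, "port": "1-5", "action": "add",    "classes": [MASS_STORAGE, HID]},
]

if __name__ == "__main__":
    for alert in find_persona_changes(SAMPLE_EVENTS):
        print(alert)
```

Port 1-4 is not flagged because fifteen seconds is a plausible time for a person to swap a thumb drive for a keyboard, which is the ambiguity the researchers point to; a device that waits before changing persona would pass this timing check.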
Mr Nohl and Mr Lell added there are 'no effective defenses from USB attacks.'
'Malware scanners can't access the firmware running on USB devices.
'USB firewalls that block certain device classes do not (yet) exist.
'And behavioural detection is difficult, since a BadUSB device's behaviour when it changes its persona looks as though a user has simply plugged in a new device.'
The researchers are due to present their research at the Black Hat security conference in Las Vegas next week.
'USB has become so commonplace that we rarely worry about its security implications,' they continued.
'USB sticks undergo the occasional virus scan, but we consider USB to be otherwise perfectly safe - until now.'
'We demonstrate a full system compromise from USB and a self-replicating USB virus not detectable with current defenses.'
Sadly, because of the nature of the flaw and the wide scope it covers, there is little users can do to protect themselves.
The researchers told Wired the best course of action is to only use USB devices that are 100 per cent trustworthy; ones that users know haven't been used by anyone else and couldn't have been compromised.