USB may be port of entry for malware

Aug. 04 -- Black Hat, the most controversial information security conference in the world, kicks off this week in Las Vegas with a topic that affects nearly every consumer: the security of USB devices.

USB -- or Universal Serial Bus -- is the ubiquitous port found on nearly every laptop and desktop. It's what you use to connect everything to your computer -- cameras, smartphones and, of course, USB keys. And now, two Germany-based researchers say it's a huge risk.

Karsten Nohl and Jakob Lell are scheduled to unveil their findings about the vulnerability of USB on Wednesday at Black Hat, and they've already begun insinuating that everyone should throw away their USB keys and fill their ports up with hot glue.

"No effective defenses from USB attacks are known," write Karsten Nohl and Jakob Lell in a blog post, later adding, "Once infected, computers and their USB peripherals can never be trusted again."

Nohl is credited with discovering a major flaw in 750 million SIM cards last year. This time, the pair says they have reverse-engineered a type of malware that can be installed on a USB device and travel to the computer the device is plugged into. This malware, which they've dubbed BadUSB, is particularly nefarious because it can't be removed or detected. The pair contends the security problem is built into the core of USB -- its firmware -- and is undetectable by antivirus scans.

But are they offering a veritable "how-to" for the bad guys? Or providing the good guys with the intel needed to ensure protective measures?

Whether or not the proof-of-concept for BadUSB pans out on Wednesday, the researchers will feel heat for digging up this discovery in the first place. They follow in a long line of Black Hat melodramas that have shaken the information security world. In past years, Black Hat has been host to the live hacking of an ATM (to continually dispense money on stage), a diabetic security expert who reprogrammed his insulin pump and a demonstration of how to subvert digital hotel key systems.

There's a fine line between being a proactive information security expert and a hacker. This is the continuous debate about Black Hat. Information can always get into the wrong hands, so is it better to suppress the truth?

No. It's better to arm the good guys with information even if it means you're arming the bad guys, too. Consumers deserve to know when devices they rely upon may be vulnerable. Especially when it's as universal as USB.

Copyright 2014 - Boston Herald