BadUSB

BadUSB is a computer security attack using USB devices that are programmed with malicious software.^[2] For example, USB flash drives can contain a programmable Intel 8051 microcontroller, which can be reprogrammed, turning a USB flash drive into a malicious device.^[3] This attack works by programming the fake USB flash drive to emulate a keyboard. Once it is plugged into a computer, it is automatically recognized and allowed to interact with the computer. It can then initiate a series of keystrokes which open a command window and issue commands to download malware.

"It's the struggle between simplicity and security. The power of USB is that you plug it in and it just works. This simplicity is exactly what's enabling these attacks."

- Karsten Nohl, 2014^[1]

At 2, the USB controller which the custom firmware can be flashed to is visible.

The BadUSB attack was first revealed during a Black Hat talk in 2014 by Karsten Nohl, Sascha Krißler and Jakob Lell. Two months after the talk, other researchers published code that can be used to exploit the vulnerability.^[4] In 2017, version 1.0 of the USG dongle, which acts like a hardware firewall, was released, which is designed to prevent BadUSB style attacks.^[5]

Criminal usage

In March 2020, the FBI issued a warning that members of the FIN7 cybercrime group had been targeting companies in the retail, restaurant, and hotel industries with BadUSB attacks designed to deliver REvil or BlackMatter ransomware.^[6] Packages have been sent to employees in IT, executive management, and human resources departments.^[6] One intended target was sent a package in the mail which contained a fake gift card from Best Buy as well as a USB flash drive with a letter stating that the recipient should plug the drive into their computer to access a list of items that could be purchased with the gift card.^[6][7] When tested, the USB drive emulated a keyboard, and then initiated a series of keystrokes which opened a PowerShell window and issued commands to download malware to the test computer, and then contacted servers in Russia.^[6][7]

In January 2022, the FBI issued another warning that members of FIN7 were targeting transportation and insurance companies (since August 2021), and defense companies (since November 2021), with BadUSB attacks designed to deliver REvil or BlackMatter ransomware.^[8][9] These targets were sent USB drives in packages claiming to be from Amazon or the United States Department of Health and Human Services, with letters talking about free gift cards or COVID-19 protocols that were purportedly further explained by information on the USB drive.^[8][9] As above, when plugged in, the USB drives emulate a keyboard, and then initiate a series of keystrokes which open a PowerShell window and issue commands to download malware.^[8][9]

See also

• Juice jacking

Further reading

• Lu, Hongyi; Wu, Yechang; Li, Shuqing; Lin, You; Zhang, Chaozu; Zhang, Fengwei (May 2021). "BADUSB-C: Revisiting BadUSB with Type-C". 2021 IEEE Security and Privacy Workshops (SPW). pp. 327–338. doi:10.1109/SPW53761.2021.00053. ISBN 978-1-6654-3732-5.