Cybercriminals may have another tool in their kit for infiltrating computers and networks: USB drives. A recent finding points to a fundamental security flaw in the technology that could serve as an avenue for malware.
Threat to 'day-to-day computing'
Reporting on the revelation, CBS remarked that the vulnerability "could have a significant impact on day-to-day computing," throwing doubt on the security and practicality of using the devices to store and share data.
According to the news source, Security Research Labs analysts Karsten Nohl and Jakob Lell discovered a lack of firmware protection within USB devices opens the door for malware to overwrite the technology and take control of computers through mice, keyboards, thumb drives, external hard drives, and other components that connect via USB ports.
The potential infection, which occurs before antivirus tools are activated, could enable cybercriminals to issue their own commands, steal files, redirect website traffic and more, the source added. CIO Today noted that this strategy may already be in use, including by the National Security Agency, and Nohl and Lell explained that "no effective defenses from USB attacks are known."
What's to be done?
Although these findings are concerning, they're no reason for widespread panic. First of all, CBS emphasized that many devices, especially inexpensive ones, don't have the reprogrammable firmware that forms a core component of the vulnerability. Furthermore, the problem isn't new: It's been around pretty much as long as the devices have, the source added.
However, with cybercrime on the rise and hackers always looking for new, unexpected ways to attack, taking extra precautions is a good idea. Organizations with sensitive documents, for example, might want to be cautious about which USB devices they allow workers to connect to computers. Replacing thumb drives and hard drives with secure file sharing and archiving programs could eliminate at least some of the risk.
As with any security threat, bolstering defenses requires multiple layers of solutions and ongoing vigilance. In addition to implementing strong antivirus programs and firewalls, for example, companies should consider how they monitor their networks and maintain control over important accounts and resources.
More information about the USB security flaw is likely to come to light as time progresses. In the immediate future, Nohl and Lell will explain their discovery at the the annual Black Hat USA 2014 in Las Vegas, which takes place August 2-7.