A recently discovered proof-of-concept malware has the chance to change the entire threat landscape as well as the way organizations, such as critical infrastructure, view the safety of portable devices. The threat is called ‘BadUSB’ and what makes it incredibly dangerous is the fact that it is undetectable by antivirus software.
Two cyber security professionals, Karsten Nohl and Jakob Lell, discovered the ‘BadUSB’ malware, and presented their findings at Black Hat this year. The threat can go undetected, as it’s built into the actual firmware of a USB device, and not contained in the storage. Typically antivirus software scans all the files stored on the device, but since the malware is embedded within the firmware, the antivirus software is unable to access and scan that portion of the device. Once the ‘BadUSB’ is installed, it can take over control of the device and execute commands to download additional malicious software.
Most organizations are heavily reliant on USB devices to transfer files between computers, often spanning employees and customers external to the organization. Malware such as this could be used to penetrate even the most secure organization's defenses, and cause havoc. The malware is still in a proof-of-concept stage, and as such is only a theoretical risk. However, should this malware suddenly become available in the wild, there is currently no effective way to detect or prevent this type of threat, short of completely banning USB-based devices.
What if You Can’t Ban USBs?
For organizations that utilize peripheral devices on a day-to-day basis there are a few guidelines you can follow to ensure a secure data workflow in your environment. You should always make sure that you are using a trusted USB device on your own computer. You can’t always know for sure if the external media is clean, so it’s important to consider if the person has taken the necessary precautions to protect their portable device at all times.
OPSWAT recommends a role-based approach to security policies, as a means of addressing policies and training to specific user communities. We’ve touched on this type of strategy in the past, but it's worth repeating. Setting effective and appropriate security policies for varying groups helps to reduce the risk of being infected from a portable device. Certain user groups, such as security professionals, tend to take precautionary steps to protect their devices, while sales representatives who have presentations on a portable device and transfer them frequently to various laptops might not be as cautious about the security of their device.
Malware-writers continually come up with creative ways to attack critical infrastructures and if the 'Energetic Bear' attack is any indication, they are only going to grow in sophistication. While USB devices can be incredibly beneficial to work place productivity, there must be necessary precautions in place to ensure the security of the endpoints in an organization.