BadUSB - reason to worry?

[rowdy]

This has been around for a little while: https://srlabs.de/badusb/

(Search for yourself for more matches.)

Basically a USB controller on any device can be programmed to emulate a keyboard, and can, for example, send keystrokes to the host computer at a nominated time to disable antivirus, open firewall ports, and do pretty much anything else that you can do via keyboard commands.

I recently got a new USB memory stick, my first new one for many years, certainly the first one I have bought since long before BadUSB was a thing.

Now I'm worried, or perhaps a little paranoid.  The device in question is a generic made in China Target brand 16GB SUB stick.

Has anyone here suffered a BadUSB event?

[sethk_]

I haven't personally, is there any way to check reviews for yours

[rowdy]

I don't think so.  If the USB stick has malware in its firmware, there is nothing you can do about it.  Even formatting the USB stick doesn't affect the firmware, as I saw in a video somewhere.

Something that can inspect and reprogram the firmware on a USB controller could probably detect and remove it, but I have nothing remotely like that.

[fanpeople]

Where did you get the USB from?

It would be interesting to see stats on something like this but it would be hard to gather considering most home users wouldn't really have a centralised organisation to report to for the purpose of data collection. Most people would just assume their computer committed suicide, I know that is what I would assume.

Hey if any hacker wants my negative $20,000 they are welcome to it  . Don't even need BadUSB, you can have my $170 parking ticket also if you like (got that one for parking on the strip out the front of my house, that's what I get for being considerate of the bus that goes down the tight street that I live on).

[rowdy]

Where did you get the USB from?

It would be interesting to see stats on something like this but it would be hard to gather considering most home users wouldn't really have a centralised organisation to report to for the purpose of data collection. Most people would just assume their computer committed suicide, I know that is what I would assume.

Hey if any hacker wants my negative $20,000 they are welcome to it  . Don't even need BadUSB, you can have my $170 parking ticket also if you like (got that one for parking on the strip out the front of my house, that's what I get for being considerate of the bus that goes down the tight street that I live on).

Target.

[Computer-Lab in Basement]

it's probably safe

i'd like to think Target would be opposed to identity theft that could be tied to them in any way... mainly for legal reasons...

[fenwick]

Just because an attack exists and has been demonstrated doesn't mean you need to worry about it.  Especially on hardware coming straight from the shelf at Target.

It would have to be a very complex attack for them to install something like this on thousands of drives, then somehow know when to run the keystrokes without anyone noticing applications opening and closing on their own, or seeing keyboards appearing and disappearing.

The only attacks coming from hardware out of the box that I can think of are NSA interception ops, but those are usually network hardware and are caught during shipment to someone they don't like.

[baldgye]

If your worried about that kinda stuff why not use an old laptop (everyone has one somewhere) have it off your network and install a bunch of software on it to allow you to safely format drives etc, when you buy a new usb stick, plug it into that bad boy and format it/scan it. If nothing else would help you be less paranoid

[jamster]

If your worried about that kinda stuff why not use an old laptop (everyone has one somewhere) have it off your network and install a bunch of software on it to allow you to safely format drives etc, when you buy a new usb stick, plug it into that bad boy and format it/scan it. If nothing else would help you be less paranoid

Because this issue has nothing to do with malicious software installed on the USB stick, the worry is malware at the firmware level which means that it can't simply be reformatted or even detected by AV.

[baldgye]

If your worried about that kinda stuff why not use an old laptop (everyone has one somewhere) have it off your network and install a bunch of software on it to allow you to safely format drives etc, when you buy a new usb stick, plug it into that bad boy and format it/scan it. If nothing else would help you be less paranoid

Because this issue has nothing to do with malicious software installed on the USB stick, the worry is malware at the firmware level which means that it can't simply be reformatted or even detected by AV.

But couldn't you flash the firmware with the correct software?

[rowdy]

If your worried about that kinda stuff why not use an old laptop (everyone has one somewhere) have it off your network and install a bunch of software on it to allow you to safely format drives etc, when you buy a new usb stick, plug it into that bad boy and format it/scan it. If nothing else would help you be less paranoid

Because this issue has nothing to do with malicious software installed on the USB stick, the worry is malware at the firmware level which means that it can't simply be reformatted or even detected by AV.

But couldn't you flash the firmware with the correct software?

If you had the equipment to flash the firmware on a USB controller, which I do not.

This is a generic Chinese USB memory stick, and I have no idea where it really came from (except it was China) and where the components, including the firmware, came from.

Maybe it is part of a Chinese attempt to install malware on western PCs, but that is probably being far too paranoid.

Nevertheless BadUSB is out there, and this is the first USB memory stick I have bought for quite a few years.

[GL1TCH3D]

The argument that an off the shelf product from target is safe is not solid.

Not too long ago either Wal-Mart or target was selling cheaper generic Chinese tablets that came prerooted and therefore very vulnerable to data theft, loss, etc.

[Leslieann]

They also got sold a bunch of fake Sandisk sticks at one point as well.

[phosphoric]

If your worried about that kinda stuff why not use an old laptop (everyone has one somewhere) have it off your network and install a bunch of software on it to allow you to safely format drives etc, when you buy a new usb stick, plug it into that bad boy and format it/scan it. If nothing else would help you be less paranoid

Because this issue has nothing to do with malicious software installed on the USB stick, the worry is malware at the firmware level which means that it can't simply be reformatted or even detected by AV.

But couldn't you flash the firmware with the correct software?

If you had the equipment to flash the firmware on a USB controller, which I do not.

This is a generic Chinese USB memory stick, and I have no idea where it really came from (except it was China) and where the components, including the firmware, came from.

Maybe it is part of a Chinese attempt to install malware on western PCs, but that is probably being far too paranoid.

Nevertheless BadUSB is out there, and this is the first USB memory stick I have bought for quite a few years.

not to mention that flashing the firmware on every single usb stick that you buy/acquire is going to be a pain in the ass at some point... especially if you're digging out an old craptop just to do it

[tp4tissue]

I'd be worried,  if I weren't so desperately poor.