What You Need to Know About BadUSB

Posted by George Yunaev on 2014-10-30 16:11:00

BadUSB is the slang term the media attached to malicious USB devices. It used to refer only to devices manufactured specifically for malicious purposes, but recently security researchers found a way to replace the firmware on certain innocuous USB flash drives and turn them into malicious USB devices. This means that not only can a malicious device be created from scratch, but a harmless device can also be turned malicious.

How does it work?

USB means “Universal Serial Bus,” which is technical-speak for a standardized “language” that we techies call a “communication protocol.” All devices connected to this socket must “speak” it to interact with computers and with each other. The protocol is fairly broad; in layman’s terms, it is more like interacting with an ATM than switching on a light bulb.

The bus supports a number of inquiries, such as:

  • Identifying the USB device and its properties (is it a keyboard? A webcam? A flash drive? If it is a drive, how much storage does it have? If it is a camera, what is its resolution?).

  • Listing connected devices. Certain USB devices contain more than one: for example, a USB keyboard-mouse combo with a single receiver presents itself as two devices, a USB keyboard and a USB mouse.

  • Setting device options (such as turning on the webcam).

  • Receiving information from the device (such as receiving keystrokes, mouse movements, or video feed).

  • Transferring data between host and device (for example, when a file is copied to a USB flash drive, the device’s processor receives the data from the computer and writes it into the flash memory, and vice versa).

On the computer side, those commands are handled by the USB driver. On the device side there is no computer and hence no driver. Instead, every USB device has a special processor built into it, much like a computer processor but far less powerful, that manages the USB connection and knows how to “speak” the USB protocol. Just as your computer boots when powered up, the USB device “boots” when plugged into the port and executes a special program called “firmware”: a program that reacts to USB commands and sends the requested data. This processor is usually an embedded one that does not run any common operating system, so it cannot execute common binaries such as Windows executables from your computer. Its firmware is instead designed by engineers and programmed into the device during manufacturing.
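As an added illustration of the identification step described above (this is not code from the original post or from Bitdefender): when the host asks a device what it is, the device answers with descriptor bytes, and a defender can parse the configuration descriptor to see which functions a device actually claims. The sample bytes below are constructed to resemble a device that presents both a flash drive and a keyboard; the function names are assumptions made for this example.

```python
import struct
from dataclasses import dataclass

USB_CLASS_HID = 0x03            # Human Interface Device (keyboards, mice)
USB_CLASS_MASS_STORAGE = 0x08   # flash drives, card readers
DESC_CONFIGURATION, DESC_INTERFACE = 0x02, 0x04
HID_PROTOCOL_KEYBOARD = 0x01    # boot-interface protocol code for a keyboard

@dataclass(frozen=True)
class Interface:
    number: int
    cls: int
    subclass: int
    protocol: int

def parse_interfaces(config: bytes) -> list[Interface]:
    """Walk a USB configuration descriptor and collect its interface descriptors.

    Every descriptor starts with bLength and bDescriptorType, so descriptors this
    parser does not care about (endpoints, class-specific HID descriptors) are
    skipped by their declared length. Malformed lengths raise instead of looping.
    """
    if len(config) < 9 or config[1] != DESC_CONFIGURATION:
        raise ValueError("not a configuration descriptor")
    total = struct.unpack_from("<H", config, 2)[0]      # wTotalLength, little-endian
    if total > len(config):
        raise ValueError("wTotalLength exceeds the buffer")
    interfaces, offset = [], 0
    while offset + 2 <= total:
        length, dtype = config[offset], config[offset + 1]
        if length < 2 or offset + length > total:
            raise ValueError(f"malformed descriptor at offset {offset}")
        if dtype == DESC_INTERFACE and length >= 9:
            # bInterfaceNumber, bAlternateSetting, bNumEndpoints, bInterfaceClass,
            # bInterfaceSubClass, bInterfaceProtocol
            num, _alt, _eps, cls, sub, proto = config[offset + 2:offset + 8]
            interfaces.append(Interface(num, cls, sub, proto))
        offset += length
    return interfaces

def storage_that_also_types(interfaces: list[Interface]) -> bool:
    """True when a single device exposes both mass storage and a HID keyboard."""
    has_keyboard = any(i.cls == USB_CLASS_HID and i.protocol == HID_PROTOCOL_KEYBOARD
                       for i in interfaces)
    return has_keyboard and any(i.cls == USB_CLASS_MASS_STORAGE for i in interfaces)

# Constructed sample: one configuration, 57 bytes, two interfaces.
SAMPLE_CONFIG = bytes([
    9, 0x02, 57, 0, 2, 1, 0, 0x80, 50,       # configuration header, 2 interfaces
    9, 0x04, 0, 0, 2, 0x08, 0x06, 0x50, 0,   # interface 0: mass storage, SCSI, bulk-only
    7, 0x05, 0x81, 0x02, 64, 0, 0,           # bulk IN endpoint
    7, 0x05, 0x02, 0x02, 64, 0, 0,           # bulk OUT endpoint
    9, 0x04, 1, 0, 1, 0x03, 0x01, 0x01, 0,   # interface 1: HID, boot subclass, keyboard
    9, 0x21, 0x11, 0x01, 0, 1, 0x22, 63, 0,  # HID class descriptor (skipped by length)
    7, 0x05, 0x83, 0x03, 8, 0, 10,           # interrupt IN endpoint
])
```

A host-side policy that only expects a storage device from a flash drive can use the same check to flag a stick that unexpectedly enumerates a keyboard.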

For legitimate devices, the firmware does legitimate things.

However, even legitimate firmware can be replaced with malicious firmware on almost any device.

Historically, this was rather difficult to achieve, requiring hardware modifications such as chip replacement, or special hardware. But recently (July 2014), several security researchers found a way to replace the firmware on certain USB flash drives with a modified version right from a computer, using only software. This makes it possible for the bad guys to reprogram USB sticks to perform malicious actions.
Also, because replacing the firmware this way is much easier, malware writers can mass-produce infected devices at low cost and attack targets by leaving the devices where they are likely to be picked up, or by giving them out as gifts.

So what exactly can a malicious USB device do and not do, and what prevention measures can you take to protect your organization from BadUSB attacks? Download our threat analysis, What you need to know about BadUSB, to find out.

George Yunaev

George Yunaev is a Senior Software Engineer at Bitdefender. He joined the company's OEM Technology Licensing Unit in 2008, after working at Kaspersky Lab for seven years. Aside from developing SDKs for various OEM solutions, George also provides partners and prospects with useful insights into emerging threats and the potential pitfalls of technology licensing. His 19 years of software engineering experience also cover reverse engineering and malware analysis. He is based in Silicon Valley, California, and enjoys traveling and active sports such as skydiving and wakeboarding.

Topics: Threats