USB vulnerabilities and the trojans that exploit them are nothing new. Up until now, though, they took the shape of a programmable computer hidden inside a USB stick. Karsten Nohl from the Berlin security company SRLabs has now discovered something new. He calls this exploit “BadUSB”, evoking last year’s alleged super trojan BadBIOS.


Nohl found a way to reprogram the native firmware of USB devices to do what he wants. The vast majority of these devices contain a controller chip made by one of only three manufacturers, the most common being a company called Phison.

These USB controller chips implement a protocol that is based on SCSI with proprietary extensions. Nohl and his team found existing research on reverse engineering them and went to work. They managed to flash their own firmware onto the stick, which can then, like a hardware USB trojan, pretend to be a keyboard or a mouse and do whatever it pleases on the target machine: downloading malicious code and taking the machine over, or infecting other USB devices that are present or inserted later, including web cams, USB hard drives, other sticks and phones.

This way, a USB virus is born that jumps from device to device and can’t be stopped by conventional anti-virus software. Registered as a keyboard, it can circumvent almost all security measures, since the computer can’t tell it from an actual user typing commands. There is no inherent security in the USB protocol, and no real “USB firewall” solutions exist that could stop the attack either. Right now, the only thing that seems to help is taking a glue gun to the physical ports.
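The one thing a host can see of a reflashed stick is what it announces at enumeration: the interface descriptors. A stick that was reprogrammed to act as a keyboard will typically show a HID interface next to (or instead of) its mass-storage interface. The following is an added example, not code from the article or from SRLabs, of the kind of “USB firewall” policy check the text says did not exist at the time. It reads the attributes Linux exposes under `/sys/bus/usb/devices/` (`idVendor`, `idProduct`, `product`, and per interface `bInterfaceClass`, `bInterfaceSubClass`, `bInterfaceProtocol`) from a constructed textual dump, flags any device that claims a keyboard or mouse alongside mass storage, and flags any HID interface on a device that is not on an allowlist. The dump format, the vendor/product IDs and the allowlist are assumptions made for the example.

```python
# Added example, not from the article or SRLabs: a small USB policy check
# over the interface descriptors a device announces when it is plugged in.
# Sample data below is constructed; vendor/product IDs are made up.

from dataclasses import dataclass

USB_CLASS_HID = 0x03            # keyboards, mice
USB_CLASS_MASS_STORAGE = 0x08   # USB sticks; subclass 06 = SCSI transparent,
                                # protocol 50 = bulk-only transport
HID_PROTO_KEYBOARD = 0x01
HID_PROTO_MOUSE = 0x02


@dataclass(frozen=True)
class Interface:
    cls: int
    subclass: int
    protocol: int


@dataclass(frozen=True)
class Device:
    vendor_id: int
    product_id: int
    product: str
    interfaces: tuple


def parse_sysfs_dump(text):
    """Parse a constructed dump of sysfs USB attributes, one `path value` per line.

    Device nodes look like `1-1`, interface nodes like `1-1:1.0` (config 1,
    interface 0), matching the directory layout under /sys/bus/usb/devices/.
    """
    devs, ifaces = {}, {}
    for line in text.strip().splitlines():
        path, _, value = line.strip().partition(" ")
        node, attr = path.split("/", 1)
        (ifaces if ":" in node else devs).setdefault(node, {})[attr] = value
    out = []
    for node, attrs in devs.items():
        ifs = tuple(
            Interface(int(a["bInterfaceClass"], 16),
                      int(a.get("bInterfaceSubClass", "0"), 16),
                      int(a.get("bInterfaceProtocol", "0"), 16))
            for n, a in sorted(ifaces.items()) if n.split(":")[0] == node
        )
        out.append(Device(int(attrs["idVendor"], 16), int(attrs["idProduct"], 16),
                          attrs.get("product", ""), ifs))
    return out


def evaluate(dev, hid_allowlist):
    """Return policy findings for one device; an empty list means allow."""
    classes = {i.cls for i in dev.interfaces}
    hid = [i for i in dev.interfaces if i.cls == USB_CLASS_HID]
    findings = []
    # A stick that suddenly also types is the shape of a reflashed controller.
    # Some legitimate combo devices exist, which is why the allowlist follows.
    if hid and USB_CLASS_MASS_STORAGE in classes:
        findings.append("mass-storage device also claims a HID interface")
    for i in hid:
        kind = {HID_PROTO_KEYBOARD: "keyboard", HID_PROTO_MOUSE: "mouse"}.get(i.protocol, "hid")
        if (dev.vendor_id, dev.product_id) not in hid_allowlist:
            findings.append(f"{kind} interface on non-allowlisted device "
                            f"{dev.vendor_id:04x}:{dev.product_id:04x}")
    return findings


def scan(text, hid_allowlist):
    """Map each device's product string to its findings."""
    return {d.product: evaluate(d, hid_allowlist) for d in parse_sysfs_dump(text)}


# Constructed sample: a plain stick, an allowlisted keyboard, and a stick whose
# firmware was reflashed to add a boot-protocol keyboard interface while
# keeping the original vendor/product IDs.
SAMPLE_SYSFS = """
1-1/idVendor 1234
1-1/idProduct 0001
1-1/product Plain Stick
1-1:1.0/bInterfaceClass 08
1-1:1.0/bInterfaceSubClass 06
1-1:1.0/bInterfaceProtocol 50
1-2/idVendor 1234
1-2/idProduct 0002
1-2/product Office Keyboard
1-2:1.0/bInterfaceClass 03
1-2:1.0/bInterfaceSubClass 01
1-2:1.0/bInterfaceProtocol 01
1-3/idVendor 1234
1-3/idProduct 0001
1-3/product Reflashed Stick
1-3:1.0/bInterfaceClass 08
1-3:1.0/bInterfaceSubClass 06
1-3:1.0/bInterfaceProtocol 50
1-3:1.1/bInterfaceClass 03
1-3:1.1/bInterfaceSubClass 01
1-3:1.1/bInterfaceProtocol 01
"""

# Assumed allowlist: only the office keyboard may present HID interfaces.
HID_ALLOWLIST = {(0x1234, 0x0002)}

if __name__ == "__main__":
    for product, findings in scan(SAMPLE_SYSFS, HID_ALLOWLIST).items():
        print(product, "->", findings or "allow")
```

On Linux a verdict like this is enforced by writing `0` to the device's `authorized` attribute in sysfs before any driver binds, and by setting the hub's `authorized_default` to `0` so that new devices stay unauthorized until the check has run. The caveat a practitioner should keep in mind is that everything this check looks at is reported by the device's own firmware: a reflashed controller can just as easily copy the vendor and product IDs of an allowlisted keyboard, so descriptor-based filtering raises the bar but does not close the hole the article describes.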