Why the Security of USB Is Fundamentally Broken | Threat Level | WIRED

Computer users pass around USB sticks like silicon business cards. Why the Security of USB Is Fundamentally Broken http://www.wired.com/2014/07/usb-security/ article tells that we typically depend on antivirus scans and the occasional reformatting to keep our thumbdrives from becoming the carrier for the next digital epidemic. But the security problems with USB devices run deeper than you think: Their risk isn’t just in what they carry, it’s built into the core of how they work. The security of USB devices has long been fundamentally broken: USB firmware,(which exists in varying forms in all USB devices) can be reprogrammed to hide attack code and USB device can completely take over a PC. USB firmware on many USB devices could be reprogrammed by malware on that PC, converting an innocent device to attack tool. All this is nearly impossible to counter without banning the sharing of USB devices or filling your port with superglue. The short-term solution to BadUSB isn’t a technical patch so much as a fundamental change in how we use USB gadgets.



  1. Tomi Engdahl says:

    bad USBs are SCARY!! (build one with a Raspberry Pi Pico for $8)

  2. Tomi Engdahl says:

    FIN7 Uses Flash Drives to Spread Remote Access Trojan https://www.recordedfuture.com/fin7-flash-drives-spread-remote-access-trojan/
    Recorded Future analysts continue to monitor the activities of the
    FIN7 group as they adapt and expand their cybercrime operations.
    Gemini has conducted a more in-depth investigation into these types of attack after a Gemini source provided analysts with a file sketch_jul31a.ino, which was linked to FIN7s BadUSB attacks. The file had the extension (.INO), indicating it contained the source code for an Arduino sketch (the Arduino term for a program). BleepingComputer also recently released a public report on FIN7s use of the BadUSB attack method, outlining the activity around this type of attack.

  3. Tomi Engdahl says:

    RapidCharge™ Controllers Prevent Fast Charger Hacking

    Recent news stories report that some fast chargers designed with MCUs can be easily hacked. When users connect their devices to these fast chargers via the USB cable, hackers may be able to compromise the charger by sourcing more power than the device can safely handle, damaging or even destroying the device. Hackers can alter the firmware of fast charge devices in order to deliver extra voltage and damage connected equipment . . .

    Designers can try to add more code in the MCU to prevent hacker modifications, but only if the MCU has the option to be updated. Or, they can try to add overload protections in the devices for which the chargers are designed. These methods are hardly ideal.

    Hard-Wired State Machine Approach

    A simpler and lower cost approach is to design fast chargers and power supplies without MCUs and firmware, and instead use a hard-wired state machine approach.

    Fast chargers and power supplies designed with Dialog’s Rapid Charge™ controllers cannot be hacked, because they are hard-wired state machines, so there is no firmware that can be accessed and corrupted. And, with a hard-wired state machine, you won’t need to spend extra time and expense to harden firmware or add overload protections.

    BadPower attack corrupts fast chargers to melt or set your device on fire

    Attackers can alter the firmware of fast charger devices to deliver extra voltage and damage connected equipment.

  4. Tomi Engdahl says:

    5 things you didn’t know your USB Flash Drive could do!

    USB drives can be used for more than just moving files around.
    So before you throw out those old flash drives, check out the 5 epic things you can do with your Flash USB drives that you may not know about!

  5. Tomi Engdahl says:

    macOS will soon block unknown USB-C accessories by default
    A new security feature in Apple’s upcoming macOS 13 Ventura will automatically block new USB-C devices from communicating with the operating system until the accessory can be approved by the user.
    According to Apple’s description, the feature will be enabled by default and will require the user to approve a USB-C accessory before it can talk to the operating system essentially an on-screen pop-up asking the user for permission. Apple says this doesn’t apply to power adapters, standalone displays and connections to an approved hub and devices can still charge even if you don’t approve the accessory.
    Apple says that accessories that are already connected will automatically work when updating to the new macOS software.

  6. Tomi Engdahl says:

    The USBGuard software framework helps protect your Linux-based computer/laptop/desktop/server against rogue USB devices by implementing safelisting and denylisting capabilities. https://www.cyberciti.biz/security/how-to-protect-linux-against-rogue-usb-devices-using-usbguard/ give it a try

  7. Tomi Engdahl says:

    The CuVoodoo USB Bug Detector Safely Ferrets Out Those Sneaky Malicious O.MG Cables

    Designed to find malicious USB cables hiding hardware for remote access or data exfiltration, this cable tester is simplicity itself to use.

  8. Tomi Engdahl says:


    BadUSB Attack Prevention
    Some viruses modify the firmware of USB devices to trick the operating system into detecting the USB device as a keyboard. As a result, the virus may execute commands under your user account to download malware, for example.

    The BadUSB Attack Prevention component prevents infected USB devices emulating a keyboard from connecting to the computer.

  9. Tomi Engdahl says:


    A video for this product popped up in my Youtube suggestions today. It’s crazy what you can buy over the internet. It may look like a simple lightening or Micro USB cable, but there’s a full PC hidden in the connector. Plug the cable in and you have a keystroke injector, payload storage, a self destruct capability if discovered, keyboard logger, etc. Lots of stuff.

    Literally all you’d have to do is drop one in the parking lot of a target and odds are high that some sucker would pick it up and try to use it.


    (This is not an affiliate link).

  10. Tomi Engdahl says:

    So How Do You Make A Self-Destructing Flash Drive?

    A self-destructing storage device that vaporizes its contents at the first sign of trouble would be an invaluable tool for many people, but good luck getting your hands on such a thing if you don’t work for a three-letter agency. Or at least, that’s what we would have said before [Walker] got on the case. He’s working on an open source self-destructing USB flash drive for journalists, security researchers, whistleblowers, or anyone else who really values their privacy.

    But how exactly do you pull that off? Sure we’d love to see a small thermite charge or vial of acid packed in there, but obviously that’s not very practical. It needs to be safe to carry around, and just as importantly, unlikely to get you into even more trouble with whoever is searching through your belongings. To that end, [Walker] thinks he’s come up with an elegant solution.

    The datasheet for his flash memory chip says the maximum voltage it can handle before releasing the Magic Smoke is a meager 4.6 V. So he figures running a voltage doubler on the nominal 5 V coming from a USB port should disable the chip nicely with a minimum of external drama. Will it be enough to prevent the data from being recovered forensically? We don’t know, but we’re eager to find out.

    I’m Building a Self-Destructing USB Drive Part 2

    I’m building an open-source USB drive with a hidden self-destruct feature. Say goodbye to your data if you don’t lick your fingers before plugging it in.

  11. Tomi Engdahl says:


    Google recently made some videos to highlight cybersecurity. The video below is episode three, and it tells an interesting story about the first crash test dummy. However, the really interesting part is the story about a USB plasma globe built to hack into computers. One of the people who built that globe tells the story of its insides in a recent blog post that has a bit more technical detail.


    Luckily, there is a simple back channel to talk to the keyboard once you have a shell on the machine: the OS can instruct the keyboard to toggle its standard LEDs (Num Lock, Scroll Lock, Caps Lock). So, our secret protocol involved the host toggling Scroll Lock five times within one second. On Linux, it was as simple as xset led named ‘Scroll Lock’; on Windows, you had ActiveXObject(“WScript.Shell”).SendKeys(“{scrolllock}”). Either way, upon the receipt of this confirmation code, the plasma globe would set a bit in its EEPROM and go dormant forever… well, OK – until reflashed.

    It worked; the Google video tells the rest of the story (even though it gets some small details wrong). As for potential mitigations, see https://github.com/google/ukip

    EP003: Red Team | HACKING GOOGLE

  12. Tomi Engdahl says:

    How to protect Linux against rogue USB devices using USBGuard https://www.cyberciti.biz/security/how-to-protect-linux-against-rogue-usb-devices-using-usbguard/

    You deployed a perfect firewall and other network security policies preventing unauthorized access to the user’s desktop computer over a network. However, you still need to block USB device access. We can configure a Linux desktop security policy to protect your computer against rogue USB devices (a.k.a. BadUSB) by implementing essential allow and blocklisting capabilities based on device attributes. For instance, I can define what kind of USB devices are authorized and how a USB device interacts with the Linux system. For example, I can define policy allowing Yubikey with serial number “XYZ” and USB LTE modem with serial # “ABC.” Every other USB device access is denied by default.

    USBGuard only works on Linux, and the following tutorial will not work with other operating systems such as *BSD or macOS.

    We need to install USBGuard as follows as per your Linux distro version.

    Use the systemctl command to configure the usbguard service at boot time or restart it when you apply new policy.
    Use the lsusb command or usb-devices command for displaying information about USB buses in the system and the devices connected to them.
    Want a graphical summary of USB devices connected to the system? Try:
    sudo usbview
    Next cd into /etc/usbguard directory as the root user.
    The usbguard service reads its default and options from a file named /etc/usbguard/usbguard-daemon.conf

    Almost all Linux distros ship with no rules. Hence the file is empty. To generate a rule set (policy) that authorizes the currently connected USB devices, run:
    sudo usbguard generate-policy -X >/etc/usbguard/rules.conf

    The reject or block policy as the base policy is recommended because:

    It defined a permanent USBGuard policy that allows a specific USB device to interact with the Linux system.
    In other words, currently, connected devices are accepted, but USBGuard will block or reject any additional USB devices.

  13. Tomi Engdahl says:

    HackyPi Is a USB Dongle Designed to Teach Ethical Hacking
    HackyPi is a USB dongle designed for ethical hacking and it is on Kickstarter right now.

  14. Tomi Engdahl says:

    Vuonna 2000 esiteltiin laite, joka mullisti tieto­koneella tallentamisen – nyt se lähinnä naurattaa https://www.is.fi/digitoday/art-2000009320752.html

    Tietotekniikan kehitys käy ilmi esimerkiksi tallennustilan kasvua seuraamalla. Pysäyttävän todisteen antaa ensimmäinen usb-muisti.

  15. Tomi Engdahl says:

    PlugX malware hides on USB devices to infect new Windows hosts
    Security researchers have analyzed a variant of the PlugX malware that can hide malicious files on removable USB devices and then infect the Windows hosts they connect to.
    The malware uses what researchers call “a novel technique” that allows it to remain undetected for longer periods and could potentially spread to air-gapped systems.
    Hidding PlugX in USB drives
    PlugX is an old piece of malware that has been used since at least 2008, initially only by Chinese hacker groups – some of them continue to use it with digitally signed software to side-load encrypted payloads.
    Over time, however, it became so widespread that multiple actors adopted it in attacks, making attribution for its use a very challenging task.
    In the recent attacks that Unit 42 observed, the threat actor is using the 32-bit version of a Windows debugging tool named ‘x64dbg.exe’ along with a poisoned version of ‘x32bridge.dll,’ which loads the PlugX payload (x32bridge.dat).
    At the time of writing, most antivirus engines on the Virus Total scanning platform don’t flag the file as malicious, the detection rate being of just 9 out of 61 products.
    More recent samples of the PlugX malware are detected by even fewer antivirus engines on Virus Total.
    “To achieve code execution of the malware from the hidden directory, a Windows shortcut (.lnk) file is created on the root folder of the USB device,” Unit 42 says.
    “The shortcut path to the malware contains the Unicode whitespace character, which is a space that does not cause a line break but is not visible when viewed via Windows Explorer” – Palo Alto Networks Unit 42
    The malware creates a ‘desktop.ini’ file on the hidden directory to specify the LNK file icon on the root folder, making it appear as a USB drive to trick the victim. Meanwhile, a ‘RECYCLER.BIN’ subdirectory acts as a disguise, hosting copies of the malware on the USB device.
    The victim clicks on the shortcut file on the root folder of the USB device, which executes x32.exe via cmd.exe, resulting in the infection of the host with the PlugX malware.
    Simultaneously, a new Explorer window will open to show the user’s files on the USB device, making everything appear normal.
    After PlugX gets on the device, it continually monitors for new USB devices and attempts to infect them on discovery.
    While PlugX was typically associated with state-backed threat actors, the malware can be purchased on underground markets and cybercriminals have also used it.
    With the new development that makes it more difficult to detect and allows it to spread through removable drives, Unit 42 researchers say that PlugX has the potential to jump to air-gapped networks.

  16. Tomi Engdahl says:

    Self-Destructing USB Drive Releases The Magic Smoke

    There were some that doubted the day would ever come, but we’re happy to report that the ambitious self-destructing USB drive that security researcher [Walker] has been working on for the last 6+ months has finally stopped working. Which in this case, is a good thing.

    Readers may recall that the goal of the Ovrdrive project was to create a standard-looking flash drive that didn’t just hide or erase its contents when accessed by an unauthorized user, but actively damaged itself to try and prevent any forensic recovery of the data in question. To achieve this, [Walker] built a voltage doubler circuit into the drive that produces 10 volts from the nominal 5 VDC coming from the USB port. At the command of an onboard microcontroller, that 10 V is connected to the circuit’s 3.3 V rail to set off the fireworks.

    I Built a Self-Destructing USB Drive Part 3

  17. Tomi Engdahl says:

    “Journalist plugs in unknown USB drive mailed to him—it exploded in his face”

    Journalist plugs in unknown USB drive mailed to him—it exploded in his face
    Explosives replace malware as the scariest thing a USB stick may hide.

    It’s no secret that USB flash drives, as small and unremarkable as they may look, can be turned into agents of chaos. Over the years, we’ve seen them used to infiltrate an Iranian nuclear facility, infect critical control systems in US power plants, morph into programmable, undetectable attack platforms, and destroy attached computers with a surprise 220-volt electrical surge. Although these are just a few examples, they should be enough to preclude one from inserting a mysterious, unsolicited USB drive mailed to them into a computer. Unfortunately, one Ecuadorian journalist didn’t get the memos.

    As reported by the Agence France-Presse (via CBS News) on Tuesday, five Ecuadorian journalists have received USB drives in the mail from Quinsaloma. Each of the USB sticks was meant to explode when activated.

  18. Tomi Engdahl says:

    Is Your USB-C Dock Out To Hack You?

    In today’s installment of Betteridge’s law enforcement, here’s an evil USB-C dock proof-of-concept by [Lachlan Davidson] from [Aura Division]. We’ve seen malicious USB devices aplenty, from cables and chargers to flash drives and even suspicious USB fans. But a dock, however, is new. The gist is simple — you take a stock dock, find a Pi Zero W and wire it up to a USB 2.0 port tapped somewhere inside the dock. Finding a Pi Zero is unquestionably the hardest part in this endeavor — on the software side, everything is ready for you, just flash an SD card with a pre-cooked malicious image and go!

    On the surface level, this might seem like a cookie-cutter malicious USB attack. However, there’s a non-technical element to it; USB-C docks are becoming more and more popular, and with the unique level of convenience they provide, the “plug it in” temptation is much higher than with other devices. For instance, in shared workspaces, having a USB-C cable with charging and sometimes even a second monitor is becoming a norm. If you use USB-C day-to-day, the convenience of just plugging a USB-C cable into your laptop becomes too good to pass up on.

    The Threat on Your Desk: Building an Evil USB-C Dock

  19. Tomi Engdahl says:


    We’ve covered a lot of sketchy USB devices over the years. And surely you know by now, if you find a USB drive, don’t plug it in to your computer. There’s more that could go wrong than just a malicious executable. We’ve covered creative and destructive ideas here on Hackaday, from creative firmware to capacitors that fry a machine when plugged in. But what happened to a handful of Ecuadorian journalists was quite the surprise. These drives went out with a bang.

    That is, they literally exploded. The drives each reportedly contained a pellet of RDX, a popular explosive in use by militaries since the second World War. There have been five of these hyperactive USB devices located so far, and only one actually detonated. It seems that one only managed to trigger half of its RDX payload. Because of this, and the small overall size of a USB drive, the explosion was more comparable to a firecracker than a bomb.

    Of the other four, two more were plugged in, but failed to go off. One of which using a USB extension cable, which is reported to have lacked enough voltage under load to have triggered the payload.

    Yet another reporter …. might have set off the USB stick’s explosives if he had plugged it into the computer properly[.]

    So either these were the worst-designed bombs in the world, or a handful of journalists got incredibly lucky. The universal multi-flip process of trying to plug in a USB drive came in hand this time, it seems. But the proof-of-concept is out there, and it’s just a matter of time before someone clever packs a larger USB gizmo with something nasty. So if you’re something like a journalist, and you absolutely have to access untrusted USB drives, there’s yet another step to take to do so safely.

    On the Hackaday Discord, we discussed how one might go about this safely, and the conclusion was a machine without writable firmware, without internet access, and booted off either a DVD, or disposable SD card. A standalone Raspberry Pi might be great, if only we could get our hands on them. Oh, and apparently now the drive needs to be behind a blast shield, inside a fume hood, because who knows what’s going to happen when you power it on.



  20. Tomi Engdahl says:

    Why is Juice Jacking Suddenly Back in the News?
    The term juice jacking crept into the collective paranoia of gadget geeks in the summer of 2011, thanks to the headline for a story here about researchers at the DEFCON hacker convention in Vegas whod set up a mobile charging station designed to educate the unwary to the reality that many mobile devices connected to a computer would sync their data by default. Since then, Apple, Google and other mobile device makers have changed the way their hardware and software works so that their devices no longer automatically sync data when one plugs them into a computer with a USB charging cable. Instead, users are presented with a prompt asking if they wish to trust a connected computer before any data transfer can take place

  21. Tomi Engdahl says:

    Raspberry Robin: A global USB malware campaign providing access to ransomware operators https://blog.bushidotoken.net/2023/05/raspberry-robin-global-usb-malware.html
    Ever since it first appeared in late 2021, the Raspberry Robin malware campaign has been propagating globally. A number of threat intelligence reports by vendors such as RedCanary (who named it) and Microsoft (who track it as DEV-0856/Storm-0856) have covered the malware campaign in great detail. The main aim of this blog is to share with readers the summarized details, my thoughts and findings, and what it has been like tracking Raspberry Robin since it first emerged and continues to spread. It’s a fascinating campaign that has taught me a lot about emerging and advanced cybercriminal operations work. Additional IOCs and detection opportunities are available at the end of this blog

  22. Tomi Engdahl says:

    I wouldn’t give this cable to my worst enemy – O.MG Cable

    Kauhean tarkkoja laitespeksejä ei näy… Kehitystyökalut varmaan kertoisi tarkemmin. https://shop.hak5.org/products/omg-cable

  23. Tomi Engdahl says:


    Does a USB drive change weight as you add and remove data? It seems like a silly question, but apparently, it does — just not the way you might think. Since electrons have mass — all of 9.109×10−31 kg each — and flash memory works by storing charge, adding and removing data from a USB stick must change its weight. But interestingly, since flash memory removes the charge from the floating gate of the MOSFET to store a logical 1, that means that an empty flash drive (i.e., one storing nothing but zeros) must weigh more than a drive with nothing but ones. But by how much? Knowing that each bit in a flash memory cell holds somewhere around 100 to 1,000 electrons, a little back-of-the-envelope math shows us that a half-terabyte USB drive can vary by as much as 373 femtograms on the low end to 3.73 picograms at the upper limit. Actually measuring the weight change is left as an exercise for the reader.

    Does a USB drive get heavier as you store more files on it?

    Paradoxically, the more you save on a flash drive, the lighter it gets.

    Believe it or not, they get lighter. USB drives use Flash memory, which means the the ones and zeros of your data are stored on transistors.

    When you save data, a binary zero is set by charging the float gate of the transistor, and a binary one is set by removing the charge.

    To charge it, we add electrons, and the mass of each electron is 0.00000000000000000000000000091 grams.

    This means that an empty USB drive (which mostly holds zeros) weighs more than a full USB drive (which has ones and zeros). Add data, reduce the weight.

    However, you would need to weigh more USB drives than exist on the planet together at once before the difference in weight became easily measurable.

  24. Tomi Engdahl says:

    Diabolic Drive Stealthily Injects Keyboard Strokes While Being a Functional USB Drive
    And, an ESP8266 provides Wi-Fi access.

  25. Tomi Engdahl says:

    Wireless BadUSB With Flipper Zero’s Bluetooth — NO CABLES!

    Was feeling cute, so updated a custom firmware and badUSB-ed without a USB cable in sight. You?

  26. Tomi Engdahl says:

    Cheap USB Sniffer Has Wireshark Interface

    If you’ve done any development on USB hardware, you’ve probably wished you could peek at the bits and bytes as they pass through the data lines. Sometimes, it’s the only way to properly understand what’s going on. [ataradov]’s USB sniffer is built to do just that.

    To sniff high-speed USB communications, the device relies on a Lattice LCMXO2 FPGA and a Cypress CY7C68013A microcontroller, paired with a Microchip USB3343 USB PHY. This setup is capable of operating at data rates of up to 40-50 MB/s, more than enough to debug the vast majority of USB peripherals on the market.

    If you need this tool, spinning up your own is straightforward. Gerber files are available and the required components can be bought off the shelf. Once assembled, you can program the chips via USB, with no external hardware programmer required.


  27. Tomi Engdahl says:

    USB Drives Used as Trojan Horses By Camaro Dragon https://www.infosecurity-magazine.com/news/usb-trojan-camaro-dragon/

    New versions of Chinese espionage malware have been observed spreading rapidly through infected USB drives.

    The malicious software tools were discovered by Check Point Research (CPR) as part of an attack against a healthcare institution in Europe and described in an advisory published on Thursday.

    The Check Point Incident Response Team (CPIRT) investigated the malware attack and found that it was perpetrated by Camaro Dragon, a Chinese-based espionage threat actor also known as Mustang Panda and LuminousMoth.

  28. Tomi Engdahl says:

    Mobile PINs are a lot like passwords in that there are a number of very common ones, and has a clever proof of concept that uses a tiny microcontroller development board to emulate a keyboard to test the 20 most common unlock PINs on an Android device. The project is based on research analyzing the security of 4- and 6-digit smartphone PINs……


    Mobile PINs are a lot like passwords in that there are a number of very common ones, and [Mobile Hacker] has a clever proof of concept that uses a tiny microcontroller development board to emulate a keyboard to test the 20 most common unlock PINs on an Android device.


  29. Tomi Engdahl says:

    USB drive malware attacks spiking again in first half of 2023

    What’s old is new again, with researchers seeing a threefold increase in malware distributed through USB drives in the first half of 2023

    A new report by Mandiant outlines how two USB-delivered malware campaigns have been observed this year; one named ‘Sogu,’ attributed to a Chinese espionage threat group ‘TEMP.HEX,’ and another named ‘Snowydrive,’ attributed to UNC4698, which targets oil and gas firms in Asia.

  30. Tomi Engdahl says:

    The Spies Who Loved You: Infected USB Drives to Steal Secrets https://www.mandiant.com/resources/blog/infected-usb-steal-secrets

    In the first half of 2023, Mandiant Managed Defense has observed a threefold increase in the number of attacks using infected USB drives to steal secrets.
    Mandiant tracked all of the cases and found that the majority of the incidents could be attributed to several active USB-based operation campaigns affecting both the public and private sectors globally.

    Previously, we covered one of the campaigns that leverages USB flash drives as an initial infection vector and concentrates on the Philippines. In this blog post, we are covering two additional USB-based cyber espionage campaigns that have been observed by Managed Defense

  31. Tomi Engdahl says:

    New TetrisPhantom hackers steal data from secure USB drives on govt systems https://www.bleepingcomputer.com/news/security/new-tetrisphantom-hackers-steal-data-from-secure-usb-drives-on-govt-systems/

    A new sophisticated threat tracked as ‘TetrisPhantom’ has been using compromised secure USB drives to target government systems in the Asia-Pacific region.

    Secure USB drives store files in an encrypted part of the device and are used to safely transfer data between systems, including those in an air-gapped environment. Access to the protected partition is possible through custom software that decrypts the contents based on a user-provided password. One such software is UTetris.exe, which is bundled on an unencrypted part of the USB drive.

  32. Tomi Engdahl says:

    Microsoft used a ‘USB Cart of Death’ to debug early Windows PCs — the crash cart had 60 daisy-chained USB devices that would often trigger BSODs
    By Mark Tyson last updated 3 days ago
    “Is it the tea trolley? No, it’s the USB Cart of Death!”


Leave a Comment

Your email address will not be published. Required fields are marked *