Researchers: Avoid Using USB Flash Drives

Brandon Dimmel's picture

A new report suggests that most USB flash drives (also known as thumb drives) have a critical security weakness that allows them to be reconfigured, giving hackers an opportunity to silently infect targeted computer systems with malware.

The report comes from Germany's Security Research Labs, which says that most companies making USB flash drives fail to protect the firmware installed on their devices. That means attackers could easily hack and replace the firmware with a malicious version of the firmware, which is then capable of delivering a payload onto a victim's PC - usually with more malware.

The report goes on to say that malicious firmware could be programmed to deliver payloads capable of infecting other USB devices inserted into an infected machine, allowing both the malicious firmware and other forms of malware to spread to other PCs. (Source:

USB Flash Drive Malware Tough to Detect

In the most simplest sense, firmware is special software that controls a device (such as a USB flash drive, digital camera, or TV remote, etc). Typically, firmware for such devices are not in direct contact with the computer's operating system (Windows), which is why this type of attack is particularly stealthy.

As such, most antivirus programs will not be able to detect the malicious firmware, meaning that the victim won't be alerted to the problem. The researchers note that the malware can even be programmed to emulate a system's keyboard, allowing it to simulate button presses, and potentially elevate security permissions.

Security Research Labs plans to discuss its report in greater detail at this week's Black Hat security conference in Las Vegas, Nevada. "This talk introduces a new form of malware that operates from controller chips inside USB devices," Security Research Labs notes on the Black Hat website. "We [will] demonstrate a full system compromise from USB and a self-replicating USB virus [that is] not detectable with current defenses." (Source:

Safer Flash Drives a Long Ways Off

Unfortunately, it's not likely that USB devices will become safer to use in the near future. Security Research Labs chief scientist Karsten Nohl says it could be years before a more secure USB specification can be implemented, and even then, the old (and vulnerable) devices will be ubiquitous. (Source:

In the meantime, Nohl suggests using SD (Secure Digital) memory cards, which are typically used with cellphones or digital cameras. SD cards are more difficult to hack, and therefore should be used in place of USB flash drives when transporting and sharing files with multiple machines.

What's Your Opinion?

Are you leery about inserting strange USB flash drives in your system? Has your computer ever been infected by malware placed on a USB flash drive? What other methods do you use to share files with friends?

Rate this article: 
Average: 4.4 (7 votes)


gilh's picture

I'm putting my thumb drives away.

What about the cavaet
"most companies making USB flash drives fail to protect the firmware installed on their devices."?
Will we hear about some that do a reasonable job of protection?

DavidFB's picture

So who is reporting problems with this infection vector? This is not a real world threat.
This is just a potential vector thats been identified by researchers. It is presently theoretical. The infection requires access to the hardware. AV companies, if concerned about it, would (or will) add checking of USB firmware to their routines.

Flash drives are little different from the old floppies. A mobile way to move data and also infections. Thus appropriate caution should be taken.

Once again, an article that amounts to tech gossip, placed out of context. Infopackets has really gone down hill.

tcole_2974's picture

I have always said that all flash drives should have a write-protect switch. Not only would this go a long way toward preventing unauthorized firmware upgrades, but it would prevent the drive being infected by ordinary malware. If I have a known good copy of a file and can take it to another PC, I can transfer that file without being concerned that something on the client's PC is going to infect my flash drive.
In all the years I have been in business I have only owned one drive with a write-protect switch. It was a cheap 32 MB drive so I know the technology isn't cost prohibitive.

ronangel's picture

There is one thing I would like to see on modern usb drives that was on the old lower capacity types which is as on SD cards the write protect switch preventing anything being written to your drive when used with shared computers to transfer but not receive files.
An SD card can be used the same way as a usb drive without external interface on computer that have a reader built in. as above write protect switch on to prevent any transfer to your card when using to transfer pictures or files to unknown or shared computer.
This will not prevent hardware based pre programmed infections but prevent a lot of normal software nasty's being transferred to you, and not having to format your usb drive or SD card every time you return home.