Don’t buy USB gadgets this holiday season

My wife just told me about someone in her company who bought USB-powered hand-warming gloves. I cringed.

I am insanely suspicious of all USB-powered devices. I won’t let them near my computer. Why?

BadUSB, that’s why.

There’s a fun new exploit loose in the world. Some smart folks have figured out that there’s a re-writable chip inside millions (billions?) of cheap, USB devices. The devices can be re-written to do … just about anything.

Ripping from yesterday’s headlines, here’s a reddit story regarding a system administrator who tracked down a data breach to a USB-powered e-cigarette charger.

Imagine a device that behaves like a USB thumb drive one minute, then when you walk away and the computer is idle, becomes a completely different device capable of rummaging around inside all your files?

Maybe the device causes the PC to reboot, and then boots off a hidden partition on the thumb drive in order to truly ransack your PC’s contents, sending the found data off to who-knows-where.

Maybe it infects your PC with a virus that encrypts every file on your computer and ransoms you for the decryption keys. Crazy? Not at all. It’s probably happening to someone right now.

For many years, extremely security-conscious companies have had their IT staff fill in USB ports with glue guns, or disable the USB devices entirely. They used to look like crazy tinfoil hat people. Not anymore.

Bottom line, be aware and be wary of USB drives handed to you. USB sticks have been a great way to share files in the past. But with this new exploit in the wild, you should no longer trust USBs of unknown origin.