Important News about Newly Found USB Flaw

Here is our take on a newly found potential flaw in some USB devices which presents a distant but possible threat to your system:

http://www.wired.com/2014/07/usb-security/ (Article with heated discussion about if this is a serious risk or not).

https://srlabs.de/badusb/ (Seems to be the original research).

Essentially there is a flaw in some USB devices which mean the firmware in them can become changed to run malicious code.

Until this newly found flaw is fixed (it may never be, or might take 20 years for such devices to be phased out as USB is so successful a technology), our advice is to consider this: never allow anybody on your network to plug in a USB stick that has not been supplied by you as an employer or us as a supplier.

This means we recommend against any person (be they visitors, staff or contractors) being allowed to introduce their own USB devices onto the network.

This would also apply, for example,  to USB sticks which have been given to you by suppliers, customers or colleagues. You should also avoid giving your own USB devices to other individuals (at least if you plan to have them back) because (all though this appears to be a very rare possibility) one assumes that now this is in the public domain, the bad guys will jump on it as soon as they can and it could spread over time. I’d guess that this will either die a death or will be start to be a commonplace issue within a year or two.

Please do let us know if you want to take action, such as disabling USB ports on your systems either at the hardware level or as part of Windows security.