New dangers of thumb drives

We’ve known for years that careless use of thumb drives (USB storage devices) is dangerous. Windows in particular has a bad habit of automatically running programs on thumb drives when they are plugged in.

Now researchers have found a new way to infect USB devices: not the files they contain, but the firmware that controls how they operate. All USB devices contain firmware, and while it’s not normally accessible to users, the firmware can be modified by anyone with the requisite skills and knowledge.

The researchers developed proof-of-concept malware called BadUSB. A USB device infected with BadUSB can be configured to do just about anything to a computer to which it’s connected, from redirecting network traffic to modifying files.

It remains to be seen just how easy it is for BadUSB – or any other malware that uses this technique – to spread. USB device firmware varies between brands and device types, which might necessitate infection code that’s specific to each type of device.

For now, while the researchers have created working malware that exploits this new technique, real-world exploits are likely months away, if they indeed ever appear.

Ars Technica has more, as does Wired.

About jrivett

Jeff Rivett has worked with and written about computers since the early 1980s. His first computer was an Apple II+, built by his father and heavily customized. Jeff's writing appeared in Computist Magazine in the 1980s, and he created and sold a game utility (Ultimaker 2, reviewed in the December 1983 Washington Apple Pi Journal) to international markets during the same period. Proceeds from writing, software sales, and contract programming gigs paid his way through university, earning him a Bachelor of Science (Computer Science) degree at UWO. Jeff went on to work as a programmer, sysadmin, and manager in various industries. There's more on the About page, and on the Jeff Rivett Consulting site.
