Most USB devices can have their firmware updated by software. Hackers have found ways to modify the USB firmware to make the USB device (yeah, not just thumb drives, it could be anything) malicious. For example, say a buddy has malware on his PC and plugs your USB stick into it. The malware modifies the stick's firmware, but you can't tell; it still just looks like a USB stick. You take your USB stick home and use it without issues. Then you reboot with the USB stick still plugged in. The malware on the stick sees that your system is powering on (no OS yet) and changes itself from just a USB stick to a bootable USB stick. The malware boots before the OS, so you now have a rootkit on your system.
They haven't released a proof of concept yet, but now that people know it's possible, it's going to be interesting to see what comes of it.
For more information, go to: http://arstechnica.com/security/2014/07/this-thumbdrive-hacks-computers-badusb-exploit-makes-devices-turn-evil/