How can empty USB sticks contain malware?

I'm afraid this stems from a misunderstanding from the reporter:

... said a device that appeared to be empty could still contain a virus.

In the video the reporter's referring to it is clear, in fact, in the first two minutes Karsen says he's NOT talking about viruses. He then goes on to demonstrate, on screen, that the seemingly empty USB device is changing itself into a different device (e.g. emulating storage as well as a keyboard and playing keystrokes), as was alluded to in my previous answer (below), but I had not at the time reviewed the full resource to establish it as conclusive evidence.

So there you have it, the author somehow misunderstood the video presentation, and BBC published it...

---

How can "empty" USB sticks contain malware?

This question doesn't form a clear picture.

Firstly we must define "empty".

• Do you mean unformatted? If this is the case, can we just erase the first sector to unformat a storage device, leaving the rest of the bytes intact? Could there be viral code in those unerased, yet technically unformatted bytes?
• Do you mean looks empty when inserted? There have been numerous tricks for hiding files in the past, such as storing them in the recycling bin, using the 'hidden' or 'system file' attribute, using NTFS streams or even unsupported partitions. Delving further down the rabbit hole, is the drive empty but encrypted? A flaw in a major cryptographic library (we've seen those quite a lot recently) could expose the system to covert side-channel attacks, even from a seemingly empty device... Additionally, some USB sticks are bootable (on some systems; we'll get to that later), implying that you might be able to write a boot sector virus to infect them. Boot sector viruses don't really care what OS is installed, since they execute before the OS boots anyway... This leads me to your next question:

Is this only a problem for (legacy) Windows systems?

No. We should consider what constitutes "malware". It's possible for an arbitrary sequence of bytes to be considered malware because it causes damage to one system (e.g. x86/x64 machine code on an x86/x64 prcessor) but not another (e.g. the same bytecode on an ARM/SPARC). To answer this question, we only have to find (or design) a system that decodes the arbitrary sequence as malware, even though it previously wasn't.

Is there some way to use these sticks while protecting yourself?

No. Finally, consider the definition of USB stick. Is it possible that, instead of plugging in a storage device, you might be plugging in some kind of electronic bug, such as a wireless keyboard adapter or a USB thumb killer. Such devices themselves don't really constitute malware, either because they're not software or they weren't designed to be malicious... though they could nonetheless be security risks. It might also be possible for a device to access memory (e.g. by appearing as a charger for your mobile phone and then stealing all of your photos, videos, etc using the data line or a covert wifi network).

Don't insert untrusted USB devices. Period. They might not contain malware, but that isn't the only danger... especially in this day and age where competition, electronic sabotage & surveillance are all the rage.

You can hack the firmware of a USB device. With that you can tell the OS whatever you want, eg. the device is empty even it is not. Or attack the USB software stack of the OS by sending data that a normal USB device would not send (so the device could even really be empty, the attack comes from the firmware).

You can also do other funny stuff, like tell the OS that the USB device is also a keyboard, then automatically type commands that do something if it is plugged in. Or tell the OS the USB device is a network card, and redirect all traffic to a server you control.

Endless fun with hacked USB firmwares...

USB works like this, AFAIK, note where lies could lead the system astray.

1. Computer supplies +5V and GND to USB device.
2. Microcontroller in the USB device runs and transmits USB-speak for "This is a type X device" (X is disk, camera, keyboard, mouse, or any device registered with the USB Consortium).
3. Computer takes "appropriate" action.

Consider USB devices with subverted (reprogrammed) microcontroller...

Computer: +5V, GND
Microcontroller: I am a keyboard.
Computer: OK
Microcontroller: "FORMAT C:" ENTER "Y" ENTER

(Dilbert reference)

Search for the "BadUSB" vulnerability for details.

There is now a GoodUSB gadget: http://hackaday.com/2017/03/02/good-usb-protecting-your-ports-with-two-microcontrollers/