
Why the Security of USB Is Fundamentally Broken


securitybreach
Computer users pass around USB sticks like silicon business cards. Although we know they often carry malware infections, we depend on antivirus scans and the occasional reformatting to keep our thumbdrives from becoming the carrier for the next digital epidemic. But the security problems with USB devices run deeper than you think: Their risk isn't just in what they carry, it's built into the core of how they work.

 

That's the takeaway from findings security researchers Karsten Nohl and Jakob Lell plan to present next week, demonstrating a collection of proof-of-concept malicious software that highlights how the security of USB devices has long been fundamentally broken. The malware they created, called BadUSB, can be installed on a USB device to completely take over a PC, invisibly alter files installed from the memory stick, or even redirect the user's internet traffic. Because BadUSB resides not in the flash memory storage of USB devices, but in the firmware that controls their basic functions, the attack code can remain hidden long after the contents of the device's memory would appear to the average user to be deleted. And the two researchers say there's no easy fix: The kind of compromise they're demonstrating is nearly impossible to counter without banning the sharing of USB devices or filling your port with superglue.

 

"These problems can't be patched," says Nohl, who will join Lell in presenting the research at the Black Hat security conference in Las Vegas. "We're exploiting the very way that USB is designed."............

 

The problem isn't limited to thumb drives. All manner of USB devices from keyboards and mice to smartphones have firmware that can be reprogrammed. In addition to USB memory sticks, Nohl and Lell say they've also tested their attack on an Android handset plugged into a PC. And once a BadUSB-infected device is connected to a computer, Nohl and Lell describe a grab bag of evil tricks it can play.

 

http://www.wired.com...7/usb-security/


securitybreach
To avoid the attack, all you have to do is not connect your USB device to computers you don’t own or don’t have good reason to trust—and don’t plug untrusted USB devices into your own computer.

Cluttermagnet

Pretty scary all right. This is really getting out there- I first learned of this in a Yahoo article.

Gives one pause. Really need to rethink things...

 

BTW aluminum foil is not tinfoil..... B)

 

Have to make do with aluminum. Tin foil is real hard to get hold of these days.

Both are good RF shields. But tin probably shields against bad vibes much better...

:whistling:

Edited by Cluttermagnet

Guest LilBambi

The thing that scares me is that there are many technicians that don't want to do the inconvenient thing by burning a CD/DVD with the tools needed to clean an infected computer. They just use the USB.

 

To me that has always not made any sense. It is worth the time to burn a CD/DVD if you are needing to clean an infected computer.

 

 

“These problems can’t be patched,” says Nohl, who will join Lell in presenting the research at the Black Hat security conference in Las Vegas. “We’re exploiting the very way that USB is designed.”

 

‘IN THIS NEW WAY OF THINKING, YOU HAVE TO CONSIDER A USB INFECTED AND THROW IT AWAY AS SOON AS IT TOUCHES A NON-TRUSTED COMPUTER.’


Guest LilBambi

Another really scary thing is they teach kids to use USB drives like they did floppies for their documents.

 

 

Years ago, I told the story of how I got into malware fighting. My elder daughter needed to take a document to school to print it on their laser printer (at that time we only had a dot matrix printer -- should tell you how long ago this was. ;) ).

 

She was told not to turn off the write protect to protect the floppy. Just print and bring it home.

 

Despite that, I told her to put the floppy on my chair when she brought it home. She did not. She put it in the computer and I didn't realize it and turned on the computer and lost my Windows system to a boot sector virus that prevented it from booting. When I realized what happened, I queried her about the disk and why she took the write protect off. She didn't realize I would know. The reason I didn't trust it was I had heard of school networks/computers being heavily infected during that time.

 

I lost everything. And had to start all over.

 

Hopefully that has changed, but since they encourage using USB devices, I doubt it.

Edited by LilBambi
Link to comment
Share on other sites

I've been doing some research on the topic......

 

The original posting about this that everyone is yelling about leaves out one important detail.....

 

This was a particular firmware chip that was found to be vulnerable. It was one chip, from one vendor. Supposedly, other chips from other vendors could be found to be vulnerable, but that has not happened yet.

 

Using certificates and SSL will prevent this from being an issue on infected hardware. We simply have not secured the USB protocol in any conceivable way. If we do, the data channel can then be trusted. It would probably also help stop things like the Rubber Ducky USB stick (Google it, I will not link it here).

 

The reporting on this has been irresponsible, to say the least.

 

Adam


Guest LilBambi

Yes, excellent Adam!

 

It could be much more but only one was tested.

 

The real problem comes in when people don't really know what chip is on their USB device.

 

Also, USB drives are not the only thing that have this potential; keyboards and mice can also have their firmware downgraded to be malicious.


Guest LilBambi

Here's the article from the developers/researchers (in English) that will be reporting on this at BlackHat 2014.

 

Turning USB peripherals into BadUSB

 

Reprogramming USB peripherals. To turn one device type into another, USB controller chips in peripherals need to be reprogrammed. Very widely spread USB controller chips, including those in thumb drives, have no protection from such reprogramming.

BadUSB – Turning devices evil. Once reprogrammed, benign devices can turn malicious in many ways, including:

  1. A device can emulate a keyboard and issue commands on behalf of the logged-in user, for example to exfiltrate files or install malware. Such malware, in turn, can infect the controller chips of other USB devices connected to the computer.
  2. The device can also spoof a network card and change the computer’s DNS setting to redirect traffic.
  3. A modified thumb drive or external hard disk can – when it detects that the computer is starting up – boot a small virus, which infects the computer’s operating system prior to boot.

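A defensive check for items 1 and 2 of the list quoted in the post above, added here as an example (it is not from the post or from the researchers): on Linux, record which interface classes each USB device exposes and flag a known storage device that later presents a keyboard or network interface. The function names `read_sysfs` and `audit` and the sample device IDs are assumptions made for illustration.

```python
from pathlib import Path

HID, CDC, MASS_STORAGE, CDC_DATA, WIRELESS = 0x03, 0x02, 0x08, 0x0A, 0xE0
NETWORK = {CDC, CDC_DATA, WIRELESS}   # classes commonly used by USB network adapters
BOOT_KEYBOARD = (HID, 0x01, 0x01)     # HID class, boot subclass, keyboard protocol

def read_sysfs(root="/sys/bus/usb/devices"):
    """Map 'vid:pid:serial' -> set of (class, subclass, protocol), one per interface."""
    def attr(path, name, default):
        f = path / name
        return f.read_text().strip() if f.is_file() else default

    devices = {}
    for iface in Path(root).glob("*:*"):              # interface dirs, e.g. 1-2:1.0
        dev = iface.parent / iface.name.split(":")[0]  # owning device dir, e.g. 1-2
        key = ":".join(attr(dev, n, "-") for n in ("idVendor", "idProduct", "serial"))
        triple = tuple(int(attr(iface, n, "0"), 16) for n in
                       ("bInterfaceClass", "bInterfaceSubClass", "bInterfaceProtocol"))
        devices.setdefault(key, set()).add(triple)
    return devices

def audit(baseline, current):
    """Return sorted (device, reason) findings for the current inventory."""
    findings = []
    for key, ifaces in current.items():
        known = baseline.get(key)
        added = ifaces - known if known is not None else set()
        classes = {c for c, _, _ in ifaces}
        if BOOT_KEYBOARD in added:
            findings.append((key, "keyboard interface added since baseline"))
        if any(c in NETWORK for c, _, _ in added):
            findings.append((key, "network interface added since baseline"))
        if known is None and MASS_STORAGE in classes and BOOT_KEYBOARD in ifaces:
            findings.append((key, "unknown device is both storage and keyboard"))
    return sorted(findings)

# Constructed sample inventories (not captured from real hardware).
BASELINE = {"abcd:0001:SN1": {(MASS_STORAGE, 0x06, 0x50)},
            "abcd:0002:SN2": {(MASS_STORAGE, 0x06, 0x50)}}
CURRENT = {"abcd:0001:SN1": {(MASS_STORAGE, 0x06, 0x50), BOOT_KEYBOARD},
           "abcd:0002:SN2": {(CDC, 0x02, 0xFF), (CDC_DATA, 0x00, 0x00)},
           "abcd:0003:SN3": {(MASS_STORAGE, 0x06, 0x50), BOOT_KEYBOARD}}

if __name__ == "__main__":
    for device, reason in audit(BASELINE, CURRENT):
        print(device, reason)
```

The descriptors, including the serial number, are reported by the device itself, so this catches a device that changes type between uses, not one that presents the same malicious interfaces from the first time it is plugged in.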

Guest LilBambi

Yes, that would be true, *if* other firmware were found to have vulnerabilities.

 

In any case, much ado about something that really has been known for some time......

 

This from IEEE has been published for 9 years- http://ieeexplore.ie...rnumber=1392705

 

Discussion on Reddit.... http://www.reddit.co.../2c9otm/badusb/

 

Adam

 

NOTE: Anyone reading the IEEE link; be advised this is a PDF document.

 

Great info for sure. But the information isn't fully available until after BlackHat 2014.

 

Mostly speculation until then.

Edited by LilBambi
Link to comment
Share on other sites

Yep, and all this hinges on the ability to compromise the chip. If the chip cannot or is not easily compromised, it's not going to be able to be used in this type of an attack.


Guest LilBambi

There is still very much up in the air.

 

We need to keep our ears/eyes/minds open.

 

This is not the first time this type of situation with USB devices in general has come up in the past. It may just be another vector of a growing problem.


Guest LilBambi

Also another possibility is that like old BIOS (I mean REALLY OLD BIOS chips) that could not be flashed, there were old USB Flash drives, USB external hard drives and other devices like keyboards and mice, etc. that could not be flashed.

 

But that has almost universally changed. Now all their chipsets can be flashed over the Internet, or the new firmware downloaded and flashed locally on the computer.

 

 

And not to downplay something that could very well be important.

 

We may well have to wait till after the BlackHat 2014 to know for sure.

 

If nothing else, we should all be keeping our eyes open for the BlackHat 2014 conference where we will be given more information.


securitybreach

@Adam thanks for mentioning RubberDucky, I didn't know about them and they sound dangerous.

"If it quacks like a keyboard......." :D

 

Nah, it's from the guys/gals at Hak5. They have tons of Linux tutorials and have been around since 2005 or so. http://hak5.org/?s=linux

Link to comment
Share on other sites

#1: This is not new, as was mentioned above. Just go to Hak5 and look for RubberDucky.

#2: There is no such thing as a vulnerability that will affect all USB devices. USB devices are micro-computers; it would be like saying there was a vulnerability that would affect all PC BIOS's.

#3: Even if the vulnerability is doable on one firmware, you would need someone to do so and then get it plugged into another PC. So, yeah, if a stranger gives you a USB device or you buy a used one you would look up to see if the firmware is the vulnerable one AND if the device has a write enabled ROM.

 

Finally, I do not think it does good to do chicken-little routines on pre publicity on papers for BlackHat conventions. Def-Con? okay, take those a little more seriously, but only a little. Wait for the official release of the materials. (kudos to Adam for "keeping it real")


  • 2 weeks later...
Cluttermagnet

Here's what Leo has to say...

 

http://askleo.com/is...=JUpFRDfptJdfbL

 

Thanks, Eric. Good, short read. A lot of common sense in that article.

 

I sense a coming market opportunity- electronic devices sold as flash drive sanitizers "If a virus was there, we guarantee it ain't after our device is through with it..."

 

You're welcome.
