Endpoint

8/7/2014
02:40 PM
50%
50%

When Good USB Devices Go Bad

Researchers offer more details about how USB devices can be leveraged in attacks.

BLACK HAT USA — Las Vegas — In a perfect world, that USB device you insert into your computer can be completely trusted. But the real world is this:  Reprogramming can turn a USB device into a weapon.

Security researchers Karsten Nohl and Jakob Lell demonstrated here at Black Hat USA today what they called "BadUSB." They reverse-engineered and patched the USB firmware in less than two months, and once reprogrammed, the USB can be transformed into a malicious vehicle to compromise a network.

The implications of the attack are significant. For example, a device could be made to emulate a keyboard and issue commands on behalf of the logged-in user to steal files or install malware. It could also boot a small virus prior to the operating system booting up, or be made to spoof a network card and change the computer's DNS setting to redirect traffic.

Nohl and Lell demonstrated multiple attacks, including one showing how a Google Android phone plugged into a computer could be used to essentially intercept all of that computer's web traffic.

There isn't much in the way of defense against the attack, Nohl said. Malware scanners cannot access the firmware running on the devices, and USB firewalls that block certain device classes do not yet exist. In addition, detecting BadUSB based on behavioral detection is difficult because when it changes it persona it looks like the user has plugged in a new device.

Cleaning up after an attack is difficult because reinstalling the operating system does not address the issue, the researchers said in a summary of their findings The USB thumb drive, from which the operating system is reinstalled, may already be infected, as may the hardwired webcam or other USB components inside the computer. A BadUSB device could also replace the computer's BIOS by emulating a keyboard and unlocking a hidden file on the USB thumb drive.

Finding a solution is tricky. Whitelisting USB devices is an incomplete answer, Nohl explained, since not all USB devices have unique serial numbers and operating systems don't have effective whitelisting mechanisms for USBs yet. Malware scans come up short because malicious firmware can spoof legitimate firmware, and firmware can typically only be read back with the help of that firmware, he said.

"Attacks using USB flash drives are nothing new -- Stuxnet is an example of a USB-delivered virus which targeted a nuclear power plant in Iran -- what has changed with BadUSB is the level of sophistication," Ken Jones, vice president of engineering and product management Imation Mobile Security, said in a statement. "It modifies the controller firmware on the device hardware, not the data stored on the device. The infected device can then pass on that infection whether or not there is any data stored on the USB."

Preventing BadUSB from infecting a device requires that the controller firmware is locked down and not changeable by an unauthorized agent, he adds.

"In order to block BadUSB, USB storage devices need to prevent a hacker from reading or changing the firmware and ensure that the firmware is digitally signed so if it did get modified, the secure device will not operate with the modified firmware," he explained. "FIPS 140-2 Level 3 certification is validation of these benchmark mechanisms. Secure USB drives have always been an important tool for protecting and securing enterprise data. Now those same mechanisms are paramount for protecting the integrity of the USB devices themselves."

The BadUSB Black Hat presentation can be seen here.

Brian Prince is a freelance writer for a number of IT security-focused publications. Prior to becoming a freelance reporter, he worked at eWEEK for five years covering not only security, but also a variety of other subjects in the tech industry. Before that, he worked as a ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
relmasian
50%
50%
relmasian,
User Rank: Apprentice
8/8/2014 | 8:20:15 PM
Temporary Defense
Malicious USB attacks are in difficult, and a real long term solution will take time and, most probably, changes in architecture of computers and networks.  However, let me offer two short term defenses.

1.   First store copies of all known attack points.  Then check the real drivers after USB devices are used.  Restore any that have changed while warning users and administators of potential compromise.

and/or 2.   Run a virtual machine that reinitializes all known attackpoints after USB devices are used.
High Stress Levels Impacting CISOs Physically, Mentally
Jai Vijayan, Freelance writer,  2/14/2019
Valentine's Emails Laced with Gandcrab Ransomware
Kelly Sheridan, Staff Editor, Dark Reading,  2/14/2019
Making the Case for a Cybersecurity Moon Shot
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  2/19/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-15380
PUBLISHED: 2019-02-20
A vulnerability in the cluster service manager of Cisco HyperFlex Software could allow an unauthenticated, adjacent attacker to execute commands as the root user. The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by connecting to the cluster serv...
CVE-2019-3474
PUBLISHED: 2019-02-20
A path traversal vulnerability in the web application component of Micro Focus Filr 3.x allows a remote attacker authenticated as a low privilege user to download arbitrary files from the Filr server. This vulnerability affects all versions of Filr 3.x prior to Security Update 6.
CVE-2019-3475
PUBLISHED: 2019-02-20
A local privilege escalation vulnerability in the famtd component of Micro Focus Filr 3.0 allows a local attacker authenticated as a low privilege user to escalate to root. This vulnerability affects all versions of Filr 3.x prior to Security Update 6.
CVE-2019-10030
PUBLISHED: 2019-02-20
A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.52 and earlier in RejectASTTransformsCustomizer.java that allows attackers with Overall/Read permission to provide a Groovy script to an HTTP endpoint that can result in arbitrary code execution on the Jenkins master JVM.
CVE-2019-10030
PUBLISHED: 2019-02-20
A exposure of sensitive information vulnerability exists in Jenkins Cloud Foundry Plugin 2.3.1 and earlier in AbstractCloudFoundryPushDescriptor.java that allows attackers with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through anoth...