Endpoint
8/7/2014
02:40 PM
50%
50%

When Good USB Devices Go Bad

Researchers offer more details about how USB devices can be leveraged in attacks.

BLACK HAT USA — Las Vegas — In a perfect world, that USB device you insert into your computer can be completely trusted. But the real world is this:  Reprogramming can turn a USB device into a weapon.

Security researchers Karsten Nohl and Jakob Lell demonstrated here at Black Hat USA today what they called "BadUSB." They reverse-engineered and patched the USB firmware in less than two months, and once reprogrammed, the USB can be transformed into a malicious vehicle to compromise a network.

The implications of the attack are significant. For example, a device could be made to emulate a keyboard and issue commands on behalf of the logged-in user to steal files or install malware. It could also boot a small virus prior to the operating system booting up, or be made to spoof a network card and change the computer's DNS setting to redirect traffic.

Nohl and Lell demonstrated multiple attacks, including one showing how a Google Android phone plugged into a computer could be used to essentially intercept all of that computer's web traffic.

There isn't much in the way of defense against the attack, Nohl said. Malware scanners cannot access the firmware running on the devices, and USB firewalls that block certain device classes do not yet exist. In addition, detecting BadUSB based on behavioral detection is difficult because when it changes it persona it looks like the user has plugged in a new device.

Cleaning up after an attack is difficult because reinstalling the operating system does not address the issue, the researchers said in a summary of their findings The USB thumb drive, from which the operating system is reinstalled, may already be infected, as may the hardwired webcam or other USB components inside the computer. A BadUSB device could also replace the computer's BIOS by emulating a keyboard and unlocking a hidden file on the USB thumb drive.

Finding a solution is tricky. Whitelisting USB devices is an incomplete answer, Nohl explained, since not all USB devices have unique serial numbers and operating systems don't have effective whitelisting mechanisms for USBs yet. Malware scans come up short because malicious firmware can spoof legitimate firmware, and firmware can typically only be read back with the help of that firmware, he said.

"Attacks using USB flash drives are nothing new -- Stuxnet is an example of a USB-delivered virus which targeted a nuclear power plant in Iran -- what has changed with BadUSB is the level of sophistication," Ken Jones, vice president of engineering and product management Imation Mobile Security, said in a statement. "It modifies the controller firmware on the device hardware, not the data stored on the device. The infected device can then pass on that infection whether or not there is any data stored on the USB."

Preventing BadUSB from infecting a device requires that the controller firmware is locked down and not changeable by an unauthorized agent, he adds.

"In order to block BadUSB, USB storage devices need to prevent a hacker from reading or changing the firmware and ensure that the firmware is digitally signed so if it did get modified, the secure device will not operate with the modified firmware," he explained. "FIPS 140-2 Level 3 certification is validation of these benchmark mechanisms. Secure USB drives have always been an important tool for protecting and securing enterprise data. Now those same mechanisms are paramount for protecting the integrity of the USB devices themselves."

The BadUSB Black Hat presentation can be seen here.

Brian Prince is a freelance writer for a number of IT security-focused publications. Prior to becoming a freelance reporter, he worked at eWEEK for five years covering not only security, but also a variety of other subjects in the tech industry. Before that, he worked as a ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
relmasian
50%
50%
relmasian,
User Rank: Apprentice
8/8/2014 | 8:20:15 PM
Temporary Defense
Malicious USB attacks are in difficult, and a real long term solution will take time and, most probably, changes in architecture of computers and networks.  However, let me offer two short term defenses.

1.   First store copies of all known attack points.  Then check the real drivers after USB devices are used.  Restore any that have changed while warning users and administators of potential compromise.

and/or 2.   Run a virtual machine that reinitializes all known attackpoints after USB devices are used.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2037
Published: 2014-11-26
Openswan 2.6.40 allows remote attackers to cause a denial of service (NULL pointer dereference and IKE daemon restart) via IKEv2 packets that lack expected payloads. NOTE: this vulnerability exists because of an incomplete fix for CVE 2013-6466.

CVE-2014-6609
Published: 2014-11-26
The res_pjsip_pubsub module in Asterisk Open Source 12.x before 12.5.1 allows remote authenticated users to cause a denial of service (crash) via crafted headers in a SIP SUBSCRIBE request for an event package.

CVE-2014-6610
Published: 2014-11-26
Asterisk Open Source 11.x before 11.12.1 and 12.x before 12.5.1 and Certified Asterisk 11.6 before 11.6-cert6, when using the res_fax_spandsp module, allows remote authenticated users to cause a denial of service (crash) via an out of call message, which is not properly handled in the ReceiveFax dia...

CVE-2014-7141
Published: 2014-11-26
The pinger in Squid 3.x before 3.4.8 allows remote attackers to obtain sensitive information or cause a denial of service (out-of-bounds read and crash) via a crafted type in an (1) ICMP or (2) ICMP6 packet.

CVE-2014-7142
Published: 2014-11-26
The pinger in Squid 3.x before 3.4.8 allows remote attackers to obtain sensitive information or cause a denial of service (crash) via a crafted (1) ICMP or (2) ICMP6 packet size.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?