BLACK HAT USA — Las Vegas — In a perfect world, that USB device you insert into your computer can be completely trusted. But the real world is this: Reprogramming can turn a USB device into a weapon.
Security researchers Karsten Nohl and Jakob Lell demonstrated here at Black Hat USA today what they called "BadUSB." They reverse-engineered and patched the USB firmware in less than two months, and once reprogrammed, the USB can be transformed into a malicious vehicle to compromise a network.
The implications of the attack are significant. For example, a device could be made to emulate a keyboard and issue commands on behalf of the logged-in user to steal files or install malware. It could also boot a small virus prior to the operating system booting up, or be made to spoof a network card and change the computer's DNS setting to redirect traffic.
Nohl and Lell demonstrated multiple attacks, including one showing how a Google Android phone plugged into a computer could be used to essentially intercept all of that computer's web traffic.
There isn't much in the way of defense against the attack, Nohl said. Malware scanners cannot access the firmware running on the devices, and USB firewalls that block certain device classes do not yet exist. In addition, detecting BadUSB based on behavioral detection is difficult because when it changes it persona it looks like the user has plugged in a new device.
Cleaning up after an attack is difficult because reinstalling the operating system does not address the issue, the researchers said in a summary of their findings The USB thumb drive, from which the operating system is reinstalled, may already be infected, as may the hardwired webcam or other USB components inside the computer. A BadUSB device could also replace the computer's BIOS by emulating a keyboard and unlocking a hidden file on the USB thumb drive.
Finding a solution is tricky. Whitelisting USB devices is an incomplete answer, Nohl explained, since not all USB devices have unique serial numbers and operating systems don't have effective whitelisting mechanisms for USBs yet. Malware scans come up short because malicious firmware can spoof legitimate firmware, and firmware can typically only be read back with the help of that firmware, he said.
"Attacks using USB flash drives are nothing new -- Stuxnet is an example of a USB-delivered virus which targeted a nuclear power plant in Iran -- what has changed with BadUSB is the level of sophistication," Ken Jones, vice president of engineering and product management Imation Mobile Security, said in a statement. "It modifies the controller firmware on the device hardware, not the data stored on the device. The infected device can then pass on that infection whether or not there is any data stored on the USB."
Preventing BadUSB from infecting a device requires that the controller firmware is locked down and not changeable by an unauthorized agent, he adds.
"In order to block BadUSB, USB storage devices need to prevent a hacker from reading or changing the firmware and ensure that the firmware is digitally signed so if it did get modified, the secure device will not operate with the modified firmware," he explained. "FIPS 140-2 Level 3 certification is validation of these benchmark mechanisms. Secure USB drives have always been an important tool for protecting and securing enterprise data. Now those same mechanisms are paramount for protecting the integrity of the USB devices themselves."
The BadUSB Black Hat presentation can be seen here.