Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

8/7/2014
02:40 PM
50%
50%

When Good USB Devices Go Bad

Researchers offer more details about how USB devices can be leveraged in attacks.

BLACK HAT USA — Las Vegas — In a perfect world, that USB device you insert into your computer can be completely trusted. But the real world is this:  Reprogramming can turn a USB device into a weapon.

Security researchers Karsten Nohl and Jakob Lell demonstrated here at Black Hat USA today what they called "BadUSB." They reverse-engineered and patched the USB firmware in less than two months, and once reprogrammed, the USB can be transformed into a malicious vehicle to compromise a network.

The implications of the attack are significant. For example, a device could be made to emulate a keyboard and issue commands on behalf of the logged-in user to steal files or install malware. It could also boot a small virus prior to the operating system booting up, or be made to spoof a network card and change the computer's DNS setting to redirect traffic.

Nohl and Lell demonstrated multiple attacks, including one showing how a Google Android phone plugged into a computer could be used to essentially intercept all of that computer's web traffic.

There isn't much in the way of defense against the attack, Nohl said. Malware scanners cannot access the firmware running on the devices, and USB firewalls that block certain device classes do not yet exist. In addition, detecting BadUSB based on behavioral detection is difficult because when it changes it persona it looks like the user has plugged in a new device.

Cleaning up after an attack is difficult because reinstalling the operating system does not address the issue, the researchers said in a summary of their findings The USB thumb drive, from which the operating system is reinstalled, may already be infected, as may the hardwired webcam or other USB components inside the computer. A BadUSB device could also replace the computer's BIOS by emulating a keyboard and unlocking a hidden file on the USB thumb drive.

Finding a solution is tricky. Whitelisting USB devices is an incomplete answer, Nohl explained, since not all USB devices have unique serial numbers and operating systems don't have effective whitelisting mechanisms for USBs yet. Malware scans come up short because malicious firmware can spoof legitimate firmware, and firmware can typically only be read back with the help of that firmware, he said.

"Attacks using USB flash drives are nothing new -- Stuxnet is an example of a USB-delivered virus which targeted a nuclear power plant in Iran -- what has changed with BadUSB is the level of sophistication," Ken Jones, vice president of engineering and product management Imation Mobile Security, said in a statement. "It modifies the controller firmware on the device hardware, not the data stored on the device. The infected device can then pass on that infection whether or not there is any data stored on the USB."

Preventing BadUSB from infecting a device requires that the controller firmware is locked down and not changeable by an unauthorized agent, he adds.

"In order to block BadUSB, USB storage devices need to prevent a hacker from reading or changing the firmware and ensure that the firmware is digitally signed so if it did get modified, the secure device will not operate with the modified firmware," he explained. "FIPS 140-2 Level 3 certification is validation of these benchmark mechanisms. Secure USB drives have always been an important tool for protecting and securing enterprise data. Now those same mechanisms are paramount for protecting the integrity of the USB devices themselves."

The BadUSB Black Hat presentation can be seen here.

Brian Prince is a freelance writer for a number of IT security-focused publications. Prior to becoming a freelance reporter, he worked at eWEEK for five years covering not only security, but also a variety of other subjects in the tech industry. Before that, he worked as a ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
relmasian
50%
50%
relmasian,
User Rank: Apprentice
8/8/2014 | 8:20:15 PM
Temporary Defense
Malicious USB attacks are in difficult, and a real long term solution will take time and, most probably, changes in architecture of computers and networks.  However, let me offer two short term defenses.

1.   First store copies of all known attack points.  Then check the real drivers after USB devices are used.  Restore any that have changed while warning users and administators of potential compromise.

and/or 2.   Run a virtual machine that reinitializes all known attackpoints after USB devices are used.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 6/1/2020
Stay-at-Home Orders Coincide With Massive DNS Surge
Robert Lemos, Contributing Writer,  5/27/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-13775
PUBLISHED: 2020-06-02
ZNC before 1.8.1-rc1 allows attackers to trigger an application crash (with a NULL pointer dereference) if echo-message is not enabled and there is no network.
CVE-2020-12607
PUBLISHED: 2020-06-02
An issue was discovered in fastecdsa before 2.1.2. When using the NIST P-256 curve in the ECDSA implementation, the point at infinity is mishandled. This means that for an extreme value in k and s^-1, the signature verification fails even if the signature is correct. This behavior is not solely a us...
CVE-2020-13764
PUBLISHED: 2020-06-02
common.php in the Gravity Forms plugin before 2.4.9 for WordPress can leak hashed passwords because user_pass is not considered a special case for a $current_user->get($property) call.
CVE-2020-13760
PUBLISHED: 2020-06-02
In Joomla! before 3.9.19, missing token checks in com_postinstall lead to CSRF.
CVE-2020-13761
PUBLISHED: 2020-06-02
In Joomla! before 3.9.19, lack of input validation in the heading tag option of the "Articles - Newsflash" and "Articles - Categories" modules allows XSS.