Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

8/7/2014
02:40 PM
50%
50%

When Good USB Devices Go Bad

Researchers offer more details about how USB devices can be leveraged in attacks.

BLACK HAT USA — Las Vegas — In a perfect world, that USB device you insert into your computer can be completely trusted. But the real world is this:  Reprogramming can turn a USB device into a weapon.

Security researchers Karsten Nohl and Jakob Lell demonstrated here at Black Hat USA today what they called "BadUSB." They reverse-engineered and patched the USB firmware in less than two months, and once reprogrammed, the USB can be transformed into a malicious vehicle to compromise a network.

The implications of the attack are significant. For example, a device could be made to emulate a keyboard and issue commands on behalf of the logged-in user to steal files or install malware. It could also boot a small virus prior to the operating system booting up, or be made to spoof a network card and change the computer's DNS setting to redirect traffic.

Nohl and Lell demonstrated multiple attacks, including one showing how a Google Android phone plugged into a computer could be used to essentially intercept all of that computer's web traffic.

There isn't much in the way of defense against the attack, Nohl said. Malware scanners cannot access the firmware running on the devices, and USB firewalls that block certain device classes do not yet exist. In addition, detecting BadUSB based on behavioral detection is difficult because when it changes it persona it looks like the user has plugged in a new device.

Cleaning up after an attack is difficult because reinstalling the operating system does not address the issue, the researchers said in a summary of their findings The USB thumb drive, from which the operating system is reinstalled, may already be infected, as may the hardwired webcam or other USB components inside the computer. A BadUSB device could also replace the computer's BIOS by emulating a keyboard and unlocking a hidden file on the USB thumb drive.

Finding a solution is tricky. Whitelisting USB devices is an incomplete answer, Nohl explained, since not all USB devices have unique serial numbers and operating systems don't have effective whitelisting mechanisms for USBs yet. Malware scans come up short because malicious firmware can spoof legitimate firmware, and firmware can typically only be read back with the help of that firmware, he said.

"Attacks using USB flash drives are nothing new -- Stuxnet is an example of a USB-delivered virus which targeted a nuclear power plant in Iran -- what has changed with BadUSB is the level of sophistication," Ken Jones, vice president of engineering and product management Imation Mobile Security, said in a statement. "It modifies the controller firmware on the device hardware, not the data stored on the device. The infected device can then pass on that infection whether or not there is any data stored on the USB."

Preventing BadUSB from infecting a device requires that the controller firmware is locked down and not changeable by an unauthorized agent, he adds.

"In order to block BadUSB, USB storage devices need to prevent a hacker from reading or changing the firmware and ensure that the firmware is digitally signed so if it did get modified, the secure device will not operate with the modified firmware," he explained. "FIPS 140-2 Level 3 certification is validation of these benchmark mechanisms. Secure USB drives have always been an important tool for protecting and securing enterprise data. Now those same mechanisms are paramount for protecting the integrity of the USB devices themselves."

The BadUSB Black Hat presentation can be seen here.

Brian Prince is a freelance writer for a number of IT security-focused publications. Prior to becoming a freelance reporter, he worked at eWEEK for five years covering not only security, but also a variety of other subjects in the tech industry. Before that, he worked as a ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
relmasian
50%
50%
relmasian,
User Rank: Apprentice
8/8/2014 | 8:20:15 PM
Temporary Defense
Malicious USB attacks are in difficult, and a real long term solution will take time and, most probably, changes in architecture of computers and networks.  However, let me offer two short term defenses.

1.   First store copies of all known attack points.  Then check the real drivers after USB devices are used.  Restore any that have changed while warning users and administators of potential compromise.

and/or 2.   Run a virtual machine that reinitializes all known attackpoints after USB devices are used.
Data Privacy Protections for the Most Vulnerable -- Children
Dimitri Sirota, Founder & CEO of BigID,  10/17/2019
Sodinokibi Ransomware: Where Attackers' Money Goes
Kelly Sheridan, Staff Editor, Dark Reading,  10/15/2019
Tor Weaponized to Steal Bitcoin
Dark Reading Staff 10/18/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-16978
PUBLISHED: 2019-10-21
In FusionPBX up to v4.5.7, the file app\devices\device_settings.php uses an unsanitized "id" variable coming from the URL, which is reflected on 2 occasions in HTML, leading to XSS.
CVE-2019-16979
PUBLISHED: 2019-10-21
In FusionPBX up to v4.5.7, the file app\contacts\contact_urls.php uses an unsanitized "id" variable coming from the URL, which is reflected in HTML, leading to XSS.
CVE-2019-16980
PUBLISHED: 2019-10-21
In FusionPBX up to v4.5.7, the file app\call_broadcast\call_broadcast_edit.php uses an unsanitized "id" variable coming from the URL in an unparameterized SQL query, leading to SQL injection.
CVE-2019-16990
PUBLISHED: 2019-10-21
In FusionPBX up to v4.5.7, the file app/music_on_hold/music_on_hold.php uses an unsanitized "file" variable coming from the URL, which takes any pathname (base64 encoded) and allows a download of it.
CVE-2019-16530
PUBLISHED: 2019-10-21
Sonatype Nexus Repository Manager 2.x before 2.14.15 and 3.x before 3.19, and IQ Server before 72, has remote code execution.