updated 11:18 am EDT, Thu July 31, 2014
New research to be published at Black Hat points out inherent insecurity of USB
A pair of researchers are going to discuss a giant security flaw that illustrates how Universal Serial Bus (USB) firmware can be exploited. Security researchers Karsten Nohl and Jakob Lell have developed "BadUSB," a malware package resident in USB firmware that can be used as an attack vector to install any manner of software on a PC, with little or no warning to the user, and -- as of now -- no effective way to stop the attack or spread of the malware.
All USB devices have firmware, which dictates how the item communicates with a host computer. The flaw isn't limited to USB mass storage, and can be implemented in nearly any USB peripheral, including input devices. The researchers have used the flaw with an Android phone plugged in through USB as a vector of attack.
According to Nohl, USB peripherals with the modified firmware can be given to "your IT security people, they scan it, delete some files, and give it back to you telling you it's 'clean.' The cleaning process doesn't even touch the files we're talking about."
The pair of researchers have a propagation scenario as well. In theory, any USB device can be reprogrammed when it is inserted into an infected computer during the initial handshake between USB device and computer, and vice versa -- in essence, a viral spread of the firmware update.
USB firmware doesn't have any inherent ability to prevent modification for dubious purposes. No manufacturer implements code signing in USB firmware, which would compare the checksum of the code with that of the original, nor does the USB specification allow for such a countermeasure.
USB device firmware is generally 64KB or smaller. While that is small by today's standards, attackers using half of the space for malicious code could easily write exploits allowing for keystroke logging, DNS redirection, or nearly any other possible vector. Data misappropriated by the installed malware wouldn't be stored on the USB device, but sent to a remote server for storage and utilization -- diligent users could see this traffic and discover a problem, but the vast majority of computer users lack the technical savvy to do so.
The proof-of-concept hack is for Windows, and was performed using reverse-engineered firmware from an unknown vendor. The exploit isn't limited to Windows computers. With proper coding, OS X, iOS, or Android devices are exploitable as well, given the nature and ubiquity of USB. There is likely no "universal" version of the exploit, but how "generic" USB device firmware is between manufacturers has yet to be disclosed.
Wired spoke with the managers and maintainers of the USB standard, the USB Implementers Forum, regarding the attack vector. "Consumers should always ensure their devices are from a trusted source and that only trusted sources interact with their devices," spokeswoman Liz Nardozza wrote. "Consumers safeguard their personal belongings, and the same effort should be applied to protect themselves when it comes to technology."
Nohl paints a bleak picture for current data practices on USB devices. "In this new way of thinking, you can't trust a USB device just because its storage doesn't contain a virus. Trust must come from the fact that no one malicious has ever touched it," says Nohl. "You have to consider a USB [device] infected and throw it away as soon as it touches a non-trusted computer. And that's incompatible with how we use USB devices right now."