BadUSB – The problems with USB
Here are the primary reasons why USB devices are vulnerable (and easily exploited):
- The firmware of a USB device's controller can be updated (flashed) without any authentication or signing, so the host has no way to tell original firmware from rewritten firmware.
- A USB device declares its own class in the descriptors it hands the host, so it can present itself as a hard drive, a keyboard or a network card (or several of these at once) and change that presentation at will.
- USB serial numbers are not required to be unique, typically aren't, and are reported by the device itself, so a device can claim whatever serial number it wants.
From the SR Labs researchers' website:
“BadUSB – Turning devices evil. Once reprogrammed, benign devices can turn malicious in many ways, including:
- A device can emulate a keyboard and issue commands on behalf of the logged-in user, for example to exfiltrate files or install malware. Such malware, in turn, can infect the controller chips of other USB devices connected to the computer.
- The device can also spoof a network card and change the computer’s DNS setting to redirect traffic.
- A modified thumb drive or external hard disk can – when it detects that the computer is starting up – boot a small virus, which infects the computer’s operating system prior to boot.”
Enterprise security software needs to start investing in protecting computers from USB peripherals. A software solution could, for example, prevent a USB peripheral from changing its device class after enumeration, or detect sequences of keystrokes that are deemed malicious or that arrive too quickly to be human-typed.
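The second of those software checks, keystroke timing, as an added example that is not code from the original page or from any of the researchers or vendors it mentions. The events are constructed (timestamp, key) tuples standing in for what a host-side keyboard hook would deliver, and the thresholds are assumptions for this example, not measured limits:

```python
"""Flag keystroke runs that arrive faster than a person could type them.

Added example, not code from the page's sources. Events are constructed
(timestamp_seconds, key) tuples; thresholds are assumptions.
"""

# Sustained inter-key gaps below ~30 ms are beyond human typing (a fast
# typist averages around 100 ms per character), while keystroke injectors
# commonly default to a few milliseconds. Both values are assumptions.
MIN_HUMAN_GAP_S = 0.030
MIN_RUN_KEYS = 20


def scripted_bursts(events, min_gap=MIN_HUMAN_GAP_S, min_keys=MIN_RUN_KEYS):
    """Return the text of every maximal run of consecutive keys whose
    inter-key gap is below `min_gap` and that is at least `min_keys` long.
    Any single slow key breaks the run, so a person pausing mid-word never
    accumulates into a burst, while an injector typing a whole command at
    machine speed does."""
    ev = sorted(events, key=lambda e: e[0])
    bursts, run = [], ev[:1]
    for prev, cur in zip(ev, ev[1:]):
        if cur[0] - prev[0] < min_gap:
            run.append(cur)
            continue
        if len(run) >= min_keys:
            bursts.append("".join(k for _, k in run))
        run = [cur]
    if len(run) >= min_keys:
        bursts.append("".join(k for _, k in run))
    return bursts


def build_events(text, start, gap):
    """Construct one key event per character at a fixed interval."""
    return [(start + i * gap, ch) for i, ch in enumerate(text)]


# Constructed sample: a person typing at 150 ms per key, then a device on
# the same keyboard interface injecting a command at 4 ms per key.
HUMAN_TEXT = "the quick brown fox jumps over it"
INJECTED_TEXT = "powershell -w hidden -c whoami"
HUMAN = build_events(HUMAN_TEXT, 0.0, 0.150)
INJECTED = build_events(INJECTED_TEXT, 10.0, 0.004)

if __name__ == "__main__":
    print(scripted_bursts(HUMAN))             # []
    print(scripted_bursts(HUMAN + INJECTED))  # ['powershell -w hidden -c whoami']
```

Timing alone is evadable: a reprogrammed device can simply type at human speed, so this check belongs next to a device-class policy rather than in place of one, and the run length should be tuned so that paste operations from legitimate software do not trip it.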
Similarly, hardware USB security hubs could be built to enforce device classes per port and to block firmware rewriting, analogous to a traditional network firewall: the port a device is plugged into would define the device classes that peripheral is allowed to present. Although this gives up the plug-anything-anywhere convenience USB was designed for, it partially mitigates the risk by preventing USB peripherals from arbitrarily changing their class.
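The per-port class policy just described, applied on the host side to the descriptors a device declares (the "any class at will" problem from the list at the top of the page), as an added example that is not code from the original page or from any vendor or researcher it mentions. Every descriptor byte is constructed for the example, and the port names, the policy table and the handful of class codes are assumptions:

```python
"""Parse a USB configuration descriptor and enforce a per-port class allowlist.

Added example, not the page's or any vendor's code. Descriptor bytes are
constructed; port names and policy are assumptions.
"""
import struct

# Interface class codes (USB-IF class code list).
HID, MASS_STORAGE, CDC_CONTROL, CDC_DATA = 0x03, 0x08, 0x02, 0x0A

# Assumed per-port policy: the physical port, not the device's own claim,
# decides which classes may be presented. Unlisted ports allow nothing.
PORT_POLICY = {
    "1-1": {MASS_STORAGE},           # port reserved for storage
    "1-2": {HID},                    # port reserved for keyboard/mouse
    "1-3": {CDC_CONTROL, CDC_DATA},  # port reserved for serial adapters
}


def parse_interfaces(config_desc):
    """Walk the descriptor chain and return (class, subclass, protocol) for
    every interface descriptor (bDescriptorType 0x04).
    The device chose every byte, so the walker must survive a bogus bLength
    (zero would otherwise loop forever) and a wTotalLength that disagrees
    with what was actually received."""
    if len(config_desc) < 9 or config_desc[1] != 0x02:
        raise ValueError("not a configuration descriptor")
    total = min(struct.unpack_from("<H", config_desc, 2)[0], len(config_desc))
    interfaces, off = [], 0
    while off + 2 <= total:
        length, dtype = config_desc[off], config_desc[off + 1]
        if length < 2 or off + length > total:
            break  # malformed: stop rather than read past the buffer
        if dtype == 0x04 and length >= 9:
            cls, sub, proto = config_desc[off + 5:off + 8]
            interfaces.append((cls, sub, proto))
        off += length
    return interfaces


def authorize(port, config_desc, policy=PORT_POLICY):
    """Return (allowed, offending). The device is allowed only if every
    interface class it declares is on the list for its port, so a "thumb
    drive" that also declares a keyboard is rejected on the storage port."""
    allowed = policy.get(port, set())
    offending = [i for i in parse_interfaces(config_desc) if i[0] not in allowed]
    return (not offending), offending


class PortTracker:
    """Remember the class set last seen on each port and report a device
    that re-enumerates claiming a different set (drive -> keyboard)."""
    def __init__(self):
        self.seen = {}

    def observe(self, port, config_desc):
        classes = frozenset(c for c, _, _ in parse_interfaces(config_desc))
        changed = port in self.seen and self.seen[port] != classes
        self.seen[port] = classes
        return changed


# --- constructed descriptors (layouts per USB 2.0 spec, chapter 9) ---
def _iface(num, cls, sub, proto, n_ep):
    return struct.pack("<BBBBBBBBB", 9, 0x04, num, 0, n_ep, cls, sub, proto, 0)

def _ep(addr, attrs, max_packet, interval):
    return struct.pack("<BBBBHB", 7, 0x05, addr, attrs, max_packet, interval)

def _cfg(*descs):
    body = b"".join(descs)
    n_ifaces = sum(1 for d in descs if d[1] == 0x04)
    return struct.pack("<BBHBBBBB", 9, 0x02, 9 + len(body), n_ifaces, 1, 0, 0x80, 50) + body

# Mass storage, SCSI transparent, bulk-only: what a thumb drive normally declares.
_BULK_ONLY_STORAGE = (_iface(0, MASS_STORAGE, 0x06, 0x50, 2),
                      _ep(0x81, 0x02, 512, 0), _ep(0x02, 0x02, 512, 0))
# Boot-protocol keyboard: HID class descriptor plus one interrupt IN endpoint.
_HID_KEYBOARD = (_iface(1, HID, 0x01, 0x01, 1),
                 struct.pack("<BBHBBBH", 9, 0x21, 0x0111, 0, 1, 0x22, 63),
                 _ep(0x83, 0x03, 8, 10))

STORAGE_ONLY = _cfg(*_BULK_ONLY_STORAGE)
STORAGE_PLUS_KEYBOARD = _cfg(*_BULK_ONLY_STORAGE, *_HID_KEYBOARD)  # the BadUSB composite
MALFORMED = STORAGE_ONLY[:9] + bytes([0, 0x04]) + bytes(7)            # bLength == 0

if __name__ == "__main__":
    print(authorize("1-1", STORAGE_ONLY))           # (True, [])
    print(authorize("1-1", STORAGE_PLUS_KEYBOARD))  # (False, [(3, 1, 1)])
```

A hub or host enforcing this still accepts a malicious keyboard on the keyboard port, which is why the keystroke checks above remain necessary, and a device that re-enumerates with a new class set is worth logging even where the new set happens to be allowed. On Linux the same decision can be made per device through the `authorized` attribute under `/sys/bus/usb/devices/`, and USBGuard builds rule-based policies on that mechanism.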
In conclusion, the enterprise security surrounding USB devices is heading towards an overhaul. The process may be painful, but it is necessary.
BadUSB Exploit Code is Released
Security researchers Adam Caudill and Brandon Wilson presented on BadUSB at DerbyCon 2014 last weekend in a talk called "Making BadUSB Work For You."
The BadUSB exploit code is now available on GitHub.
Wired has an article describing the code release:
It’s been just two months since researcher Karsten Nohl demonstrated an attack he called BadUSB to a standing-room-only crowd at the Black Hat security conference in Las Vegas, showing that it’s possible to corrupt any USB device with insidious, undetectable malware. Given the severity of that security problem—and the lack of any easy patch—Nohl has held back on releasing the code he used to pull off the attack. But at least two of Nohl’s fellow researchers aren’t waiting any longer.
In a talk at the Derbycon hacker conference in Louisville, Kentucky last week, researchers Adam Caudill and Brandon Wilson showed that they’ve reverse engineered the same USB firmware as Nohl’s SR Labs, reproducing some of Nohl’s BadUSB tricks. And unlike Nohl, the hacker pair has also published the code for those attacks on Github, raising the stakes for USB makers to either fix the problem or leave hundreds of millions of users vulnerable.
“The belief we have is that all of this should be public. It shouldn’t be held back. So we’re releasing everything we’ve got,” Caudill told the Derbycon audience on Friday. “This was largely inspired by the fact that [SR Labs] didn’t release their material. If you’re going to prove that there’s a flaw, you need to release the material so people can defend against it.”
IronKey Secure USB devices are not vulnerable to the BadUSB malware that was revealed at Black Hat on August 7. BadUSB is the first USB malware designed to attack the device itself instead of attacking the data on the device. IronKey's leadership in security, including its use of digital signatures in all controller firmware, makes its products immune to this new threat. To help reduce the impact of BadUSB, the company is offering a GoodUSB Trade-Up Program that provides discounts on its secure USB products.
As revealed at the Black Hat session on BadUSB, the attack changes the firmware that controls the behavior of the USB hardware, allowing the USB device to become a host that can subsequently infect other computers and USB devices. The modified controller firmware cannot be detected by today’s anti-malware solutions, and in many cases, may remain undetectable.
As explained by the researchers, the best protection against this vulnerability is to use code signing for firmware updates. If the signed firmware is modified, the device cannot authenticate the firmware and simply will not operate. This prevents the infection from spreading but leaves the device unusable. That is why, in addition to using signed firmware, IronKey protects the mechanism used to update the firmware with hardware-based security keys. This prevents the tampering in the first place, so the signed firmware is never replaced and the device is not left unusable.
References
- SR Labs: BadUSB research page (presented at Black Hat USA 2014)
- Wired: article describing BadUSB
- Microsoft Security Blog: "USB firmware: An upcoming threat for home and enterprise users"
- Black Hat USA 2014: BadUSB presentation slides
- Black Hat USA 2014: BadUSB presentation video
- Wired: "The Unpatchable Malware That Infects USBs Is Now on the Loose"
- DerbyCon 2014: BadUSB presentation slides
- DerbyCon 2014: BadUSB presentation video
- GitHub: BadUSB exploit code
- Wikipedia: USB