This thumbdrive hacks computers. “BadUSB” exploit makes devices turn “evil”

http://arstechnica.com/security/201...uters-badusb-exploit-makes-devices-turn-evil/

 

Malware: Every USB port is “defenseless” against new scam

http://www.welivesecurity.com/2014/07/31/malware/

 

Malicious USB device firmware the next big infection vector?

http://www.net-security.org/malware_news.php?id=2825

 

Hmm. How cross-(hardware-)platform is this? Does it affect obsolete architectures, e.g. Mac/PPC running OpenFirmware? Or are we talking about an attack on microcontrollers common to all USB chipsets?

If not, maybe a machine of unaffected architecture could be used to flash clean firmware to USB devices?

 

I've read through articles but there's no info about firmware and microcontrollers affected. We will probably have to wait till they give presentation on Black Hat.

 

Black Hat hackers finally drive a truck through gaping hole in USB firmware security

 

See post #8.

 

Can malicious code be contained outside the filesystem on a USB drive?

 

There was also mentioned the NSA was already using this technique. Labeled COTTONMOUTH and leaked by Snowden.

http://nsa.gov1.info/dni/nsa-ant-catalog/usb/index.html

http://en.wikipedia.org/wiki/NSA_ANT_catalog

 

"spent months analyzing the software and micro-controllers embedded in particular USB devices, and found they could hide, in the flash ROM, malware that's undetectable to today's antivirus tools – and is very, very effective." First off, ROM is read only memory unless it is Flash memory.


1. Not every USB chip
Firstly, this attack will not work on all USB chips automatically – it appears to be vendor specific, and while there are a limited number of USB silicon suppliers, there's still a lot of chip models to tackle. Every chipmaker designs their controllers differently.
For Black Hat, we're told the following three attack devices will be demonstrated; these gadgets use chips made by Phison, which typically use 8051 micro-controllers:

Then the question is do all USB sticks contain Flash ( rewriteable memory) or not. If not you would only have to use the ones that are only Read only. Right?

 

"BadUSB is a proof-of-concept attack" and so NSA was or is not using this method or a similar one?

 

It'll be interesting to see whether this results in an additional device detected notification (e.g. as a HID in the Devices section or in Device Manager). For example, I use a Yubikey which acts or can act as a USB keyboard, but that gets registered in Devices and Printers (in Windows).

 

Security researchers Karsten Nohl and Jakob Lell has found a serious flaw in the way USB devices works and they have created a collection of proof-of-concept malicious software. The malware they created, called BadUSB, resides not in the flash memory storage of USB devices, but in the firmware that controls their basic functions. So, the attack code can remain hidden long after the contents of the device’s memory would appear to the average user to be deleted. It is almost impossible to find such bad firware by easy means. It requires serious reverse engineering skills to find and analyze that firmware manually.

Source: http://www.wired.com/2014/07/usb-security

The problem isn’t limited to thumb drives. All manner of USB devices from keyboards and mice to smartphones have firmware that can be reprogrammed. Once the infected USB gets in touch with a device, PC etc. the latter gets infected too. “It goes both ways,” Nohl says. “Nobody can trust anybody.”

Type of harm

• It can replace software being installed with with a corrupted or backdoored version.
• It can even impersonate a USB keyboard to suddenly start typing commands.
• The malware can silently hijack internet traffic too, changing a computer’s DNS settings to siphon traffic to any servers it pleases.
• If the code is planted on a phone or another device with an internet connection, it can act as a man-in-the-middle, secretly spying on communications as it relays them from the victim’s machine.

Probably NSA is already using such flaw in its spying device known as Cottonmouth, that hides in a USB peripheral plug and surreptitiously installs malware on a target’s machine.

Probable Solution

The old-fashioned USB hygiene can’t stop this newer flavor of infection: Even if users are aware of the potential for attacks, ensuring that their USB’s firmware hasn’t been tampered with is nearly impossible. The devices don’t have a restriction known as “code-signing,” a countermeasure that would make sure any new code added to the device has the unforgeable cryptographic signature of its manufacturer. There’s not even any trusted USB firmware to compare the code against. Implementing that new security model will first require convincing device makers that the threat is real.

To stop such attack, we have to change the way we use USB devices. “In this new way of thinking, you can’t trust a USB just because its storage doesn’t contain a virus. Trust must come from the fact that no one malicious has ever touched it,” says Nohl. “You have to consider a USB infected and throw it away as soon as it touches a non-trusted computer. And that’s incompatible with how we use USB devices right now.”

 

Every such panic turned out to be a massive overreaction. Firmware on its own also doesn't do anything, it needs drivers and stuff to even do anything half functional. So you can't just stuff malware into everything USB as that just isn't possible.

 

@ sg09,
Old news......
=
Thursday at 6:13 PM

 

Why not! It is a common fact that two firmwares from the same manufacturer behave differently. One can even make a system crash or become non responsive.

 

No, you can, and it can in fact do malicious things if you give it an OS to mess with.

Exhibit A: you will find little chips like these

http://www.tme.eu/html/EN/atmel-8-bit-microcontrollers-at89-series/ramka_1571_EN_pelny.html

in almost any USB device. Those are microcontrollers, which is just slang for "fully capable computers being used for some insultingly specialized purpose." Typically they have writeable firmware, which may even be flashable through the USB port.

Exhibit B: the LoJack Computrace commercial rootkit, which is used to track stolen computers, and which I have personally seen on some workstations, is BIOS based. A firmware component makes sure that a certain Windows EXE file is patched. It needs Windows to work (and won't work with Linux, etc. AFAIK) but the point is the core of it is in the firmware.

Oh, and I agree, we shouldn't be panicking, because panicking won't help at all.

 

Yes, USB device needs drivers to communicate with system. As I understand by manipulating firmware USB device can be installed as different device and then do "bad things". You can insert USB drive with manipulated firmware and it will present itself to system as USB keyboard. After drivers are installed (which is automatically in Windows) it will simulate keyboard and will give commands to your system the same way as user. For OS and security software this is not suspicious behavior and it wouldn't stop it.
But this is just POC for now and we indeed shouldn't panic.

Here is link with description how to disable driver auto installation on Windows: http://support.microsoft.com/kb/2500967

 

From BadUSB Uncovered:

 

Slides of presentation are at https://srlabs.de/badusb/.

 

Thanks @MrBrian for posting updates!

 

You're welcome .