This thumbdrive hacks computers. “BadUSB” exploit makes devices turn “evil”

Discussion in 'other security issues & news' started by Minimalist, Jul 31, 2014.

  1. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,067
    http://arstechnica.com/security/201...uters-badusb-exploit-makes-devices-turn-evil/
     
  2. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,952
    Location:
    U.S.A.
     
  3. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,067
    Malware: Every USB port is “defenseless” against new scam
    http://www.welivesecurity.com/2014/07/31/malware/
     
  4. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,067
    Malicious USB device firmware the next big infection vector?
    http://www.net-security.org/malware_news.php?id=2825

     
  5. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,952
    Location:
    U.S.A.
     
  6. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,461
    Hmm. How cross-(hardware-)platform is this? Does it affect obsolete architectures, e.g. Mac/PPC running OpenFirmware? Or are we talking about an attack on microcontrollers common to all USB chipsets?

    If not, maybe a machine of unaffected architecture could be used to flash clean firmware to USB devices?
     
  7. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,067
    I've read through articles but there's no info about firmware and microcontrollers affected. We will probably have to wait till they give presentation on Black Hat.
     
  8. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    Black Hat hackers finally drive a truck through gaping hole in USB firmware security
     
  9. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    See post #8.
     
  10. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  11. controler

    controler Guest

    Last edited by a moderator: Aug 1, 2014
  12. controler

    controler Guest

    "spent months analyzing the software and micro-controllers embedded in particular USB devices, and found they could hide, in the flash ROM, malware that's undetectable to today's antivirus tools – and is very, very effective." First off, ROM is read only memory unless it is Flash memory.


    1. Not every USB chip
    Firstly, this attack will not work on all USB chips automatically – it appears to be vendor specific, and while there are a limited number of USB silicon suppliers, there's still a lot of chip models to tackle. Every chipmaker designs their controllers differently.
    For Black Hat, we're told the following three attack devices will be demonstrated; these gadgets use chips made by Phison, which typically use 8051 micro-controllers:

    Then the question is do all USB sticks contain Flash ( rewriteable memory) or not. If not you would only have to use the ones that are only Read only. Right?
     
  13. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,952
    Location:
    U.S.A.
     
  14. controler

    controler Guest

    "BadUSB is a proof-of-concept attack" and so NSA was or is not using this method or a similar one?
     
  15. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,150
    Location:
    UK
    It'll be interesting to see whether this results in an additional device detected notification (e.g. as a HID in the Devices section or in Device Manager). For example, I use a Yubikey which acts or can act as a USB keyboard, but that gets registered in Devices and Printers (in Windows).
     
  16. sg09

    sg09 Registered Member

    Joined:
    Jul 11, 2009
    Posts:
    2,713
    Location:
    Kolkata, India
    Security researchers Karsten Nohl and Jakob Lell has found a serious flaw in the way USB devices works and they have created a collection of proof-of-concept malicious software. The malware they created, called BadUSB, resides not in the flash memory storage of USB devices, but in the firmware that controls their basic functions. So, the attack code can remain hidden long after the contents of the device’s memory would appear to the average user to be deleted. It is almost impossible to find such bad firware by easy means. It requires serious reverse engineering skills to find and analyze that firmware manually.

    Source: http://www.wired.com/2014/07/usb-security

    The problem isn’t limited to thumb drives. All manner of USB devices from keyboards and mice to smartphones have firmware that can be reprogrammed. Once the infected USB gets in touch with a device, PC etc. the latter gets infected too. “It goes both ways,” Nohl says. “Nobody can trust anybody.”

    Type of harm
    • It can replace software being installed with with a corrupted or backdoored version.
    • It can even impersonate a USB keyboard to suddenly start typing commands.
    • The malware can silently hijack internet traffic too, changing a computer’s DNS settings to siphon traffic to any servers it pleases.
    • If the code is planted on a phone or another device with an internet connection, it can act as a man-in-the-middle, secretly spying on communications as it relays them from the victim’s machine.
    Probably NSA is already using such flaw in its spying device known as Cottonmouth, that hides in a USB peripheral plug and surreptitiously installs malware on a target’s machine.

    Probable Solution

    The old-fashioned USB hygiene can’t stop this newer flavor of infection: Even if users are aware of the potential for attacks, ensuring that their USB’s firmware hasn’t been tampered with is nearly impossible. The devices don’t have a restriction known as “code-signing,” a countermeasure that would make sure any new code added to the device has the unforgeable cryptographic signature of its manufacturer. There’s not even any trusted USB firmware to compare the code against. Implementing that new security model will first require convincing device makers that the threat is real.

    To stop such attack, we have to change the way we use USB devices
    . “In this new way of thinking, you can’t trust a USB just because its storage doesn’t contain a virus. Trust must come from the fact that no one malicious has ever touched it,” says Nohl. “You have to consider a USB infected and throw it away as soon as it touches a non-trusted computer. And that’s incompatible with how we use USB devices right now.”
     
  17. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    Every such panic turned out to be a massive overreaction. Firmware on its own also doesn't do anything, it needs drivers and stuff to even do anything half functional. So you can't just stuff malware into everything USB as that just isn't possible.
     
  18. anon

    anon Registered Member

    Joined:
    Dec 27, 2012
    Posts:
    4,095
  19. sg09

    sg09 Registered Member

    Joined:
    Jul 11, 2009
    Posts:
    2,713
    Location:
    Kolkata, India
    Why not! It is a common fact that two firmwares from the same manufacturer behave differently. One can even make a system crash or become non responsive.
     
  20. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,461
    No, you can, and it can in fact do malicious things if you give it an OS to mess with.

    Exhibit A: you will find little chips like these

    http://www.tme.eu/html/EN/atmel-8-bit-microcontrollers-at89-series/ramka_1571_EN_pelny.html

    in almost any USB device. Those are microcontrollers, which is just slang for "fully capable computers being used for some insultingly specialized purpose." Typically they have writeable firmware, which may even be flashable through the USB port.

    Exhibit B: the LoJack Computrace commercial rootkit, which is used to track stolen computers, and which I have personally seen on some workstations, is BIOS based. A firmware component makes sure that a certain Windows EXE file is patched. It needs Windows to work (and won't work with Linux, etc. AFAIK) but the point is the core of it is in the firmware.

    Oh, and I agree, we shouldn't be panicking, because panicking won't help at all.
     
  21. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,067
    Yes, USB device needs drivers to communicate with system. As I understand by manipulating firmware USB device can be installed as different device and then do "bad things". You can insert USB drive with manipulated firmware and it will present itself to system as USB keyboard. After drivers are installed (which is automatically in Windows) it will simulate keyboard and will give commands to your system the same way as user. For OS and security software this is not suspicious behavior and it wouldn't stop it.
    But this is just POC for now and we indeed shouldn't panic.

    Here is link with description how to disable driver auto installation on Windows: http://support.microsoft.com/kb/2500967
     
  22. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    From BadUSB Uncovered:
     
  23. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  24. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,067
    Thanks @MrBrian for posting updates!
     
  25. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    You're welcome :).
     
Loading...