New malware vector: USB devices

This thumbdrive hacks computers. “BadUSB” exploit makes devices turn “evil”

Now, white-hat hackers have devised a feat even more seminal—an exploit that transforms keyboards, Web cams, and other types of USB-connected devices into highly programmable attack platforms that can't be detected by today's defenses.

Dubbed BadUSB, the hack reprograms embedded firmware to give USB devices new, covert capabilities. In a demonstration scheduled at next week's Black Hat security conference in Las Vegas, a USB drive, for instance, will take on the ability to act as a keyboard that surreptitiously types malicious commands into attached computers. A different drive will similarly be reprogrammed to act as a network card that causes connected computers to connect to malicious sites impersonating Google, Facebook or other trusted destinations. The presenters will demonstrate similar hacks that work against Android phones when attached to targeted computers. They say their technique will work on Web cams, keyboards, and most other types of USB-enabled devices.

The takeaway from the article?

Every time anybody connects a USB device to your computer, you fully trust them with your computer. It's the equivalent of [saying] 'here's my computer; I'm going to walk away for 10 minutes. Please don't do anything evil.'

This is a big deal.

Oh, and here's an extra-nasty proof-of-concept example:

Programming a brand-name USB stick to surreptitiously inject a payload into a legitimate Ubuntu installation file. The file is loaded onto the drive when attached to one computer. The tampering happens only after it is plugged into a separate computer that has no operating system present on it. The demo underscores how even using a trusted computer to verify the cryptographic hash of a file isn't adequate protection against the attack.
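One defensive check that follows from the article's two demonstrations (a drive that also presents a keyboard, and a drive that also presents a network card) is to inspect what interfaces a device actually enumerates with, rather than trusting its label. The example below is added here and is not code from the original thread, the article, or the BadUSB researchers. It parses a USB configuration descriptor the way the host stack sees it (the 9-byte interface descriptor layout and the class codes 0x03 HID, 0x08 mass storage, 0x02/0x0A CDC are the standard USB-IF values) and flags a "thumb drive" whose descriptor also declares a boot-protocol keyboard. The descriptor bytes are constructed sample data; the function and policy names are the example's own. Tools such as USBGuard apply the same idea in practice by allow-listing devices per interface class.

```python
from __future__ import annotations

import struct
from dataclasses import dataclass

# Standard USB-IF interface class codes used below.
USB_CLASS_CDC = 0x02           # Communications: network adapters, modems
USB_CLASS_HID = 0x03           # Human Interface Device: keyboards, mice
USB_CLASS_MASS_STORAGE = 0x08  # Thumb drives, card readers
USB_CLASS_CDC_DATA = 0x0A      # Data half of a CDC network adapter

DESC_TYPE_CONFIGURATION = 0x02
DESC_TYPE_INTERFACE = 0x04
DESC_TYPE_ENDPOINT = 0x05
DESC_TYPE_HID = 0x21

# Classes that let a device type input or reroute traffic on the host.
INPUT_OR_NETWORK_CLASSES = {USB_CLASS_HID, USB_CLASS_CDC, USB_CLASS_CDC_DATA}


@dataclass(frozen=True)
class Interface:
    number: int
    alt_setting: int
    klass: int
    subclass: int
    protocol: int


def parse_interfaces(config_blob: bytes) -> list[Interface]:
    """Walk a configuration descriptor blob and collect every interface descriptor.
    Each descriptor begins with bLength and bDescriptorType; other types are skipped."""
    found: list[Interface] = []
    offset = 0
    while offset + 2 <= len(config_blob):
        length, dtype = config_blob[offset], config_blob[offset + 1]
        if length < 2 or offset + length > len(config_blob):
            raise ValueError(f"malformed descriptor at offset {offset}")
        if dtype == DESC_TYPE_INTERFACE and length >= 9:
            # bLength, bDescriptorType, bInterfaceNumber, bAlternateSetting,
            # bNumEndpoints, bInterfaceClass, bInterfaceSubClass,
            # bInterfaceProtocol, iInterface
            _, _, num, alt, _n_ep, klass, sub, proto, _ = struct.unpack_from(
                "<BBBBBBBBB", config_blob, offset)
            found.append(Interface(num, alt, klass, sub, proto))
        offset += length
    return found


def unexpected_interfaces(config_blob: bytes, expected_classes: set[int]) -> list[Interface]:
    """Interfaces whose class is outside what the operator expects for this device."""
    return [i for i in parse_interfaces(config_blob) if i.klass not in expected_classes]


def assess(config_blob: bytes, expected_classes: set[int]) -> str:
    """Hypothetical policy: block a device that declares input or network
    interfaces it has no business having, otherwise allow it."""
    extras = unexpected_interfaces(config_blob, expected_classes)
    if any(i.klass in INPUT_OR_NETWORK_CLASSES for i in extras):
        return "block"
    return "allow"


# --- constructed sample descriptors (not captured from real hardware) ---

def _config_header(total_len: int, num_ifaces: int) -> bytes:
    # bLength, bDescriptorType, wTotalLength, bNumInterfaces,
    # bConfigurationValue, iConfiguration, bmAttributes, bMaxPower
    return struct.pack("<BBHBBBBB", 9, DESC_TYPE_CONFIGURATION, total_len,
                       num_ifaces, 1, 0, 0x80, 50)


def _iface(num: int, klass: int, sub: int, proto: int, n_ep: int) -> bytes:
    return bytes([9, DESC_TYPE_INTERFACE, num, 0, n_ep, klass, sub, proto, 0])


def _endpoint(addr: int, attrs: int, max_pkt: int, interval: int) -> bytes:
    return struct.pack("<BBBBHB", 7, DESC_TYPE_ENDPOINT, addr, attrs, max_pkt, interval)


def benign_thumbdrive() -> bytes:
    """Single bulk-only mass-storage interface (subclass 6 SCSI, protocol 0x50)."""
    body = (_iface(0, USB_CLASS_MASS_STORAGE, 0x06, 0x50, 2)
            + _endpoint(0x81, 0x02, 64, 0) + _endpoint(0x02, 0x02, 64, 0))
    return _config_header(9 + len(body), 1) + body


def keyboard_impersonating_thumbdrive() -> bytes:
    """Same drive, plus a boot-protocol keyboard interface (HID subclass 1, protocol 1)."""
    hid_desc = bytes([9, DESC_TYPE_HID, 0x11, 0x01, 0, 1, 0x22, 0x3F, 0])
    body = (_iface(0, USB_CLASS_MASS_STORAGE, 0x06, 0x50, 2)
            + _endpoint(0x81, 0x02, 64, 0) + _endpoint(0x02, 0x02, 64, 0)
            + _iface(1, USB_CLASS_HID, 0x01, 0x01, 1) + hid_desc
            + _endpoint(0x83, 0x03, 8, 10))
    return _config_header(9 + len(body), 2) + body


if __name__ == "__main__":
    for name, blob in (("benign drive", benign_thumbdrive()),
                       ("drive+keyboard", keyboard_impersonating_thumbdrive())):
        print(name, assess(blob, {USB_CLASS_MASS_STORAGE}),
              unexpected_interfaces(blob, {USB_CLASS_MASS_STORAGE}))
```

The check only sees what the device chooses to declare, so it cannot prove a device is clean; it does catch the specific impersonation pattern in the article (storage that also enumerates as a keyboard or network card), which is the same per-interface allow-listing that host-side USB authorization tools apply before the OS binds a driver.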

So... Bluetooth everything?

It's at the hardware protocol level. Wouldn't Bluetooth be hackable in a similar fashion?

Even then, who's to say that such malware isn't being installed in the factory? Hacking is damn near a national industry in China.

Bluetooth, to my knowledge, doesn't give anywhere near that kind of privilege level to devices. It's built around not trusting what it's talking to, where USB just assumes that you bought it, so therefore it must be okay: give it ultimate trust.

One of the fundamental issues here is that most USB devices seem to use erasable/updatable ROMs, so that they can carry viruses, and USB itself has so much access to the system that just plugging in one of these devices can infect the computer, and then, in turn, all the other USB devices that the code recognizes... and with the sheer size of flash these days, they could probably load a hell of a lot of recognition and exploit code into a device, which would then transfer to other devices. It's very nearly the perfect virus vector, and very hard to detect if the virus is clever enough, because you have to ask the corrupted firmware about the health of the firmware. You're giving unlimited access to your system to code you cannot inspect, and which can lie about its own status.

This is a GIGANTIC problem. In the era of the NSA spying on its own citizens, it would be much safer to never again buy a USB device through the mail. If you didn't pick it up off a store shelf with your own hands, it could be a surveillance device, whether for governments or for criminals.

edit: and even then, it could have been bought, infected, and returned. Only buy things in factory shrink-wrap.

Clearly we all need to know then how to assemble our own USB devices from scratch... and even then we have to buy the controller chip from someone with some level of firmware already baked in? I guess we could get blanks and flash them ourselves. Wheeee! This is fun.

Well, hopefully, at least, they haven't thought of it yet.

edit: really, what this means is that you shouldn't use USB devices anymore. They're not safe.

Arise PS/2! Muahahaha.

The crazy thing is what this will do to authenticators...

Nevin73 wrote:

Even then, who's to say that such malware isn't being installed in the factory? Hacking is damn near a national industry in China.

Did you miss the last twelve months?
I really don't think we need to give the trophy to China.

I know it's probably not true, but it reminds me of that story (was it a reporter?) whose USB keyboard was listed as shipped to some CIA/NSA area before heading to their own town/city, and people asking what the problem with that sort of mistake was with just a keyboard...

Anyway, this is pretty messed up. There's basically no way you can have any secure PC anymore unless you keep it completely disconnected from any network and do not cross-utilise USB devices with it.

fangblackbone wrote:

Arise PS/2! Muahahaha.

The crazy thing is what this will do to authenticators...

Pswh!

AT DIN is where it's at!!

Duoae wrote:

I know it's probably not true, but it reminds me of that story (was it a reporter?) whose USB keyboard was listed as shipped to some CIA/NSA area before heading to their own town/city, and people asking what the problem with that sort of mistake was with just a keyboard...

Anyway, this is pretty messed up. There's basically no way you can have any secure PC anymore unless you keep it completely disconnected from any network and do not cross-utilise USB devices with it.

fangblackbone wrote:

Arise PS/2! Muahahaha.

The crazy thing is what this will do to authenticators...

Pswh!

AT DIN is where it's at!!

Fixed for the reality since the computer was invented.

Yeah, remember those researchers that were using inaudible beeps from mobo speakers to communicate between PCs?

So.. the movie trope of sticking a USB drive into a computer and magically hacking it is finally a reality? Thanks, Hollywood!

You can have a reasonably secure PC in the absence of USB, but ... that's a really, really bad potential virus vector, particularly because you can't clean it out. Once a USB device has been compromised, the only real option is throwing it away.

Malor wrote:

Oh, and here's an extra-nasty proof-of-concept example:

Programming a brand-name USB stick to surreptitiously inject a payload into a legitimate Ubuntu installation file. The file is loaded onto the drive when attached to one computer. The tampering happens only after it is plugged into a separate computer that has no operating system present on it. The demo underscores how even using a trusted computer to verify the cryptographic hash of a file isn't adequate protection against the attack.

Holy crap, it took a reread, but basically it means: if you have some virus and a scanner that could find it, the infection will show up in your brand new Ubuntu installation but won't show up if you scan the USB stick. That is diabolical.
I'm so behind the times; I didn't even realize these things had CPUs, I thought it was just a dedicated chip.

And yes, the irony of Hollywood hacking now being more accurate is truly astounding. Quick everyone, edit the wiki!

I wonder if one of those web-based malware scanners could clean it? (Assuming they don't make a version that locks out IE or other browsers.)

Well, it would be very difficult. The code will be running some kind of hidden test to see if it should try to exploit the OS. You would need to be able to determine what that test was, fulfill it exactly, and observe the changed behavior (the attempted exploit, or whatever) to even be certain the device was compromised. A web scanner would be exceptionally unlikely to be able to do that.

Once you did know a USB device was compromised (which is difficult, in and of itself!), the only option would likely be to throw it away. You wouldn't be able to reliably clean the firmware, because the virus is already in control of the device. It should, absent glaring bugs, be able to defeat any attempt to rewrite the firmware with a clean version.

In other words: your only method of access to the device is through the USB port, and the virus is in total control of that. It can lie about its presence, and prevent itself from being erased.

You would need some kind of alternate physical access to the device to be able to take control of it again, and I'm not aware of any USB devices that have that.

This is a GIGANTIC problem.

Can we invent some kind of USB condom that you insert between any untrusted USB devices and your computer's port that would prevent the spread of USBTIs? e-Trojans?

What about a virtual machine? The USB stick thinks it infects the OS but instead infects the virtual OS and the real OS can then clean it?

Or a boot disc / stick designed to re-program the infected USB device?

Or a boot disc / stick designed to re-program the infected USB device?

Remember, the virus is in charge of the firmware. It can pretend to accept the file, and then just not do anything with it. Further, it can report success, and then if the computer tries to read the firmware back to be sure it's valid, it can report back a clean version. "Yep, everything's just fine here! No viruses here, no sirree." (Electronic cackling optional.)

You only have the one communication channel with it. If that channel is under the control of a hostile program, unless that program has a bug you can exploit, you can never regain control of the device.

What about a virtual machine? The USB stick thinks it infects the OS but instead infects the virtual OS and the real OS can then clean it?

That might work for detection, but a compromised USB device can only be recovered in one of two ways: the virus allows it, or you have a separate, trusted communication method with the device. I'm not aware of any USB devices that will do this.

I don't think a VM would help because there's no virtual USB you can virtually plug a physical stick into without physically plugging it into your physical PC.

Is there any alternative that can replace USB physically? FireWire? eSATA? Back to SCSI chains?

Scuzzy baby!

It'll be like olden times.

And, about two months later: working exploits have been released.

It's not just academic anymore: BadUSB is out there.