USB Firmware Exploitable for Computer Malware Install – BadUSB

Posted by at 12:18 am on August 1, 2014

A pair of researchers are going to discuss a giant security exploit in how the Universal Serial Bus (USB) firmware can be exploited. Security researchers Karsten Nohl and Jakob Lell have developed “BadUSB,” a malware package resident in USB firmware that can be used as an attack vector to install any manner of software on a PC, with little or no warning to the user, and as of right now, no effective way to stop the attack.

All USB devices have firmware which dictate how the device communicates with a host computer. The flaw isn’t limited to USB mass storage, and can be implemented in any USB peripheral, including input peripherals, and other devices. The researchers have used the flaw with an Android phone plugged in through USB as a vector of attack.

According to Nohl, USB peripherals with the modified firmware can be given to ” your IT security people, they scan it, delete some files, and give it back to you telling you it’s ‘clean.’ The cleaning process doesn’t even touch the files we’re talking about.”

The pair of researchers have a propagation scenario as well. In theory, any USB device can be reprogrammed when it is inserted into an infected computer during the initial handshake between USB device and computer, and vice versa — in essence, a viral spread of the firmware update.

USB firmware doesn’t have any inherent ability to prevent modification for dubious purposes. No manufacturer implements code signing in USB firmware, comparing the checksum of the code with that of the original, nor does the USB specification allow for such a countermeasure.

USB device firmware is generally 64kB or smaller. While small by today’s standard, attackers using half of the space for malicious code could easily write exploits allowing for keystroke logging, DNS redirection, or nearly any other possible vector. Data misappropriated by the installed malware wouldn’t be stored on the USB device, but sent to a remote server for storage and utilization — diligent users could see this traffic and discover a problem, but the vast majority of computer users lack the technical savvy to do so.

The proof of concept hack is for Windows, and performed using a reverse-engineered firmware — it is currently unknown which vendor’s. The exploit isn’t limited to Windows computers. With proper coding, OS X, iOS, or Android devices are exploitable as well, given the nature of USB. There is likely no “universal” version of the exploit, but how “generic” USB device firmware is between manufacturers has yet to be disclosed.

Wired spoke with the managers and maintainers of the USB standard, the USB Implementers Forum regarding the attack vector. “Consumers should always ensure their devices are from a trusted source and that only trusted sources interact with their devices,” spokeswoman Liz Nardozza wrote. “Consumers safeguard their personal belongings and the same effort should be applied to protect themselves when it comes to technology.”

Nohl paints a bleak picture for current data practices on USB devices. “In this new way of thinking, you can’t trust a USB just because its storage doesn’t contain a virus. Trust must come from the fact that no one malicious has ever touched it,” purports Nohl. “You have to consider a USB [device] infected and throw it away as soon as it touches a non-trusted computer. And that’s incompatible with how we use USB devices right now.

Leave a Reply

Sign Up For Our Newsletter

Sign up to receive breaking news
as well as receive other site updates

Enter your Email

Preview | Powered by FeedBlitz

Log in

Copyright © 2008 - 2024 · StreetCorner Media , LLC· All Rights Reserved ·