Is USB Doomed? New Firmware Exploit Cannot be Fixed


BadUSB malware has been released to the world, and it cannot be fixed.

To quote our great golden robot god: We're doomed.

Or more specifically, the USB standard could be doomed, if a new malware discovery is to be believed.

BadUSB is a form of undetectable, heinous malware that was first demonstrated during the Black Hat security conference back in August. Security researchers Karsten Nohl and Jakob Lell demoed their reverse-engineered USB firmware, then showed how malware could come into play. The malware (or BadUSB, as it's being called) resides in the firmware of a USB device's controller chip rather than in its storage, which means it can ride along on devices like USB thumb drives, then pass from machine to machine.

Once a compromised USB device (one carrying reprogrammed firmware) is plugged into a computer, the hacking options are various -- one notable example is a device that presents itself as a keyboard and types commands on the user's behalf. Due to its firmware-level nature, the exploit is nearly impossible to fix; a solution would require a redesign of the USB specification -- not an easy task for the world's most ubiquitous peripheral and storage connector.

The silver lining with BadUSB, at the time, was that Nohl and Lell did not release their findings to the world -- while they demoed their findings at Black Hat, they kept the code under wraps in order to give manufacturers time to come up with a solution. But now that the grace period is over, another security-minded duo has reverse-engineered the USB firmware, and released their findings to the world.

Speaking at Derbycon in Louisville, Kentucky last week, Adam Caudill and Brandon Wilson showed the revealed code, and have now posted it on GitHub. Caudill and Wilson published the code in order to force the hand of major USB players, as they think a legitimate solution won't come until the threat is recognized as real by hardware manufacturers.

"The belief we have is that all of this should be public. It shouldn't be held back. So we're releasing everything we've got," said Caudill during the Derbycon convention. "This was largely inspired by the fact that [Nohl and Lell] didn't release their material. If you're going to prove that there's a flaw, you need to release the material so people can defend against it."

This USB vulnerability is considered un-fixable by some (including Nohl) because of how many USB devices are out in the world. New firmware security measures can be written to patch the vulnerability, but USB devices sold over the last ten-plus years would still be at risk.

While BadUSB and the vulnerabilities in USB firmware are only now publicly known, Caudill told Wired that the flaw was likely "already available to highly resourced government intelligence agencies like the NSA." And while it's fashionable to mention the NSA whenever computer security is mentioned, Caudill is not blowing smoke here. Various security agencies in the United States, and the world over, pay good money to hackers for unknown (to the public) exploits, which can be filed away to use at a later date. Many of these exploits aren't even on a given developer or manufacturer's radar, as the NSA and others pay to keep them a secret.

Source: Wired


You don't actually explain what BadUSB is other than Malware. What exactly does it do? Does it constantly add files until the computer is so overloaded that it's screwed over? Does it steal vital information or programs from your computer, thus making you dependent on the Bad USB? What exactly does it do?

Still, as long as people aren't buying USB's from shady back-street peddlers then the risk of BadUSB malware is significantly decreased, so this isn't as bad as you're making it out to be. On top of that, I'm sure that Computer Companies will be able to eventually find a way to protect from BadUSB malware and upgrade their computers accordingly.

Finally, there is a Typo in your article:

Devin Connors:
BadUSB is a form of undetectable, heinous malware that wad first demonstrated during the Black Hat security conference back in August.

Almost certain that should be "was".

Yeah, second that it'd be nice to be told what BadUSB is or does in some kind of detail.

EDIT: After some looking round...ah. Put malicious code into how the device runs, not into its memory, and there's no way of telling if it's been affected...would it not have to be manufactured that way, though?

According to https://srlabs.de/badusb/ , these are the possibilities for BadUSB:

1. A device can emulate a keyboard and issue commands on behalf of the logged-in user, for example to exfiltrate files or install malware. Such malware, in turn, can infect the controller chips of other USB devices connected to the computer.

2. The device can also spoof a network card and change the computer's DNS setting to redirect traffic.

3. A modified thumb drive or external hard disk can - when it detects that the computer is starting up - boot a small virus, which infects the computer's operating system prior to boot.

In short, be worried.
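As an added defensive example (not from the article, the srlabs page or any commenter), here is a small Python log-correlation check for the first two items in the list above: it groups Linux kernel USB messages by port and flags a device that enumerates as mass storage and, on the same port, also as an input device or a network adapter, which is how the "thumb drive that types" and the "thumb drive that is also a network card" look to the host. The log lines are constructed to mimic the kernel's format; the vendor and product ids are made up.

```python
import re

# Constructed sample kernel log lines, shaped after the Linux usb, usb-storage, input and
# cdc_ether messages (not captured from a real machine; vendor/product ids are made up).
# Port 1-1: a "thumb drive" that also registers a keyboard.
# Port 1-2: a plain keyboard.
# Port 2-3: a "thumb drive" that also registers a network interface.
SAMPLE_LOG = """\
usb 1-1: new high-speed USB device number 4 using xhci_hcd
usb 1-1: New USB device found, idVendor=1234, idProduct=5678, bcdDevice= 1.00
usb-storage 1-1:1.0: USB Mass Storage device detected
input: HID Keyboard as /devices/pci0000:00/0000:00:14.0/usb1/1-1/1-1:1.1/0003:1234:5678.0002/input/input7
usb 1-2: new full-speed USB device number 5 using xhci_hcd
usb 1-2: New USB device found, idVendor=abcd, idProduct=0001, bcdDevice= 2.10
input: Real Keyboard as /devices/pci0000:00/0000:00:14.0/usb1/1-2/1-2:1.0/0003:abcd:0001.0003/input/input8
usb 2-3: new high-speed USB device number 6 using xhci_hcd
usb 2-3: New USB device found, idVendor=1234, idProduct=9999, bcdDevice= 1.00
usb-storage 2-3:1.0: USB Mass Storage device detected
cdc_ether 2-3:1.2 usb0: register 'cdc_ether' at usb-0000:00:14.0-3, CDC Ethernet Device, 02:00:00:00:00:01
"""

PORT = r"(\d+-[\d.]+)"  # bus-port path such as 1-1, or 1-1.2 for a device behind a hub

# "New USB device found" marks a (re-)enumeration on a port; interface lines that follow
# for that port belong to the device that just appeared.
NEW_DEVICE = re.compile(
    r"^usb " + PORT + r": New USB device found, idVendor=([0-9a-f]{4}), idProduct=([0-9a-f]{4})"
)

# Interface-level lines, tied back to the port by the "<port>:<config>.<interface>" token.
# "input" covers any HID input device (keyboard or mouse), not only keyboards.
INTERFACE_PATTERNS = [
    ("storage", re.compile(r"^usb-storage " + PORT + r":\d+\.\d+: USB Mass Storage")),
    ("input", re.compile(r"^input: .* as /devices/.*/" + PORT + r":\d+\.\d+/")),
    ("network", re.compile(r"^(?:cdc_ether|rndis_host|cdc_ncm) " + PORT + r":\d+\.\d+ ")),
]


def classify_usb_log(text):
    """Group interface classes per USB port.

    Returns {port: {"ids": "vvvv:pppp" or None, "classes": set of class names}}.
    """
    devices = {}
    for line in text.splitlines():
        m = NEW_DEVICE.match(line)
        if m:
            port, vid, pid = m.groups()
            devices[port] = {"ids": f"{vid}:{pid}", "classes": set()}
            continue
        for cls, pat in INTERFACE_PATTERNS:
            m = pat.match(line)
            if m:
                entry = devices.setdefault(m.group(1), {"ids": None, "classes": set()})
                entry["classes"].add(cls)
    return devices


def suspicious_ports(devices):
    """Ports where a single device exposes storage plus an input or network interface.

    Returns {port: sorted list of interface classes seen on that port}.
    """
    return {
        port: sorted(info["classes"])
        for port, info in devices.items()
        if "storage" in info["classes"] and info["classes"] & {"input", "network"}
    }


if __name__ == "__main__":
    devs = classify_usb_log(SAMPLE_LOG)
    for port, classes in suspicious_ports(devs).items():
        print(f"port {port} ({devs[port]['ids']}): storage device also exposes {classes}")
```

Legitimate composite devices (a phone exposing storage plus RNDIS networking, a keyboard with a built-in card reader) trip the same check, so treat a hit as a triage signal to compare against the vendor/product ids you expect on that machine, not as proof of tampering.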

From what the Article is saying it sounds like they've found a way to hide Malware inside USB firmware, making it (nearly) impossible to remove, but yeah, some clarification would help.

Thanks for the comments, guys. Added some info on the exploit, so hopefully that clears up some questions. For more detailed info on the malware, and firmware reprogramming, check out the original Wired post out of the Black Hat conference: http://www.wired.com/2014/07/usb-security/

-Devin Connors, Tech Editor

trytoguess:
According to https://srlabs.de/badusb/ , these are the possibilities for BadUSB:

1. A device can emulate a keyboard and issue commands on behalf of the logged-in user, for example to exfiltrate files or install malware. Such malware, in turn, can infect the controller chips of other USB devices connected to the computer.

2. The device can also spoof a network card and change the computer's DNS setting to redirect traffic.

3. A modified thumb drive or external hard disk can - when it detects that the computer is starting up - boot a small virus, which infects the computer's operating system prior to boot.

In short, be worried.

Isn't Windows Secure Boot supposed to help prevent option 3 from occurring by not allowing un-trusted execution in the pre-boot environment? I wonder if this exploit is able to bypass that.

So basically BadUSB is the Boot Sector Virus of today. For those of you who don't know.. bootsector viruses were the most heinous viruses you could get back in the day of floppy disks.

The virus resided in the disk's boot sector, so just the very act of putting the disk in the drive and bringing up a directory tree was enough to infect the boot sector of the PC. From there any floppy that went into that system would have the virus transmitted to its boot sector and the cycle would continue. Very annoying.

This is about the same thing. But the fix is of course not the firmware but how the firmware is used by the system. Could be as simple as creating a sandbox for any USB interaction.

Welp, time to start using SD cards more, I suppose...

trytoguess:
According to https://srlabs.de/badusb/ , these are the possibilities for BadUSB:

1. A device can emulate a keyboard and issue commands on behalf of the logged-in user, for example to exfiltrate files or install malware. Such malware, in turn, can infect the controller chips of other USB devices connected to the computer.

2. The device can also spoof a network card and change the computer's DNS setting to redirect traffic.

3. A modified thumb drive or external hard disk can - when it detects that the computer is starting up - boot a small virus, which infects the computer's operating system prior to boot.

In short, be worried.

I've been searching around and I can't seem to find any specifics on the operating systems this affects. Basically I'm curious if this is an issue that will more likely affect Windows versus Unix based systems like Linux and Mac.

Naturally, one would assume that this would have very little effect on Linux systems since permissions prevent any user other than root from making changes to the system. A super user who is listed under wheel in the sudoers file could make system related changes as well, but still requires a password.

If this exploit can be used to allow keyboard commands to be passed to the computer, then naturally whoever is using the exploit would need to have the root/super user passwords to make any significant changes to the system. In theory, could this exploit be used to see someone's keystrokes for the purposes of compromising accounts and systems as well?

Some people just want to watch the computer tech world burn.

trytoguess:
According to https://srlabs.de/badusb/ , these are the possibilities for BadUSB:

1. A device can emulate a keyboard and issue commands on behalf of the logged-in user, for example to exfiltrate files or install malware. Such malware, in turn, can infect the controller chips of other USB devices connected to the computer.

Well, that's a nasty virus.

trytoguess:
2. The device can also spoof a network card and change the computer's DNS setting to redirect traffic.

Out of curiosity, what would this entail? Would it give you ads from sites that are heavily infected or what?

trytoguess:
3. A modified thumb drive or external hard disk can - when it detects that the computer is starting up - boot a small virus, which infects the computer's operating system prior to boot.

That's nasty as well, but someone has mentioned that Windows apparently has a Safety measure for that.

And again, the only real way for anyone to get the BadUSB Malware is to buy a USB that is tampered with to do so. Just ignore USB's from like Craigslist and you shouldn't get said virus.

Well done guys, while we're at it let's redirect an asteroid toward the Earth so the government develops a possibly nonexistent solution more quickly. [Initiate Slow Clap Subroutines]

If the dragon's asleep, don't poke it!

What absolute cunts. Demonstrating that a hack is possible so that people can try to fix it? Fine, whatever, go for it. Releasing the code so that anybody can use it, especially when it can potentially cause serious problems that could affect a vast majority of computer users is a major dick move. Doing all that when you are fairly certain that the exploit cannot be fixed in the name of "forcing their hand" is about the highest level of dickbaggery that you can achieve in regards to hacking. Well done, and fuck you.

why doesn't microsoft just make a feature in windows that, when you first insert a clean usb drive, it copies the firmware then restores that firmware on the device each time it is inserted?

Ah balls, I've known about this exploit for some time now and was kinda hoping there was a viable low-level solution (something that preempts or scans address assignments), but that doesn't seem likely.

Mr.Mattress:
You don't actually explain what BadUSB is other than Malware. What exactly does it do? Does it constantly add files until the computer is so overloaded that it's screwed over? Does it steal vital information or programs from your computer, thus making you dependent on the Bad USB? What exactly does it do?

It's an undetectable vulnerability. Worst case scenario, someone can use this exploit to gain complete control of your system. And because it's undetectable and unfixable, you may not even be aware that your system is compromised.

ohnoitsabear:
What absolute cunts. Demonstrating that a hack is possible so that people can try to fix it? Fine, whatever, go for it. Releasing the code so that anybody can use it, especially when it can potentially cause serious problems that could affect a vast majority of computer users is a major dick move. Doing all that when you are fairly certain that the exploit cannot be fixed in the name of "forcing their hand" is about the highest level of dickbaggery that you can achieve in regards to hacking. Well done, and fuck you.

If the intelligence agencies already have something like this, and it's smart to assume that they do, then they're pretty much in control of every infected device in the world and no one can do anything about it. This is why it's a good idea to release this code to the public, so that the solution can be found.

Mr.Mattress:

trytoguess:
2. The device can also spoof a network card and change the computer's DNS setting to redirect traffic.

Out of curiosity, what would this entail? Would it give you ads from sites that are heavily infected or what?

I used this some years ago (in a safe environment with the "victims" consent of course).

There were two things I did by redirecting the user to a modified version of some popular website.

1. He went to Google, whereas I redirected him to "my own version of Google". It worked just like the real deal, except that it had a Java applet embedded, which exploited one of the many security vulnerabilities in the Java browser plugin. I used this to get a shell on his machine.
I could down- and upload files, execute commands, record sound and take videos/pictures with his webcam (he used a laptop). Basically all the nice stuff.

2. When he went to Facebook and logged in, I got his email-address and password on my terminal...in clear text. A simple MITM (man in the middle) attack, where the login-data was passed through my machine before it went to the Facebook servers.

On a side-note:
Everybody, turn the Java browser plugin OFF!
It's barely used, but extremely dangerous regardless of platform (yes, also on Linux and Mac). Make sure that you turn it off for both 64 and 32 bit browsers.

seris:
why doesn't microsoft just make a feature in windows that, when you first insert a clean usb drive, it copies the firmware then restores that firmware on the device each time it is inserted?

Knowing Microsoft, it would say 'Windows has detected an error in this storage device and it must be formatted' while it contains anything from important work to a load of MP3s. They're dicks.

So basically BadUSB is the Boot Sector Virus of today. For those of you who don't know.. bootsector viruses were the most heinous viruses you could get back in the day of floppy disks.

The virus resided in the disk's boot sector, so just the very act of putting the disk in the drive and bringing up a directory tree was enough to infect the boot sector of the PC.

Uh no, a boot sector virus could only infect the computer if the disk was left in the computer and the system rebooted or shut down and restarted. They were easy to get around: just make sure you had nothing in the disk drive at boot and you rendered the virus inert. Avoiding this USB flaw is just as easy: don't go around letting anyone stick random USB drives in your computer. It is about the simplest exploit to avoid because it's one that requires physical access to your computer to be initiated.

1. A device can emulate a keyboard and issue commands on behalf of the logged-in user, for example to exfiltrate files or install malware. Such malware, in turn, can infect the controller chips of other USB devices connected to the computer.

2. The device can also spoof a network card and change the computer's DNS setting to redirect traffic.

3. A modified thumb drive or external hard disk can - when it detects that the computer is starting up - boot a small virus, which infects the computer's operating system prior to boot.

In short, be worried.

Nope,

1. The code seems to work by simulating the activities of a legit hardware device connected to your computer, i.e. no software is being used, so it can bypass anti-virus detection. However, at the end of the day viruses and malware require the activation and installation of software on the computer; deleting and changing key OS components requires the manipulation of installed files on the system, or to put it another way, it needs to change stuff that any competent anti-virus would alert the end user to. Unless the modified firmware on the drive also contains bypasses that automatically trigger the right key stroke presses to alerts generated by installed anti-virus products.

2. Yup and any semi competent firewall should pick up on the redirect

3. The aforementioned boot virus, totally circumvented by removing the drive from the computer prior to booting.

In short, only be worried if you happen to be someone who lets random strangers come into your house and stick any old USB drive they happen to have on them into your computer, and happen to be running said computer with no anti-virus, no firewall or any form of user-controlled software integrity checking in progress (Windows' VAC for example or Spybot's Teatime.)

If an exploit has a catchy name, chances are it's being blown out of proportion. (The same applies to media-relevant 0days, btw: If everyone knows, it's usually just a means to put PR pressure on the responsible party.)

BadUSB still requires physical access to your hardware. Be that a USB device you receive, or the PC itself. If an attacker has physical access to your hardware, you could have much worse issues than the BadUSB exploit.

Not to mention that firmware exploits are commonplace for other device types as well, and this has little to do with the USB standard. No firmware exploit can be truly prevented if you still want to be able to update the firmware.

Mr.Mattress:

And again, the only real way for anyone to get the BadUSB Malware is to buy a USB that is tampered with to do so. Just ignore USB's from like Craigslist and you shouldn't get said virus.

If it can in turn be picked up by a USB from an infected PC, then that precaution also needs to be extended to 'Do not put your USB in computers other than your own', which is a bit trickier.

And also 'don't let other people put their USB in your computer', which is often less of a big deal but still a possible problem for many.

Jadak:
If it can in turn be picked up by a USB from an infected PC, then that precaution also needs to be extended to 'Do not put your USB in computers other than your own', which is a bit trickier.

And also 'don't let other people put their USB in your computer', which is often less of a big deal but still a possible problem for many.

It's transmitted like an STD. We need USB condoms!

Isn't this the same exploit that the US and Israel used to infect the Iranian Nuclear Program? I mean this one has been known to government intelligence agencies for quite a bit of time. It's now a problem because it is out in the wild.

I find this practice of releasing code into the wild just to put pressure on companies to be misguided. What you're really doing is handing to the REAL criminals, the ones that have no qualms whatsoever what damage they do, the very tools that they need to harm millions of innocents, and you gave that to them FOR FREE! The criminals don't need to be smart because they have idealistic tech dumb-asses that do all the hard work for them and then release the code in the wild for free. The most work the criminals need to do is a simple Google search. Same for those who release information they hacked from various databases. Essentially, those who do such things, in my opinion, are every bit as much responsible for any criminal activity that occurs using the code or information they published, because they knowingly published such code and information with the express purpose of letting such criminal elements be able to easily access and use it. Simply put, it's just irresponsible, and those doing it, in my opinion, should be held equally liable for any damage that occurs.

This is NOT like handing some arbitrary person a hammer and then that person uses it to kill someone rather than the purpose for which the hammer is intended, hammering nails. Instead, this is like handing an AK-47 (a tool that's designed with the primary intent of killing someone), to a known, unreformed sociopathic killer after he's told you he's planning to kill some people and then having the nerve to act all surprised that he went out and massacred a neighborhood. Sure, you can argue that he could have gotten the gun from anywhere, but that doesn't change the fact that it was YOU specifically that gave him the gun with the full knowledge of who he is and what he planned to do.

Now that gives me an idea of how to force the researchers to speed up their work on the Ebola vaccine...

Fulbert:
Now that gives me an idea of how to force the researchers to speed up their work on the Ebola vaccine...

Pretty much what I was thinking too. While I understand and can appreciate the sentiment of releasing the info I don't really see how that is going to help by bringing it more to the attention of those who may take advantage of it. Even if it does "force their hand" that's assuming they even can come up with a viable solution, and even if they do that they could get it out to the public in a timely fashion. Best case scenario even more people are going to get hacked while waiting for a solution that has no guarantee of even coming....*golf clap* well done guys.

Well, just like sex: do not stick your brick into holes you do not know are clean...

But seriously, call in the swan song for usb and bring us something new. ^^

TheSniperFan:
On a side-note:
Everybody, turn the Java browser plugin OFF!
It's barely used, but extremely dangerous regardless of platform (yes, also on Linux and Mac). Make sure that you turn it off for both 64 and 32 bit browsers.

what if it's set to "ask to activate" by default on firefox?

As this requires rewritten firmware, this isn't really a threat to most people unless you regularly use unknown/untrusted USB devices.

P.S. Thanks

So, don't use college, library or any public computer of any kind. I'm glad I finished my degree because I never would've been able to pass English with this exploit around. I wrote all my essays on their computers.

Laughing Man:

So basically BadUSB is the Boot Sector Virus of today. For those of you who don't know.. bootsector viruses were the most heinous viruses you could get back in the day of floppy disks.

The virus resided in the disk's boot sector, so just the very act of putting the disk in the drive and bringing up a directory tree was enough to infect the boot sector of the PC.

Uh no, a boot sector virus could only infect the computer if the disk was left in the computer and the system rebooted or shut down and restarted. They were easy to get around: just make sure you had nothing in the disk drive at boot and you rendered the virus inert. Avoiding this USB flaw is just as easy: don't go around letting anyone stick random USB drives in your computer. It is about the simplest exploit to avoid because it's one that requires physical access to your computer to be initiated.

1. A device can emulate a keyboard and issue commands on behalf of the logged-in user, for example to exfiltrate files or install malware. Such malware, in turn, can infect the controller chips of other USB devices connected to the computer.

2. The device can also spoof a network card and change the computer's DNS setting to redirect traffic.

3. A modified thumb drive or external hard disk can - when it detects that the computer is starting up - boot a small virus, which infects the computer's operating system prior to boot.

In short, be worried.

Nope,

1. The code seems to work by simulating the activities of a legit hardware device connected to your computer, i.e. no software is being used, so it can bypass anti-virus detection. However, at the end of the day viruses and malware require the activation and installation of software on the computer; deleting and changing key OS components requires the manipulation of installed files on the system, or to put it another way, it needs to change stuff that any competent anti-virus would alert the end user to. Unless the modified firmware on the drive also contains bypasses that automatically trigger the right key stroke presses to alerts generated by installed anti-virus products.

2. Yup and any semi competent firewall should pick up on the redirect

3. The aforementioned boot virus, totally circumvented by removing the drive from the computer prior to booting.

In short, only be worried if you happen to be someone who lets random strangers come into your house and stick any old USB drive they happen to have on them into your computer, and happen to be running said computer with no anti-virus, no firewall or any form of user-controlled software integrity checking in progress (Windows' VAC for example or Spybot's Teatime.)

See, that is what I thought, but as much as I am the "Tech Guy" in my family, I really don't have a deep level of understanding about this stuff. It is good to know that there are simple precautions that we can take to prevent our computers from getting this virus.

On one hand, Micro (or was it mini? the smallest USB) can go screw itself coz of those damned delicate connectors ruining my ability to charge stuff. On the other hand I use USB a lot.

Captcha: Enjoy life
"I tell you to enjoy life I wish I could but it's too late"

Isn't this the same exploit that the US and Israel used to infect the Iranian Nuclear Program? I mean this one has been known to government intelligence agencies for quite a bit of time. It's now a problem because it is out in the wild.

A problem to the extent that you require physical access to the host computer to plug the infected USB drive into. Or that it requires astronomical levels of stupidity from the end user, as it requires someone dumb enough to just plug any old USB drives into their computers. It also won't affect all USB devices, as it will only work on USB drives that can have their firmware flashed.

What you're really doing is handing to the REAL criminals, the ones that have no qualms whatsoever what damage they do, the very tools that they need to harm millions of innocents

This is quite literally the worst possible way for cyber criminals to infect a target computer, as these sorts usually prefer to do their work from afar behind the anonymity afforded them by performing their actions over the internet. So yes, unless millions of innocents are letting strange men into their houses to plug random USB drives into their computers, I can't really see how this is a major problem.

Thankfully most modernized countries have the ability to bypass this problem for the most part with Bluetooth. Otherwise ya, USB is on its way out with this sort of problem. Then again Bluetooth isn't exactly bullet proof either. This will mostly be a boon for BotNet creators.
