Researchers push for signed firmware updates

Oct 3, 2014 23:19 GMT

Two security researchers replicated the code for BadUSB malware and released it to the public, putting USB makers in the difficult position of finding a quick solution for protecting the device firmware against manipulation.

BadUSB was first presented at the Black Hat security conference in Las Vegas this year by SR Labs researchers Karsten Nohl and Jakob Lell.

They showed the audience how a USB thumb drive with maliciously crafted firmware could be used to impersonate different devices, from keyboards to Ethernet adapters, in order to compromise the target system through different methods of attack.

At the Derbycon hacker conference last week, Adam Caudill and Brandon Wilson also demonstrated how a USB device can be used for malicious purposes and made the code for some of the attacks available.

Firmware used for millions of devices is modified for different functions

The researchers reverse-engineered the firmware for microcontrollers made by Phison, a company in Taiwan, which are integrated in the majority of USB devices currently sold around the globe.

Given how popular these controllers are, the functionality of hundreds of millions of USB devices can be modified.

Caudill and Wilson showed the audience at the conference that USB devices with Phison 2251-03 microcontrollers can be altered to cater for different applications.

In one example the two researchers demonstrated that a hidden storage area can be created on the USB unit, and accessed upon a specific command, like ejecting the device.

The duo said that the hidden partition is not visible even when dedicated analysis tools are employed; this type of set-up would allow an attacker to easily exfiltrate data from a company.

The firmware patch developed by the two “divides the NAND space into two partitions, and the firmware lies about the size, to indicate that only half of the space is there. The “public” section is the first that’s mounted, and only a specific action will cause the second, hidden partition to become visible,” Caudill said in a blog post.

Current defense options cannot be applied to all USB devices users have

All tools and documentation used for the research have been made public, in the hope that device manufacturers will hurry and deliver safer devices.

Protecting the firmware against modifications can be done in two ways. One involves digital signing so that the device can authenticate new firmware being applied as coming from a trusted source.

The other method consists of locking the device so that it does not accept new firmware once it leaves the factory.
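The two defenses described above, modeled as a device-side update gate. This is an added example, not code from the researchers or from Phison: the `Controller` class and all function names are hypothetical, and a Lamport one-time hash-based signature stands in for the vendor's signing scheme so that the block runs with only the Python standard library.

```python
import hashlib
import secrets

def _bits(image: bytes):
    """Return the 256 bits of SHA-256(image), most significant bit first."""
    digest = hashlib.sha256(image).digest()
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def vendor_keygen():
    """Vendor side: Lamport one-time key pair. One pair signs ONE image; a real
    vendor would use a many-time scheme such as RSA, ECDSA or Ed25519."""
    secret = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    public = [(hashlib.sha256(a).digest(), hashlib.sha256(b).digest()) for a, b in secret]
    return secret, public

def vendor_sign(secret, image: bytes):
    """Vendor side: reveal one secret preimage per bit of the image digest."""
    return [secret[i][bit] for i, bit in enumerate(_bits(image))]

def verify(public, image: bytes, signature) -> bool:
    """Device side: each revealed preimage must hash to the pinned public value
    selected by the corresponding bit of the image digest."""
    if signature is None or len(signature) != 256:
        return False
    return all(hashlib.sha256(signature[i]).digest() == public[i][bit]
               for i, bit in enumerate(_bits(image)))

class Controller:
    """Hypothetical USB controller. The public key is fixed at manufacture and
    cannot be replaced through the update path."""
    def __init__(self, public, firmware: bytes, locked: bool = False):
        self.public, self.firmware, self.locked = public, firmware, locked

    def update(self, image: bytes, signature=None) -> str:
        # Defense 2: a locked device accepts no firmware after the factory.
        if self.locked:
            return "rejected: device locked"
        # Defense 1: only firmware signed by the trusted source is flashed.
        if not verify(self.public, image, signature):
            return "rejected: bad or missing signature"
        self.firmware = image
        return "accepted"
```

The check only helps if it runs inside the controller before anything is written to flash; a check performed by the host-side update tool can be bypassed by any other tool that speaks the update protocol.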

At the moment there are some manufacturers that deliver devices with one of these solutions implemented; but the majority of the USB units already available to users lack both of them.

“We really hope that releasing this [tools and instructions to modify firmware] will push device manufacturers to insist on signed firmware updates, and that Phison will add support for signed updates to all of the controllers it sells,” Caudill wrote.

Products from manufacturers other than Phison can be abused in this way, but they are not as widespread, said Caudill.