Solutions against reprogramming USB controllers exist

Aug 17, 2014 16:06 GMT

The BadUSB talk at the Black Hat security conference, and the media coverage of the subject before and after the event, stirred up regular users, who were left with the idea that malware in firmware can propagate from one USB device to another with no way to prevent infection.

Each USB device is powered by a micro-controller chip, programmed to identify its type and functionality, allowing the system to load whatever drivers are needed.

SR Labs researchers Karsten Nohl and Jakob Lell demonstrated at the Las Vegas conference how easy it is for a USB storage device, reprogrammed as a keyboard or as a portable network adapter, to compromise the computer; the malicious code would be present in the firmware and executed when the gadget is plugged in.

In one example, the duo demonstrated on stage how a regular thumb drive was passed to the system as a keyboard. In another, they showed a device of the same class posing as an Ethernet adapter; in both cases, the end result would be compromising the systems.
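How the declared type reaches the host, and a check built on it, as an added example that is not from the original article or from the researchers: a device announces its functions through interface descriptors, so a host can compare what a stick declares with what it is supposed to be. The descriptor bytes are constructed, and the policy that a device inventoried as storage declares only the storage class is an assumption.

```c
#include <stdint.h>
#include <stdio.h>
#define DT_INTERFACE 0x04 /* bDescriptorType of an interface descriptor */
#define CLS_CDC      0x02 /* communications class, used by network adapters */
#define CLS_HID      0x03 /* human interface devices: keyboards, mice */
#define CLS_STORAGE  0x08 /* mass storage */
enum { SEEN_STORAGE = 1, SEEN_HID = 2, SEEN_NET = 4, MALFORMED = 8 };

/* Walk a raw configuration descriptor; return a bitmask of declared classes. */
unsigned usb_declared_classes(const uint8_t *d, size_t len)
{
    unsigned seen = 0;
    for (size_t off = 0; off < len; off += d[off]) {
        if (len - off < 2 || d[off] < 2 || d[off] > len - off)
            return seen | MALFORMED;      /* truncated or zero-length entry */
        if (d[off + 1] != DT_INTERFACE) continue;
        if (d[off] < 9) return seen | MALFORMED; /* interface descriptor is 9 bytes */
        switch (d[off + 5]) {             /* bInterfaceClass */
        case CLS_STORAGE: seen |= SEEN_STORAGE; break;
        case CLS_HID:     seen |= SEEN_HID;     break;
        case CLS_CDC:     seen |= SEEN_NET;     break;
        }
    }
    return seen;
}

/* Policy (assumed): a device inventoried as storage declares nothing else. */
int storage_device_is_suspicious(const uint8_t *d, size_t len)
{
    return (usb_declared_classes(d, len) & (SEEN_HID | SEEN_NET | MALFORMED)) != 0;
}

/* Constructed descriptors, endpoints omitted; not captured from hardware. */
static const uint8_t plain_stick[] = {
    9, 0x02, 18, 0, 1, 1, 0, 0x80, 50,      /* configuration header */
    9, 0x04, 0, 0, 0, 0x08, 0x06, 0x50, 0   /* mass-storage interface */
};
static const uint8_t stick_plus_keyboard[] = {
    9, 0x02, 27, 0, 2, 1, 0, 0x80, 50,
    9, 0x04, 0, 0, 0, 0x08, 0x06, 0x50, 0,
    9, 0x04, 1, 0, 0, 0x03, 0x01, 0x01, 0   /* HID boot keyboard interface */
};

int main(void)
{
    printf("plain: %d, with keyboard: %d\n",
           storage_device_is_suspicious(plain_stick, sizeof plain_stick),
           storage_device_is_suspicious(stick_plus_keyboard, sizeof stick_plus_keyboard));
}
```

The check only compares what the device declares with what it was expected to be; it cannot inspect the firmware itself.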

The implications of this discovery bring even more bad news because there is the possibility for the malicious firmware to spread to other USB controllers, which would make the infection persistent; basically, any USB device (mass storage, webcam, mobile phone) hooked to that machine should be considered compromised.

At first glance, there does not seem to be much that can be done to protect against attacks perpetrated this way, especially since even the BIOS of the computer may be replaced in this manner.

On the same note, malware scanners are of no help because they cannot check the firmware without its cooperation, and malicious firmware could impersonate legitimate firmware, making security products useless.

Indeed, a USB device reprogrammed for malicious purposes would be a serious pain to deal with, but there is a silver lining.

The two researchers went through plenty of difficulties to complete their study and demonstrate the dangers of tampering with the firmware of USB controller chips.

They did not come up with this security glitch overnight. To illustrate such a digital apocalypse, where there is no apparent line of defense against threat actors taking control of users’ computers save for not using USB devices at all, Nohl, Lell and their colleague Sascha Krißler chose to reprogram a type of USB controller chip that is widely used in USB gadgets.

Months were required to reverse engineer the firmware for the devices used in the demonstration, showing that the task is not easy to carry out.

However, before this can be done, a version of the firmware and the tool for flashing the controller are required. Neither is readily available on the Internet. Understanding how the firmware works and being able to alter it to add different functionality to the device is also work that requires time and effort.

Apart from this, BadUSB malware can be distributed only to compatible devices. Using different products with different controller chips should ensure a higher degree of protection against this threat.

But one solution that stands out is relying on secure USB devices that have the controller firmware locked and protected against unauthorized modifications. This is achievable through a tamper-proof mechanism.

“In order to block BadUSB, USB storage devices need to prevent a hacker from reading or changing the firmware and ensure that the firmware is digitally signed so if it did get modified, the secure device will not operate with the modified firmware,” Ken Jones, vice president of engineering and product management at Imation Mobile Security, said via email.

Cryptographic code-signing is not an approach that can be easily adopted by all manufacturers. At the moment, only devices aimed at professionals and enterprise environments provide this sort of security.

IronKey from Imation relies on FIPS 140-2 Level 3 certification to ensure the integrity of the product; products from Spyrus adopted the same standard and also offer selective hardware disabling of update processes.

Jones also said that because of the challenges posed by securing firmware in the device, USB manufacturers will start to “differentiate themselves by offering secure solutions.”

Another solution against BadUSB is to rely on simpler hardware that does not need firmware updates after leaving the factory. “Note however, that unless a device is tamper-proof/tamper-evident, there may still be the possibility that a device can be compromised physically and firmware modified,” says Jones.

On the same note, Bogdan Botezatu, senior threat analyst at Bitdefender, said that there is no guarantee that the USB device has not been tampered with in the production or delivery chain.

In the Black Hat presentation, the researchers say that USB devices can be built with some sort of software lock that prevents them from being reprogrammed.

However, this type of attack has just been made public and this may have already sparked a few wrong ideas. Because most (read “billions”) of the USB devices on the market do not enforce any type of protection against firmware tampering, cybercriminals will, at some point, take advantage of this slip-up.

But this won't happen too soon – finding the tools and understanding how everything works is a long-term investment not many will be ready to make right now.

Replacing the vulnerable devices requires both time and an alternative that is both secure and cheap, in order to be adopted en masse.