Firmware signing would be a good move from USB makers

Oct 5, 2014 15:05 GMT

When news about BadUSB came out this summer, the threat was presented as having no fix, not only for the millions of USB drives already sold but also for those still being purchased.

Nothing has changed since SR Labs researchers Karsten Nohl and Jakob Lell made the attack method known at the Black Hat security conference in Las Vegas this year.

Hundreds of millions of devices can be reprogrammed

The duo showed the audience a set of attacks leveraging modified firmware for the micro-controllers made by a particular company. They demonstrated that a USB thumb drive, which is generally regarded only as a storage device, can change its profile to appear as a different type of device and carry out malicious actions on the computer it is plugged into.

Scenarios included making the USB drive spoof an Ethernet adapter, which can hand the Windows host a DNS server of the attacker's choosing and thus route its name lookups through the attacker's server, or emulate a keyboard and type commands into the machine.

The researchers' presentation (available in full below) and the demonstration they gave are particularly important because they revealed that a class of device already used by hundreds of millions of people can be reprogrammed to work against us.

However, the fact that the researchers spent months finding and reverse-engineering the firmware to build the attack scenarios was somewhat reassuring: it was clear that this could not be pulled off overnight by just anyone.

Instructions for BadUSB have been released

Also contributing to the feeling of apparent safety was the fact that the knowledge needed to exploit insecure firmware was limited to the researchers, as they did not release the custom tools they created to modify and flash the firmware, nor the code used for the attacks (except for a proof-of-concept for Android that is harder to turn into a practical attack).

Well, this is no longer the case, because two other security researchers, Adam Caudill and Brandon Wilson, replicated BadUSB and released to the public the custom tools they used to modify the firmware.

Beyond that, they provided firmware patches that change the behavior of the USB drive, along with documentation on how to apply them.

As such, the apparent safety bubble around us has burst: any skilled programmer now has the means to repurpose a USB thumb drive for anything they want, including nefarious activities.

Attack vector is difficult to detect

Motivated wrong-doers with sufficient skill to dissect the firmware and modify it for their intent have been offered new means of attack.

How many people who find a USB drive lying on the floor take it to the "lost and found" instead of picking it up for their own use? I doubt there are many; and a dropped drive is one of the simplest ways to make sure a malicious USB device reaches a victim.

BadUSB attacks can also spread to other USB devices: a compromised computer can reprogram the controller of any drive plugged into it. Since drives are generally used on at least two computers, the malicious code can propagate and infect a large number of systems in a relatively short period of time.

Malware scanners cannot detect this type of attack, because the infection lives in the controller's firmware, a place they cannot read; and the host has no built-in way to tell that a device's firmware has been altered, or to stop a compromised machine from reprogramming other devices.

A tampered device can thus pass security screening from IT administrators and compromise computers in a company.
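What a host can see is the set of interface descriptors a device presents when it enumerates, which is exactly what the keyboard and Ethernet-adapter demonstrations depend on: the drive has to announce a HID or network interface to the operating system. The following added example (not code from the page, the researchers, or any existing tool) is a per-port allowlist that flags a storage device that also enumerates as a keyboard or network adapter. The port names, vendor IDs and serial numbers are constructed for the example. It inspects only the descriptors, not the firmware, so a reprogrammed drive that enumerates purely as a keyboard on a port where keyboards are allowed still passes; it narrows the attack rather than closing it.

```python
# Interface class codes from the USB-IF class code table.
MASS_STORAGE = 0x08
HID = 0x03
CDC_CONTROL = 0x02
CDC_DATA = 0x0A
WIRELESS = 0xE0
NETWORK = {CDC_CONTROL, CDC_DATA, WIRELESS}


def audit_device(dev, allowed):
    """Return (permitted, reason) for one enumerated device.

    dev: {"interfaces": [bInterfaceClass, ...], ...}
    allowed: set of class codes permitted on the port the device appeared on.
    Only the descriptors the device presents are inspected; the firmware is
    out of reach, so a device that enumerates as a plain keyboard on a port
    where keyboards are allowed is permitted.
    """
    classes = set(dev["interfaces"])
    extra = classes - allowed
    if not extra:
        return True, "all interfaces permitted"
    if MASS_STORAGE in classes and HID in extra:
        return False, "storage device also enumerates as a keyboard (HID)"
    if MASS_STORAGE in classes and extra & NETWORK:
        return False, "storage device also enumerates as a network adapter"
    return False, "unexpected interface class(es): " + ", ".join(
        f"0x{c:02X}" for c in sorted(extra))


def audit_all(devices, policy):
    """policy maps a port name to its allowed class set.

    Returns a list of (serial, permitted, reason) in input order.
    """
    return [(d["serial"],) + audit_device(d, policy[d["port"]]) for d in devices]


# Constructed sample enumeration records (not captured from real hardware;
# vendor/product IDs are placeholders).
SAMPLE_DEVICES = [
    {"port": "usb1-1", "vid": 0x1234, "pid": 0x0001, "serial": "DRIVE-A",
     "interfaces": [MASS_STORAGE]},                        # ordinary thumb drive
    {"port": "usb1-2", "vid": 0x1234, "pid": 0x0001, "serial": "DRIVE-B",
     "interfaces": [MASS_STORAGE, HID]},                   # drive that also types
    {"port": "usb1-3", "vid": 0x1234, "pid": 0x0001, "serial": "DRIVE-C",
     "interfaces": [MASS_STORAGE, CDC_CONTROL, CDC_DATA]}, # drive plus fake Ethernet
    {"port": "usb2-1", "vid": 0x5678, "pid": 0x0002, "serial": "KBD-1",
     "interfaces": [HID]},                                 # keyboard on a keyboard port
]

# Ports usb1-* are reserved for storage, usb2-1 for the keyboard.
POLICY = {
    "usb1-1": {MASS_STORAGE},
    "usb1-2": {MASS_STORAGE},
    "usb1-3": {MASS_STORAGE},
    "usb2-1": {HID},
}

if __name__ == "__main__":
    for serial, ok, why in audit_all(SAMPLE_DEVICES, POLICY):
        print(f"{serial:8} {'ALLOW' if ok else 'BLOCK'}  {why}")
```

On Linux the same class codes are what `lsusb -v` prints as `bInterfaceClass`, so the check maps directly onto data the host already has at enumeration time.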

Until the instructions for making a USB drive do more than it was built for were released, this type of attack was within reach only of organizations with large budgets for research into new attack methods. The NSA might have been using this vector even before Nohl and Lell presented their work at Black Hat.

USB makers need to improve firmware security

The reason behind publishing the tools and the code for running BadUSB attacks is the belief that “all of this should be public, it shouldn’t be held back,” Caudill said at the end of the Derbycon presentation.

This could have a twofold effect: users may become more cautious with thumb drives from unknown sources, and manufacturers may start paying more attention to the security of their products, since doing so could make them stand out from the crowd.

Caudill and Wilson modified the firmware of a Phison controller, one of the most common in USB drives, but controllers from other makers can be modified too.

“Phison isn’t the only player here, though they are the most common - I’d love to see them take the lead in improving security for these devices. They have an opportunity to stand up and protect users - as the most common provider of these controllers, I’d truly love to see them take this as an opportunity to lead the industry,” the security researcher said.

Digitally signed firmware is one solution to the problem

One defense against BadUSB is to use devices with digitally signed firmware: the controller itself checks the signature before accepting an update, so the drive will not run code that the manufacturer did not sign. Some vendors already offer this, although such devices cost more than regular drives. The check has to live in the controller, not on the host, because a host cannot see what the controller is running.

Another way for manufacturers to keep threat actors from altering their firmware is to make sure the code cannot be changed once the device leaves the factory, for instance by permanently disabling the firmware-update command.
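The two measures above, as an added example that is not code from the page, the researchers, or any controller vendor: a simulated controller that only accepts firmware updates carrying a valid signature, with an optional factory lock that disables updates altogether. To run with only the standard library it uses a toy Lamport one-time signature over SHA-256 in place of the RSA or ECDSA signature a real controller would verify; the security argument is the same, in that an attacker who rewrites the image cannot produce a signature for it without the vendor's private key, and the verification key is assumed to sit in mask ROM where the update path cannot overwrite it. The firmware image is a constructed byte string, not real controller code, and each Lamport key pair may sign exactly one image.

```python
import hashlib
import secrets

# Toy Lamport one-time signature over SHA-256, standing in for the RSA/ECDSA
# signature a real controller would check. One key pair signs ONE image only.
H = hashlib.sha256


def keygen():
    """Private key: 256 pairs of random 32-byte secrets; public key: their hashes."""
    priv = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pub = [(H(a).digest(), H(b).digest()) for a, b in priv]
    return priv, pub


def _bits(image):
    """Bits of SHA-256(image), most significant bit first."""
    d = int.from_bytes(H(image).digest(), "big")
    return [(d >> (255 - i)) & 1 for i in range(256)]


def sign(priv, image):
    """For each digest bit, reveal the secret that corresponds to that bit value."""
    return b"".join(priv[i][b] for i, b in enumerate(_bits(image)))


def verify(pub, image, sig):
    """Hash each revealed secret and compare it with the public value for that bit."""
    if len(sig) != 256 * 32:
        return False
    for i, b in enumerate(_bits(image)):
        if H(sig[i * 32:(i + 1) * 32]).digest() != pub[i][b]:
            return False
    return True


class Controller:
    """Simulated USB controller exposing a vendor firmware-update command.

    `pub` models the verification key burned into mask ROM (assumed not to be
    writable through the update path); `locked` models a factory fuse that
    disables the update command entirely.
    """

    def __init__(self, pub, locked=False):
        self.pub = pub
        self.locked = locked
        self.firmware = b"factory-image"

    def update(self, image, sig):
        if self.locked:
            return "rejected: updates disabled at factory"
        if not verify(self.pub, image, sig):
            return "rejected: bad signature"
        self.firmware = image
        return "accepted"


# Constructed stand-in for a firmware image (not real controller code).
VENDOR_IMAGE = b"example-fw 1.0;descriptor bInterfaceClass=0x08;handlers=scsi"


def run_demo():
    priv, pub = keygen()
    sig = sign(priv, VENDOR_IMAGE)

    ctl = Controller(pub)
    ok = ctl.update(VENDOR_IMAGE, sig)

    # Attacker edits the image so the drive enumerates as a keyboard (HID, 0x03)
    # but has no way to sign it; the old signature no longer matches.
    tampered = VENDOR_IMAGE.replace(b"bInterfaceClass=0x08", b"bInterfaceClass=0x03")
    bad = ctl.update(tampered, sig)

    # A controller locked at the factory rejects even a correctly signed update.
    locked = Controller(pub, locked=True).update(VENDOR_IMAGE, sig)
    return ok, bad, locked


if __name__ == "__main__":
    print(run_demo())
```

Signing costs nothing at runtime beyond a hash and a comparison per update, which is why the price difference the text mentions is mostly about the key-management and boot-ROM engineering rather than the silicon.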

At the Derbycon hacker conference last week, Caudill and Wilson gave three demonstrations using USB storage drives whose firmware had been modified (either completely or partially) to do things beyond what they were built for.

They showed scenarios that involved impersonation of a keyboard, completely hiding storage space and accessing it only when the “eject” command was given, and bypassing the protection of a partition secured with a password.

One important aspect to keep in mind is that BadUSB is not a vulnerability or a flaw in the usual sense, because all the alterations presented by the researchers are compliant with the USB specifications; the devices are simply reprogrammed to become something else, and the USB protocol gives the host no way to verify that a device is what it claims to be.

In the end, the availability of the tools and code needed to run BadUSB attacks should raise awareness among users about plugging in unknown thumb drives, as well as push manufacturers to step up their security measures.

Karsten Nohl and Jakob Lell BadUSB presentation at Black Hat USA 2014:

BadUSB demonstration by Adam Caudill and Brandon Wilson, at Derbycon security conference in Louisville, Kentucky: