Tuesday, August 19, 2014

USB Vulnerabilities: Not a New Concept

A couple of weeks ago, Las Vegas hosted the annual Black Hat hacker convention. One of the more publicized presentations to come out of the event was the disclosure that USB devices have security flaws (gasp). Researchers Karsten Nohl and Jacob Lell from SR Labs gave a talk entitled "BadUSB: On accessories that turn evil." In the presentation, Nohl and Lell demonstrated "a collection of proof-of-concept malicious software that highlights how the security of USB devices has long been fundamentally broken." They accomplished this exploit with a homemade piece of malware they call BadUSB. Once installed on a USB device, BadUSB has the ability to "completely take over a PC, invisibly alter files installed from the memory stick, or even redirect the user's internet traffic" (Greenberg, 2014). Perhaps the most damaging aspect of this exploit is that the program resides in the firmware of the device, not in its flash memory storage. This allows BadUSB to remain virtually undetectable to traditional antivirus programs. Nohl and Lell accomplished this feat over the course of a couple of months by reverse engineering USB device firmware. Using this technique, the SR Labs researchers were able to effect a proof-of-concept attack that could be applied to any number of devices, from USB drives to mice and keyboards. Nohl and Lell have personally carried out the attack on USB memory sticks and an Android handset. BadUSB has the potential to allow an attacker to replace software, impersonate a USB keyboard, change a computer's DNS settings, or even act as a covert listening device.

Interestingly enough, firmware attacks against USB devices are not a new concept. Sean Kalinich (2014) of the website Decrypted Tech mused about the short memory of the technical press. In 2009 an exploit was discovered that infected the firmware of Mac keyboards, and in 2011 Mac hacker Charlie Miller carried out a similar attack against Macintosh batteries. Miller's attack, delivered through the firmware update process, could physically damage a Mac by maliciously altering the computer's charging system. Given Kalinich's comments about the tech industry's short memory, I did a little more research and found an even earlier example of firmware attacks, from Black Hat 2005. At that convention, Darrin Barrall and David Dewey from SPI Dynamics gave a demo entitled "Plug and Root, the USB key to the kingdom." Ten years ago Barrall and Dewey illustrated the dangers of hardware Trojans by re-flashing USB devices.

Although the concept isn't new, the one constant since 2005 is the threat this exploit represents and the difficulty of defending against it. When editors from Wired contacted the USB Implementers Forum about the vulnerability, a spokesperson for the organization told the magazine that "consumers should always ensure their devices are from a trusted source and that only trusted sources interact with their devices" (Greenberg, 2014). Given the lack of a more permanent fix, this short-term advice appears to be the prevailing consensus. Rather than hardening firmware or hardware, the easiest solution is a fundamental shift in how USB devices are employed. Individuals and organizations alike must change their mindset to increase awareness of the dangers malware like BadUSB represents. A USB drive that has touched an untrusted computer should never be plugged back into a trusted one. Similarly, system administrators must enforce stricter USB policies that eliminate the use of outside peripherals on their networks. Perhaps the most disturbing part of this entire story is the realization that this flaw may already have been exploited by the NSA and other international spy agencies. University of Pennsylvania computer science professor Matt Blaze theorized this after reading information disclosed in the Edward Snowden leaks. An internal NSA document details a device known as Cottonmouth, which hid inside a USB peripheral plug and surreptitiously installed malware on a target's machine (Greenberg, 2014).
Sound familiar?
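The "stricter USB policies" the post calls for need something to enforce them with, and one cheap defensive check is to watch what a newly attached device actually enumerates as. A device that registers both a mass-storage interface and a keyboard is the classic BadUSB profile the post describes. The script below is an added example written for this page, not code from SR Labs, Wired, or any of the researchers cited; the kernel log lines, the vendor/product IDs, and the allowlist are all constructed placeholders in the style of Linux USB subsystem messages, and the rule names and thresholds are my own assumptions.

```python
"""Flag newly attached USB devices whose enumeration profile looks like a
keyboard-impersonating storage device (the BadUSB pattern), or a keyboard the
organization never issued. Added example; the log excerpt is constructed."""
import re
from collections import defaultdict

# Constructed allowlist of keyboard models the organization actually issues,
# as (idVendor, idProduct) pairs in uppercase hex. Placeholder values, not real IDs.
KNOWN_KEYBOARDS = {("1111", "2222")}

# Three kernel messages carry what we need: the enumeration line (IDs + port
# path), the mass-storage driver binding (port path), and the HID binding (IDs).
NEW_DEV = re.compile(
    r"usb (?P<port>[\d.-]+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-fA-F]{4}), idProduct=(?P<pid>[0-9a-fA-F]{4})")
STORAGE = re.compile(
    r"usb-storage (?P<port>[\d.-]+):\d+\.\d+: USB Mass Storage device detected")
HID = re.compile(
    r"hid-generic \d{4}:(?P<vid>[0-9A-Fa-f]{4}):(?P<pid>[0-9A-Fa-f]{4})\.\d+: "
    r".*USB HID v[\d.]+ (?P<kind>\w+) \[")

# Constructed dmesg excerpt: a "flash disk" that also binds as a keyboard, an
# issued keyboard, and an ordinary mouse.
SAMPLE_DMESG = """\
[  101.201] usb 1-1: new high-speed USB device number 4 using xhci_hcd
[  101.352] usb 1-1: New USB device found, idVendor=abcd, idProduct=0001, bcdDevice= 1.00
[  101.352] usb 1-1: Product: Flash Disk
[  101.401] usb-storage 1-1:1.0: USB Mass Storage device detected
[  101.455] hid-generic 0003:ABCD:0001.0002: input,hidraw1: USB HID v1.11 Keyboard [Flash Disk] on usb-0000:00:14.0-1/input1
[  205.104] usb 1-2: New USB device found, idVendor=1111, idProduct=2222, bcdDevice= 1.00
[  205.120] hid-generic 0003:1111:2222.0003: input,hidraw2: USB HID v1.10 Keyboard [Issued Keyboard] on usb-0000:00:14.0-2/input0
[  310.003] usb 1-3: New USB device found, idVendor=3333, idProduct=4444, bcdDevice= 2.00
[  310.050] hid-generic 0003:3333:4444.0004: input,hidraw3: USB HID v1.11 Mouse [Desk Mouse] on usb-0000:00:14.0-3/input0
"""


def parse_usb_events(lines):
    """Group log lines by (idVendor, idProduct); record ports and interface kinds."""
    port_to_id = {}
    devices = defaultdict(lambda: {"ports": set(), "interfaces": set()})
    for line in lines:
        m = NEW_DEV.search(line)
        if m:
            key = (m["vid"].upper(), m["pid"].upper())
            port_to_id[m["port"]] = key
            devices[key]["ports"].add(m["port"])
            continue
        m = STORAGE.search(line)
        if m and m["port"] in port_to_id:
            # usb-storage names only the port, so map it back to the IDs seen there.
            devices[port_to_id[m["port"]]]["interfaces"].add("storage")
            continue
        m = HID.search(line)
        if m:
            key = (m["vid"].upper(), m["pid"].upper())
            devices[key]["interfaces"].add(m["kind"].lower())
    return dict(devices)


def find_suspicious(devices, known_keyboards=KNOWN_KEYBOARDS):
    """Return [(ids, reason)] for devices that violate the two rules below."""
    findings = []
    for key, info in devices.items():
        ifaces = info["interfaces"]
        if "keyboard" in ifaces and "storage" in ifaces:
            findings.append((key, "storage device also registered as a keyboard"))
        elif "keyboard" in ifaces and key not in known_keyboards:
            findings.append((key, "keyboard not on allowlist"))
    return findings


def scan(text=SAMPLE_DMESG):
    """Run both rules over a dmesg-style text blob."""
    return find_suspicious(parse_usb_events(text.splitlines()))


if __name__ == "__main__":
    for (vid, pid), reason in scan():
        print(f"ALERT {vid}:{pid}: {reason}")
```

Two caveats a practitioner should keep in mind. Reprogrammed firmware can present whatever vendor and product IDs it likes, so an ID allowlist is a detection aid rather than a boundary; the stronger signal here is the dual-role profile, a keyboard appearing on a port that was expected to hold only storage. And because the code keys on kernel log text, it belongs in a log pipeline that the device cannot tamper with, not on the workstation alone.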

References
Barrall, D. and Dewey, D. (2005). Plug and Root: The USB key to the kingdom. Black Hat USA 2005. Retrieved from https://www.blackhat.com/presentations/bh-usa-05/BH_US_05-Barrall-Dewey.pdf

Greenberg, A. (2014). Why the security of USB is fundamentally broken. Wired. Retrieved from http://www.wired.com/2014/07/usb-security/

Kalinich, S. (2014). BadUSB not really all that new, but still very bad indeed. Decrypted Tech. Retrieved from http://www.decryptedtech.com/news/badusb-exploit-not-really-all-that-new-but-still-very-bad-indeed