August 9th, 2014

USB Ports Are No Longer Your Friend (If They Ever Were)

Just because the good guys have discovered a new security risk doesn’t mean the bad guys haven’t known about it forever. The risk is only new to us. It’s actually been there for a long time, maybe forever. Who knows how long everyone from the black hats in Moscow to the NSA in bucolic Maryland have been taking advantage of what appears to us to be a “new” exploit?

The USB security hole recently unveiled by Berlin based Security Research Labs (SRL) seems to be of those that’s been around “forever.”

While it shouldn’t be news to anybody that caution should be exercised when using USB devices, the new exploit would seem to indicate that even the most draconian security measures, short of doing away with USB devices entirely, might not be enough. The recently revealed problem has to do with the USB controller chip found in most, if not all, USB devices. The chip basically identifies the device type to the computer.

The trouble is, most of these chips are relatively easy to reprogram.

An article published yesterday on the BBC’s website, illustrated how this exploit can be used to hijack a computer:

“In one demo, shown off at the Black Hat hackers conference in Las Vegas, a standard USB drive was inserted into a normal computer. “Malicious code implanted on the stick tricked the machine into thinking a keyboard had been plugged in. “After just a few moments, the ‘keyboard’ began typing in commands – and instructed the computer to download a malicious program from the internet.”

In another demonstration for the BBC, a researcher with SRL, Karsten Nohl, was able to use the exploit to create a fake version of the PayPal website to steal log-in credentials.

“Unlike other similar attacks, where simply looking at the web address can give away a scam website, there were no visible clues that a user was under threat. “The same demo could have been carried out on any website, Mr Nohl stressed.”

According to an article on the SRL website, little can be done to protect against such an attack at this time. Also, cleaning up after such an attack may be next to impossible.

“No effective defenses from USB attacks are known. Malware scanners cannot access the firmware running on USB devices. USB firewalls that block certain device classes do not (yet) exist. And behavioral detection is difficult, since a BadUSB device’s behavior when it changes its persona looks as though a user has simply plugged in a new device. “To make matters worse, cleanup after an incident is hard: Simply reinstalling the operating system – the standard response to otherwise ineradicable malware – does not address BadUSB infections at their root. The USB thumb drive, from which the operating system is reinstalled, may already be infected, as may the hardwired webcam or other USB components inside the computer. A BadUSB device may even have replaced the computer’s BIOS – again by emulating a keyboard and unlocking a hidden file on the USB thumb drive. “Once infected, computers and their USB peripherals can never be trusted again.”

Sean Michael Kerner writing on eWeek, downplayed these warnings:

“A reprogrammed USB device can have certain privileges that give it access to do things it should not be able to do, but the bottom line is about trust. On a typical Windows system, USB devices are driven by drivers that are more often than not signed by software vendors. If a warning pops up on a user’s screen to install a driver, or that an unsigned driver is present, that should be a cause for concern. “As a matter of best practice, don’t plug unknown USB devices into your computing equipment. It’s just common sense, much like users should not open attachments that look suspicious or click on unknown links.”

That’s great for those tied to Windows, but doesn’t offer much help to those using Linux or OS X. As for the call for users to use good computer hygiene, most of us are doing that anyway — it’s not like this is the first security risk that’s arisen around the USB port.

For the time being, being careful might be enough, but probably not for long. Although the people at SRL are not yet releasing their modified USB controller firmwares, it’s only a matter of time before the black hats figure it out, now that the existence of the bug has been made public. So far, the USB Working Party, the organization behind the USB standard, is not commenting specifically about this exploit but is pointing to additional USB security measures that OEMs can choose to use. Hopefully, however, they’re frantically working behind the scenes to find a way to nullify this threat.

Related