Black Hat 2014 session debuts BadUSB

Do USB drives pose a major threat to enterprise security? Experts at a recent A Black Hat 2014 session have unveiled a new threat -- dubbed BadUSB -- that could infiltrate your network using common USB devices.

LAS VEGAS -- This past Thursday was a bad day for USB users. Odds are, this means you, even if you don't use those ubiquitous thumb drives, given that all sorts of devices -- including the built-in cameras in some laptops, plug-in network cards and the occasional auxiliary display -- use the protocol.

With an attack approach they've dubbed BadUSB (after BadBIOS), Jakob Lell, security researcher at SRLabs in Berlin, and independent security researcher Karsten Nohl, threw USB security and just about everything USB-related (including your computer with USB ports in it) into a profoundly untrustworthy state as a result of their presentation at the Black Hat USA 2014 conference in Las Vegas.

Unreadable badness

BadUSB depends on the way USB thumb drive devices are built, typically with a large, rewritable memory chip for the actual data storage, plus a separate controller chip. The picture below shows the memory chip on an opened USB thumb drive; the controller chip is on the other side of the circuit board.

guts of a USB thumbdrive
The guts of a USB thumbdrive showing memory chip. The brains of the operation is a chip on the other side.

The controller chip is effectively a low-power computer and, just like your notebook or desktop computer, it starts up by loading a rudimentary boot program from the memory chip. Similar to the way a notebook computer's hard drive contains a hidden Master Boot Record, the first range of memory locations on the memory chip contain the programming that makes the USB device tick.

Taking this to an extreme, we can have one USB device infect a computer, and the computer then infect other USB devices.
Karsten Nohlsecurity researcher

There are two important things keep in mind about that startup program: it can be rewritten and there's no practical way to tell what's currently on the hidden part of the memory chip where it resides. Short of de-soldering the memory chip and examining it using very sophisticated microelectronics equipment, there's no way to check whether you've got the correct code or some devious replacement. "To detect an infected USB, you have to look for symptoms that indicate the infection," Nohl said. "You can't directly scan the USB."

Because the USB standard is so versatile, your options as an attacker are various and fascinating. One proof-of-concept attack shown by Nohl and Lell reprograms the USB device as if it were a USB-connected network card. The attack resets the address the computer is using for DNS resolution of Web URLs. Because the USB isn't actually connected to the network in its supposed network card role, traffic won't actually be sent to the USB. But, Web requests passed through the normal, pre-existing network or wireless card will use the malicious DNS server, so that requests to banks and the like can be redirected to hacker copies of those sites. Lell and Nohl showed a live infection, in which a browser request to eBay.com was redirected to another site.

Reloading doesn't help

Even if you throw away the infected USB drive, a smart attacker will spread the infection through the victim PC's USB ports, perhaps lingering in less-than-obvious, USB-driven components in the system. Even if you completely wipe and reload the machine, other PCs will remain infected -- and ready to spread further infection -- when you reboot.

"Taking this to an extreme, we can have one USB device infect a computer, and the computer then infect other USB devices," Nohl said. Any particular virus of the BadUSB-type is dependent on the chip used to control the USB device, and not all devices use the same chips. But, Nohl said approximately half of the thumb drives in the market today use the same chip set, which also happens to be a chip set they've written three proof-of-concept attacks for.

Karsten NohlKarsten Nohl
talks about BadUSB.

"It's important to say that nobody did anything wrong," Nohl said in a press conference following the conference presentation. "USB was designed to work exactly like this. You're able to put all different kinds of devices into the port, and they all just work. So there's no way you can fix it, either. As long as we have USB, we will have devices that masquerade as other devices. It's the only reason that USB is so popular and other standards are not."

Because USB is ubiquitous, "we'll have this problem with us for 10 years or so, as long as we are using USB devices in our computers. It's not something you can patch and reboot. It's a structural security issue," Nohl said.

And while the Black Hat session only showed proof-of-concept attacks, one important element of the USB security discussion that may have been downplayed is that this style of attack may already be out there in the wild. Asked at the press conference whether this might be the case, Nohl said that everything they've ever presented at Black Hat -- including this -- has shown up in the leaked NSA "shopping list." More importantly, it all showed up before they made the same discoveries. Including this.

Next Steps

Learn about the ongoing effects of the NSA leaks

Tips for developing a USB security policy

Dig deeper on Emerging Information Security Threats

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

Related Discussions

Robert Richardson, Editorial Director asks:

Will this new attack change your use of USB?

0  Responses So Far

Join the Discussion

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchConsumerization

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly

Close