LAS VEGAS -- This past Thursday was a bad day for USB users. Odds are, this means you, even if you don't use those ubiquitous thumb drives, given that all sorts of devices -- including the built-in cameras in some laptops, plug-in network cards and the occasional auxiliary display -- use the protocol.
With an attack approach they've dubbed BadUSB (after BadBIOS), Jakob Lell, security researcher at SRLabs in Berlin, and independent security researcher Karsten Nohl used their presentation at the Black Hat USA 2014 conference in Las Vegas to throw USB security, and just about everything USB-related (including your computer with USB ports in it), into a profoundly untrustworthy state.
BadUSB depends on the way USB thumb drive devices are built, typically with a large, rewritable memory chip for the actual data storage, plus a separate controller chip. The picture below shows the memory chip on an opened USB thumb drive; the controller chip is on the other side of the circuit board.
The controller chip is effectively a low-power computer and, just like your notebook or desktop computer, it starts up by loading a rudimentary boot program from the memory chip. Similar to the way a notebook computer's hard drive contains a hidden Master Boot Record, the first range of memory locations on the memory chip contains the programming that makes the USB device tick.
There are two important things to keep in mind about that startup program: it can be rewritten, and there's no practical way to tell what's currently on the hidden part of the memory chip where it resides. Short of de-soldering the memory chip and examining it using very sophisticated microelectronics equipment, there's no way to check whether you've got the correct code or some devious replacement. "To detect an infected USB, you have to look for symptoms that indicate the infection," Nohl said. "You can't directly scan the USB."
Because the USB standard is so versatile, your options as an attacker are various and fascinating. One proof-of-concept attack shown by Nohl and Lell reprograms the USB device as if it were a USB-connected network card. The attack resets the address the computer is using for DNS resolution of Web URLs. Because the USB isn't actually connected to the network in its supposed network card role, traffic won't actually be sent to the USB. But, Web requests passed through the normal, pre-existing network or wireless card will use the malicious DNS server, so that requests to banks and the like can be redirected to hacker copies of those sites. Lell and Nohl showed a live infection, in which a browser request to eBay.com was redirected to another site.
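Nohl's point that you can only look for symptoms, and the network-card-with-rogue-DNS demonstration above, suggest what a host-side check would watch for. The following is an added example, not code from the article or from SRLabs: it parses kernel-log style lines (the format is modelled on Linux usbcore and driver messages, but the sample lines, vendor/product IDs and addresses are all constructed) and flags a port whose device enumerated as mass storage and then came back as a network adapter, and a resolver configuration that names a DNS server outside an allowlist. The driver names (usb-storage, uas, cdc_ether, rndis_host, cdc_ncm) are the real Linux driver names; the allowlist and log text are assumptions for the example.

```python
"""Symptom-based checks for BadUSB-style device masquerading.

Added example (not from the article or SRLabs). Two symptoms are
checked, both taken from the attack as described in the text:
  1. a device at one USB port that first bound to a storage driver and
     later bound to a USB network driver (thumb drive turned NIC), and
  2. nameservers in the resolver configuration that are not on the
     administrator's allowlist (the rogue-DNS symptom).
"""
import re
from collections import defaultdict

# Constructed sample of kernel messages; the format follows Linux
# usbcore/driver output, but the VID:PID and events are made up.
SAMPLE_LOG = """\
usb 1-2: new high-speed USB device number 5 using xhci_hcd
usb 1-2: New USB device found, idVendor=1234, idProduct=5678
usb 1-2: Product: Flash Disk
usb-storage 1-2:1.0: USB Mass Storage device detected
usb 1-2: USB disconnect, device number 5
usb 1-2: new high-speed USB device number 6 using xhci_hcd
usb 1-2: New USB device found, idVendor=1234, idProduct=5678
usb 1-2: Product: Flash Disk
cdc_ether 1-2:1.0 usb0: register 'cdc_ether' at usb-0000:00:14.0-2, CDC Ethernet Device
"""

# Constructed /etc/resolv.conf; 198.51.100.7 is a documentation address.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search corp.example
nameserver 10.0.0.53
nameserver 198.51.100.7
"""

# Assumed allowlist of the organisation's own resolvers.
DNS_ALLOWLIST = {"10.0.0.53", "10.0.0.54"}

STORAGE_DRIVERS = ("usb-storage", "uas")
NETWORK_DRIVERS = ("cdc_ether", "rndis_host", "cdc_ncm")

# Matches "<driver> <bus>-<port>:<config>.<interface>" at line start,
# e.g. "usb-storage 1-2:1.0: ..." or "cdc_ether 1-2:1.0 usb0: ...".
DRIVER_RE = re.compile(r"^(?P<driver>[\w-]+) (?P<port>\d+-[\d.]+):\d+\.\d+")


def classify_ports(log_text):
    """Return {port: [role, ...]} in log order; role is 'storage' or 'network'."""
    roles = defaultdict(list)
    for line in log_text.splitlines():
        m = DRIVER_RE.match(line)
        if not m:
            continue
        driver, port = m.group("driver"), m.group("port")
        if driver in STORAGE_DRIVERS:
            roles[port].append("storage")
        elif driver in NETWORK_DRIVERS:
            roles[port].append("network")
    return dict(roles)


def find_masquerading(log_text):
    """Ports where a storage device was followed by a network adapter."""
    suspicious = []
    for port, seq in classify_ports(log_text).items():
        if "storage" in seq and "network" in seq:
            if seq.index("storage") < seq.index("network"):
                suspicious.append(port)
    return suspicious


def unexpected_nameservers(resolv_text, allowlist):
    """Nameserver entries in resolv.conf-style text that are not allowlisted."""
    found = []
    for line in resolv_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver" and parts[1] not in allowlist:
            found.append(parts[1])
    return found


if __name__ == "__main__":
    for port in find_masquerading(SAMPLE_LOG):
        print(f"ALERT: USB port {port} changed role from storage to network adapter")
    for server in unexpected_nameservers(SAMPLE_RESOLV_CONF, DNS_ALLOWLIST):
        print(f"ALERT: unexpected DNS server configured: {server}")
```

Neither check proves a device is malicious; as Nohl says, the firmware itself cannot be inspected from the host. What they give an operator is the symptom pair the demonstration would produce: an unexpected network interface from a port that previously held a thumb drive, followed by a resolver change.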
Reloading doesn't help
Even if you throw away the infected USB drive, a smart attacker will spread the infection through the victim PC's USB ports, perhaps lingering in less-than-obvious, USB-driven components in the system. Even if you completely wipe and reload the machine, other PCs will remain infected -- and ready to spread further infection -- when you reboot.
"Taking this to an extreme, we can have one USB device infect a computer, and the computer then infect other USB devices," Nohl said. Any particular virus of the BadUSB-type is dependent on the chip used to control the USB device, and not all devices use the same chips. But, Nohl said approximately half of the thumb drives in the market today use the same chip set, which also happens to be a chip set they've written three proof-of-concept attacks for.
"It's important to say that nobody did anything wrong," Nohl said in a press conference following the conference presentation. "USB was designed to work exactly like this. You're able to put all different kinds of devices into the port, and they all just work. So there's no way you can fix it, either. As long as we have USB, we will have devices that masquerade as other devices. It's the only reason that USB is so popular and other standards are not."
Because USB is ubiquitous, "we'll have this problem with us for 10 years or so, as long as we are using USB devices in our computers. It's not something you can patch and reboot. It's a structural security issue," Nohl said.
And while the Black Hat session only showed proof-of-concept attacks, one important element of the USB security discussion that may have been downplayed is that this style of attack may already be out there in the wild. Asked at the press conference whether this might be the case, Nohl said that everything they've ever presented at Black Hat -- including this -- has shown up in the leaked NSA "shopping list." More importantly, it all showed up before they made the same discoveries. Including this.