Massive, undetectable security flaw found in USB


Matsuda


Security researchers have found a fundamental flaw that could affect billions of USB devices. This flaw is so serious that, now that it has been revealed, you probably shouldn’t plug a USB device into your computer ever again. There are no known effective defenses against this variety of USB attack, though in the future (months or years, not days) some limited defenses might be possible.

This vulnerability, which allows any USB device to take over your computer, mostly exists due to the USB Implementers Forum (the USB standards body) eschewing security in favor of maximizing the versatility, and thus the massively successful adoption, of USB. The USB IF itself notes that your only defense against this new attack vector is to only use USB devices that you 100% trust — but even then, as we’ll outline below, this won’t always protect you.

This flaw, dubbed BadUSB by Security Research Labs in Berlin, leverages the fact that every USB device has a controller chip. Whether it’s your PC, smartphone, external hard drive, or an audio breakout box, there’s a USB controller chip in every device that controls the USB connection to other devices. It turns out, according to SR Labs, that these controllers have firmware that can be reprogrammed to do a whole host of malicious things — and, perhaps most importantly, this reprogramming is almost impossible to detect.

This vulnerability mostly stems from the fact that USB, by design, is incredibly versatile. USB can be used to connect just about any kind of peripheral to a host machine — an ability that is only possible because of USB classes and class drivers. Basically, every USB device under the sun has a class — a classification that defines the device’s function. Some common classes are human-interface devices (HIDs; keyboards, mice), wireless controller (Bluetooth dongles), and mass storage (thumb drives, digital cameras). On the host (your PC, your smartphone) there are class drivers that manage the functions of that particular class of devices. This is why you can plug a USB keyboard into just about any device and it’ll work flawlessly.

The problem, according to SR Labs, is that these USB controllers can have their firmware reprogrammed so that they announce themselves as a different class. For example, you could reprogram a mass storage device so that it masquerades as a network controller, so that all of your network communications (websites, passwords) get redirected to the device. Or, even worse, you could reprogram the firmware of a thumb drive so that it becomes a HID, and can thus issue keyboard and mouse commands to the host machine. These commands might be used to install malware, or to rewrite the firmware of other attached USB devices. Suddenly you are sitting on a computer worm of Conficker proportions that could take down most of the world’s devices.

While finding a security hole in USB isn’t exactly a surprise, the main issue here is that there’s no immediate fix. As of today, there could be billions of USB devices out there with firmware that could be reprogrammed by a computer virus — and, according to SR Labs, it’s impossible to spot the modified firmware unless you know exactly where to look. (It took months for SR Labs to reverse engineer the controller firmware, and it doesn’t sound like they’re giving up their secrets any time soon.) The security researchers also say that malware scanners can’t access the firmware of a USB device — so you can forget about that angle, too. SR Labs says it will release more details and proof-of-concept tools at Black Hat 2014 on August 7.

It would be possible to mitigate against this attack in the future if every device maker signed their firmware, and then your computer checked that signature every time you plugged the device in — but I suspect, given the scale of the USB device ecosystem, such a change would take months or years to adopt. Another option would be designated USB ports on your computer — so, you might have a port that only accepts mass storage devices, and is completely incapable of handling other classes of USB device.

Ultimately, though, the only real mitigation is ensuring you only use USB devices that you trust. It’s basically like unprotected sex: If you plug your USB memory stick into another computer, you should then assume that your memory stick is forever compromised. The problem with this approach, though, is that your own computer could infect your USB devices without you knowing — and unless you’re a very careful surfer, it’s very hard to keep your computer completely malware-free. Which brings us back to the beginning of the story: Maybe it’s just best if you don’t use USB for a while.

Fortunately my cupboard is full of PS/2 keyboards, parallel printers, and stacks of rewritable DVDs for exactly this kind of apocalyptic occasion…




Source: http://www.extremetech.com/computing/187279-undetectable-indefensible-security-flaw-found-in-usb-its-time-to-get-your-ps2-keyboard-out-of-the-cupboard

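The persona change the article describes (a stick that enumerates as mass storage one day and as a keyboard the next) cannot be seen in the firmware, but it does leave a trace in the host's kernel log. The script below is an added example for this thread, not code from the quoted article or from SR Labs: it correlates constructed Linux `dmesg`-style lines by vendor:product id and raises an alert when one id has presented as mass storage and as a HID or network interface across plug-ins. The ids, serial and log text are all constructed for the example; a reprogrammed controller can also change its ids, so this only catches devices that keep them.

```python
import re
from collections import defaultdict

# Constructed sample kernel log lines (made up for this example, not from any real
# incident). Thumb drive "1234:5678" is plugged in twice; on the second plug-in it
# also enumerates as a keyboard. A plain keyboard "abcd:0001" appears in between.
SAMPLE_LOG = """\
usb 1-1: New USB device found, idVendor=1234, idProduct=5678, bcdDevice= 1.00
usb 1-1: Product: Flash Disk
usb-storage 1-1:1.0: USB Mass Storage device detected
usb 1-1: USB disconnect, device number 5
usb 1-2: New USB device found, idVendor=abcd, idProduct=0001, bcdDevice= 1.10
input: Generic Keyboard as /devices/pci0000:00/0000:00:14.0/usb1/1-2/1-2:1.0/0003:ABCD:0001.0001/input/input10
hid-generic 0003:ABCD:0001.0001: input,hidraw0: USB HID v1.10 Keyboard [Generic Keyboard] on usb-0000:00:14.0-2/input0
usb 1-1: New USB device found, idVendor=1234, idProduct=5678, bcdDevice= 1.00
usb-storage 1-1:1.0: USB Mass Storage device detected
input: Flash Disk as /devices/pci0000:00/0000:00:14.0/usb1/1-1/1-1:1.1/0003:1234:5678.0002/input/input11
hid-generic 0003:1234:5678.0002: input,hidraw1: USB HID v1.10 Keyboard [Flash Disk] on usb-0000:00:14.0-1/input0
"""

# Message shapes emitted by the Linux usb core and the usb-storage, hid-generic and
# CDC/RNDIS network drivers.
NEW_DEV = re.compile(r"usb (\S+): New USB device found, idVendor=([0-9a-f]{4}), idProduct=([0-9a-f]{4})")
DISCONNECT = re.compile(r"usb (\S+): USB disconnect")
STORAGE = re.compile(r"usb-storage (\S+):\d+\.\d+: USB Mass Storage device detected")
HID = re.compile(r"hid-generic 0003:([0-9A-Fa-f]{4}):([0-9A-Fa-f]{4})\.\d+: .*USB HID")
NETWORK = re.compile(r"(?:cdc_ether|rndis_host|cdc_ncm) (\S+):\d+\.\d+ \S+: register")

# Personas that should never share an id with a device that has been a plain drive.
INPUT_PERSONAS = {"hid", "network"}


def analyse(lines):
    """Return [(vid:pid, persona)] alerts for devices seen as storage *and* as HID/network."""
    port_to_dev = {}             # bus port ("1-1") -> "vvvv:pppp" currently enumerated there
    personas = defaultdict(set)  # "vvvv:pppp" -> every persona seen across all plug-ins
    alerts = []

    def record(dev, persona):
        personas[dev].add(persona)
        seen = personas[dev]
        if "storage" in seen and seen & INPUT_PERSONAS:
            alert = (dev, persona)
            if alert not in alerts:
                alerts.append(alert)

    for line in lines:
        if (m := NEW_DEV.search(line)):
            port, vid, pid = m.groups()
            port_to_dev[port] = f"{vid}:{pid}"
        elif (m := DISCONNECT.search(line)):
            port_to_dev.pop(m.group(1), None)
        elif (m := STORAGE.search(line)):
            if m.group(1) in port_to_dev:            # storage lines only name the port
                record(port_to_dev[m.group(1)], "storage")
        elif (m := NETWORK.search(line)):
            if m.group(1) in port_to_dev:
                record(port_to_dev[m.group(1)], "network")
        elif (m := HID.search(line)):                # hid-generic names the ids directly
            record(f"{m.group(1).lower()}:{m.group(2).lower()}", "hid")
    return alerts


if __name__ == "__main__":
    for dev, persona in analyse(SAMPLE_LOG.splitlines()):
        print(f"ALERT: device {dev} has been a mass-storage drive and is now also '{persona}'")
```

Run against a live system with `journalctl -k` or `dmesg` piped in; the alert fires on the second plug-in of `1234:5678`, while the ordinary keyboard never trips it because it was never a drive. This is the "behavioral detection" the SR Labs quote calls difficult: the host only sees a new device, so the correlation has to be kept by the defender across sessions, and a firmware that also forges a fresh vendor id defeats it.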
stylemessiah

This one goes straight into the same That's Nucking Futs, Stop Eating The Lead Paint You Paranoid Assclown file that currently has the previously seen on here stories about The Terrible Threat Where Computers Can Be Accessed Via WiFi Even When Powered Off (submitted twice, and mercilessly ridiculed, quite rightly as utter bull$hit twice), at least 2 other tin-foil hat brigade level tech paranoia theories I can't remember fully off the top of my head, and any posting by Ambrocious.....

Honestly, exactly no one in their fricking right mind is going to stop using USB ever again after reading this, so... as I often say... the forum wants its wasted space back....

EDIT: I just remembered one of the other paranoid nutjob stories... The Put Tape Over The Lens Of Your Webcam Because ANYONE Could Be Watching You story.

For those who don't remember, this one originated about Apple devices which were in SERIOUS danger because LITERALLY ANYONE could access their webcam remotely and it wouldn't give any sign the camera was on. This spread to just about every other brand of PC ever made. The NSA were said to have the ability to remotely install it on anyone's laptop without their knowledge. The reality was that a user would have to physically click and agree to replace the webcam driver with a hacked one... apparently that equates to being remotely hacked now....

This "hacked" webcam scenario has never been seen by anyone I know in IT, in about 15 countries where I know people in IT, ever.

Also worth mentioning is that the most common thing in IT regarding webcams is just how hard it is to get the bloody things working, finding a working driver for the webcam in your Toshiba/Acer/HP laptop... if you've ever had a laptop with a Chicony webcam in it, you'll know what I'm talking about; there are entire messageboards dedicated to getting webcams working... usually because even the manufacturer-supplied drivers won't work, yet somehow some spotty kid or the NSA has a better and stealth-installing driver? Get your hand off it, as we say here in Australia.

Honestly, could the people who believe these types of crap "stories" passed off as fact and are paranoid nutbars please do the world a favour and put two rounds into the backs of your own heads and remove yourself from the human gene pool. Normally I'd be happy to do this, but I'm currently swamped removing people from the gene pool for watching the crap reality chick shit that's passed off as TV entertainment these days, and those using "social media" and actually believe they have 10,000 friends or followers, and I may not be able to get round to you as well....

Society is doomed <- that should really be in my signature. I say it often enough.

Wouldn't be too concerned - we have a thread discussing mitigation at various levels.

Where? :unsure:

stylemessiah

> Wouldn't be too concerned - we have a thread discussing mitigation at various levels.
>
> Where? :unsure:

You had to go and remind me of that stuff...

I'm pretty sure I was in one of those threads extolling the simplicity of creating a folder named autorun.inf in the root of your USB device as the easiest (and free) solution to stopping USB viruses and malware in their tracks, but I was amazed (and still am) at just how many people ignored it and continued looking for bloody software to provide the answer.

It was astounding to see so many people convinced they had to install something..... instead of investing a little time and a few brain cells into realising, and if necessary learning, how their PC and its filesystem actually works.

Society is doomed <- there, you made me say it again dcs18 :)

If this is the real deal you can forget all about autorun.inf things.

This is on the level of having your BIOS flashed with malware inside, at a much lower level than some file sitting on the drive.

If the firmware is coded enough it would just talk to OS drivers when plugged in and that'd be it.

> If this is the real deal you can forget all about autorun.inf things.
>
> This is on the level of having your BIOS flashed with malware inside, at a much lower level than some file sitting on the drive.
>
> If the firmware is coded enough it would just talk to OS drivers when plugged in and that'd be it.

If it got to be that big of a deal, just throw your PC or Mac in the trash and be done with computers altogether.

> Wouldn't be too concerned - we have a thread discussing mitigation at various levels.
>
> Where? :unsure:
>
> You had to go and remind me of that stuff...
>
> I'm pretty sure I was in one of those threads extolling the simplicity of creating a folder named autorun.inf in the root of your USB device as the easiest (and free) solution to stopping USB viruses and malware in their tracks, but I was amazed (and still am) at just how many people ignored it and continued looking for bloody software to provide the answer.
>
> It was astounding to see so many people convinced they had to install something..... instead of investing a little time and a few brain cells into realising, and if necessary learning, how their PC and its filesystem actually works.
>
> Society is doomed <- there, you made me say it again dcs18 :)

I've a question... how can this folder prevent any infections? It's not clear to me although I'm an IT/programmer...

Damn... I'm feeling really really stupid...

Researchers say they have managed to reprogram the firmware within some flash drives with malicious code – code executed by the gadget's micro-controller to ultimately install malware on a PC or redirect network traffic without a victim knowing.

Karsten Nohl and Jakob Lell, from German security skunkworks SR Labs, spent months analyzing the software and micro-controllers embedded in particular USB devices, and said they have found they could reliably hide, in the flash ROM, malware that's undetectable to today's antivirus tools – and it's very, very effective.

We're told their software nasty, which they call BadUSB, can be installed not just in certain thumb drives, but in anything sporting a supported or compatible micro-controller. It is impossible to remove from the device, unless you too have tools and skills to reprogram the firmware.

USB thumb drives are typically a block of flash memory with a micro-controller attached to it; this controller chip has its own RAM scratch pad, and a tiny operating system in the firmware telling it how to interface the flash with the outside world via USB. This firmware can be reprogrammed to do unintended stuff – if you've worked out how to do so.

For a few years now, this sort of attack has been known to be possible: infosec types even dubbed malicious USB devices "plug and prey."

Now we're told it's a reality.

"No effective defenses from USB attacks are known," claimed SR Labs.

"Malware scanners cannot access the firmware running on USB devices. USB firewalls that block certain device classes do not (yet) exist. And behavioral detection is difficult, since a BadUSB device’s behavior when it changes its persona looks as though a user has simply plugged in a new device."

How it's supposed to work

The two, who will present a full technical talk and proof-of-concept code at next week's Black Hat conference in Las Vegas, designed BadUSB to convince the target computer that a USB thumb drive is also a USB keyboard – which quickly feeds a string of characters to the computer as if typed by the user.

This string could, on Windows, open a cmd.exe box, run an executable on the flash drive that installs further malware, or open an Internet Explorer window and surf to a website that exploits a vulnerability in IE or Adobe Flash to inject malware. The drives can also be configured to impersonate a network card and redirect traffic.

It's all possible because USB devices can be multi-function: when they are plugged into a computer, they announce to the operating system, via the USB protocol, what kind of device they are so that the correct drivers are loaded and the gadget is usable.

Usually, a thumb drive announces itself as mass storage. If it also announces itself as a keyboard, today's desktop operating systems play along and attach it as another keyboard source to cause mischief.

Before you start panicking and throwing away your peripherals, there are a few caveats to the research.

1. Not every USB chip

Firstly, this attack will not work on all USB chips automatically – it appears to be vendor specific, and while there are a limited number of USB silicon suppliers, there's still a lot of chip models to tackle. Every chipmaker designs their controllers differently.

For Black Hat, we're told the following three attack devices will be demonstrated; these gadgets use chips made by Phison, which typically use 8051 micro-controllers:

  • A USB thumb drive that rapidly injects key-presses to download and run malicious software before the user can stop it. This is triggered by plugging the device into the PC.
  • A USB thumb drive that boots the PC, tampers with the operating system installation to cause further misery, and then boots the machine proper.
  • A USB thumb drive that announces itself as a network card, allowing it to reconfigure the machine's DNS settings to redirect internet traffic into hackers' hands.

Earlier this year, at Shmoocon 2014, Richard Harman gave a presentation on his research into analyzing USB micro-controllers and studying their firmware and security features. Phison, he pointed out, has a tool called MPAll which allows firmware to be rewritten – although it's hard work crafting a working rogue firmware as the chip internals aren't documented.

2. Security versus cost

Secondly, it may be possible for device manufacturers to deal with these problems themselves. Controllers could be designed to only accept new firmware that is cryptographically proven to be legit, for example, but that would increase the complexity and the cost of these cheap-as-pennies chips.

There is, though, room for increased security, we're told.

"The USB specifications support additional capabilities for security, but original equipment manufacturers (OEM’s) decide whether or not to implement these capabilities in their products. OEMs develop products based on consumer demand," a spokeswoman from the USB Implementers Forum told El Reg in an email.

"Greater capabilities of any product likely results in higher prices, and consumers choose on a daily basis what they are willing to pay to receive certain benefits. If consumer demand for USB products with additional capabilities for security grows, we would expect OEMs to meet that demand."

At the moment it's unlikely that manufacturers are going to do anything that would drive up the price of USB devices. (Operating system developers could, of course, consider rejecting bizarre USB function combinations.)

If someone were to develop malware that infected PCs from thumb drives and then silently reprogrammed other connected thumb drives to spread again, it's unlikely that anyone's going to whine about paying a few pennies more for something that's locked down. ®

Source: http://www.theregister.co.uk/2014/07/31/black_hat_hackers_drive_truck_through_hole_in_usb_security/

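The article's closing aside, that operating system developers could "reject bizarre USB function combinations", is a host-side check on the descriptors a device announces at enumeration. The block below is an added example written for this thread, not code from The Register, SR Labs or the USB-IF: a parser for the standard USB configuration descriptor that collects the base class code of every interface and applies one policy, refusing any device that presents mass storage together with a HID, CDC (network) or wireless interface. The descriptor bytes are constructed by the `build_config` helper; the class codes are the USB-IF base class values; the layout (9-byte configuration, 9-byte interface, 9-byte HID, 7-byte endpoint descriptors, each prefixed by its own length) is the standard one.

```python
import struct

DT_CONFIG, DT_INTERFACE, DT_ENDPOINT, DT_HID = 0x02, 0x04, 0x05, 0x21

# USB-IF base class codes relevant to the policy (others are reported as raw hex).
CLASS_NAMES = {0x02: "cdc-control", 0x03: "hid", 0x08: "mass-storage", 0x09: "hub",
               0x0A: "cdc-data", 0xE0: "wireless", 0xEF: "misc", 0xFF: "vendor-specific"}
# A drive that also exposes any of these is the "bizarre combination" the article means.
NOT_WITH_STORAGE = {"hid", "cdc-control", "cdc-data", "wireless"}


def interface_classes(blob):
    """Walk a configuration descriptor (config header followed by interface, class-specific
    and endpoint descriptors) and return bInterfaceClass of each alternate-setting-0 interface."""
    if len(blob) < 9 or blob[1] != DT_CONFIG:
        raise ValueError("not a configuration descriptor")
    total = struct.unpack_from("<H", blob, 2)[0]        # wTotalLength
    if total > len(blob):
        raise ValueError("descriptor truncated")
    classes, off = [], 0
    while off + 2 <= total:
        length, dtype = blob[off], blob[off + 1]      # every descriptor starts bLength, bDescriptorType
        if length < 2 or off + length > total:
            raise ValueError(f"malformed descriptor at offset {off}")
        if dtype == DT_INTERFACE and length >= 9 and blob[off + 3] == 0:   # bAlternateSetting == 0
            classes.append(blob[off + 5])                                    # bInterfaceClass
        off += length
    return classes


def evaluate(blob):
    """Return (allowed, sorted class names) for one configuration under the storage policy."""
    names = sorted({CLASS_NAMES.get(c, f"0x{c:02x}") for c in interface_classes(blob)})
    allowed = not ("mass-storage" in names and NOT_WITH_STORAGE.intersection(names))
    return allowed, names


def build_config(interfaces):
    """Constructed descriptor builder for the samples; interfaces = [(class, subclass, protocol, endpoints)]."""
    body = b""
    for num, (cls, sub, proto, n_ep) in enumerate(interfaces):
        body += struct.pack("<BBBBBBBBB", 9, DT_INTERFACE, num, 0, n_ep, cls, sub, proto, 0)
        if cls == 0x03:  # HID interfaces carry a class-specific HID descriptor before their endpoints
            body += struct.pack("<BBHBBBH", 9, DT_HID, 0x0111, 0, 1, 0x22, 65)
        for ep in range(n_ep):
            kind = 0x03 if cls == 0x03 else 0x02        # interrupt for HID, bulk otherwise
            body += struct.pack("<BBBBHB", 7, DT_ENDPOINT, 0x81 + ep, kind, 64, 1)
    head = struct.pack("<BBHBBBBB", 9, DT_CONFIG, 9 + len(body), len(interfaces), 1, 0, 0x80, 50)
    return head + body


# Constructed samples: class/subclass/protocol triples follow the usual SCSI-over-bulk storage,
# boot-protocol keyboard and CDC Ethernet values.
SAMPLES = {
    "plain thumb drive": build_config([(0x08, 0x06, 0x50, 2)]),
    "plain keyboard": build_config([(0x03, 0x01, 0x01, 1)]),
    "thumb drive that also types": build_config([(0x08, 0x06, 0x50, 2), (0x03, 0x01, 0x01, 1)]),
    "thumb drive that is also a NIC": build_config([(0x02, 0x06, 0x00, 1), (0x0A, 0x00, 0x00, 2),
                                                    (0x08, 0x06, 0x50, 2)]),
}

if __name__ == "__main__":
    for label, blob in SAMPLES.items():
        allowed, names = evaluate(blob)
        print(f"{label:32s} {names} -> {'allow' if allowed else 'REFUSE'}")
```

On Linux the same bytes are available before any driver binds, in `/sys/bus/usb/devices/<dev>/descriptors` (the 18-byte device descriptor followed by the configuration descriptors), which is where a USB allowlisting tool would apply a rule like this. The check is deliberately narrow: it refuses a drive that also types, but a reprogrammed stick that drops the storage persona and enumerates purely as a keyboard looks exactly like the "plain keyboard" sample, and that case needs a per-device allowlist or a user prompt rather than a class-combination rule.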
@stylemessiah....that's telling them!! Well said.

Err,...what's a USB device???? :lol: :lol: :lol:
