Researchers uncover fundamental USB security flaw, no fix in sight

Shawn Knight


A pair of security researchers from SR Labs have uncovered a fundamental flaw in the way USB devices work. It affects every single USB device out there and worse yet, there's no line of defense short of prohibiting USB stick sharing or filling your USB ports with superglue.

The flaw that security researchers Karsten Nohl and Jakob Lell plan to present next week at the Black Hat security conference in Las Vegas runs deeper than simply loading a USB drive with malware. Instead, it's built into the core of how the technology works.

After spending several months reverse engineering the firmware that handles the basic communication functions of USB devices, they were able to reprogram that firmware to hide malicious code. This firmware is present on every USB device within the controller chip - the component that handles communication between the USB device and the computer it's plugged into.

Malicious code loaded into the firmware is essentially hidden from sight: anti-virus scanners can't pick it up, and formatting the drive won't help either.

To prove their point, the team created a piece of malware called BadUSB that can be used to completely take over a PC, alter files invisibly and even redirect a user's Internet traffic.

And just to be clear, we aren't talking about just USB flash drives but any device that connects via USB: keyboards, mice, smartphones, tablets, you name it. Worse yet, it's nearly impossible to determine whether a device has been tampered with. The researchers say there isn't even any trusted USB firmware to compare code against.

Matt Blaze, a computer science professor at the University of Pennsylvania, speculates the attack may already be common practice for the NSA. He points to a spying device called Cottonmouth that was mentioned in one of Edward Snowden's many leaks. Exact details of the device weren't mentioned but the leak claimed the tool hid in a USB peripheral plug.


 
> The flaw that security researchers Karsten Nohl and Jakob Lell plan to present next week at the Black Hat security conference in Las Vegas runs deeper than simply loading a USB drive with malware.

Oh good... maybe they can include instructions on how to use it so everyone can be a crook.

Why is the first thing these security guys do when they find a flaw to show everyone how it works? Shouldn't they quietly go to the USB commission or whatever and tell them about it so it can be fixed in the future?

Oh, right... then we'd have never heard of Karsten and Jakob and they wouldn't get to stand on a stage and tell everyone how smart they are....
 
By letting everyone know about the problem it'll ensure that the issue is seen to quickly and not just ignored.
 
Ok, so I don't understand exactly how this works. Does one need physical access to the device to corrupt it or a trojan could do that when the pen drive is plugged in ?

In any case, it's bad news for everyone.
 
"It affects every single USB device out there"... I'm not so sure about that,
most USB firmware is read-only. This only affects USB devices that can receive firmware updates.
 
> "It affects every single USB device out there"... I'm not so sure about that,
> most USB firmware is read-only. This only affects USB devices that can receive firmware updates.

Shhhh! You're wrecking our doomsday panicking!

Seriously though... you could corrupt a drive when it's manufactured though, right? So say a country whose government has its hands in manufacturing like *cough* CHINA *cough* could make USB devices that contained malware.
 
> "It affects every single USB device out there"... I'm not so sure about that,
> most USB firmware is read-only. This only affects USB devices that can receive firmware updates.

What does this mean? My keyboard is safe, but my mouse isn't? My mouse is a Razer that can take firmware updates, as you might know...

This is a mess, the entire world with any kind of USB devices can't do anything atm. Only to buy new devices when revised ones will be out, lol. In that case -well, understand it's impossible, but shouldn't the company behind USB pay? Pay for the whole world!
 
> The flaw that security researchers Karsten Nohl and Jakob Lell plan to present next week at the Black Hat security conference in Las Vegas runs deeper than simply loading a USB drive with malware.
>
> Oh good... maybe they can include instructions on how to use it so everyone can be a crook.
>
> Why is the first thing these security guys do when they find a flaw to show everyone how it works? Shouldn't they quietly go to the USB commission or whatever and tell them about it so it can be fixed in the future?
>
> Oh, right... then we'd have never heard of Karsten and Jakob and they wouldn't get to stand on a stage and tell everyone how smart they are....

like out of the kindness of their heart?

The way some think the poor freeload is analogous to this.
 
> Shouldn't they quietly go to the USB commission or whatever and tell them about it so it can be fixed in the future?
The transformation of cycads and dinosaurs into oil was a rapid process in comparison to the speed that the USB-IF works at, so I'm guessing that (and bearing in mind just how many USB devices are in circulation) this could be some kind of public airing to light a fire under the standards organization.
The only time I've ever witnessed the organization move with any speed is when they've been threatened with competition (DisplayPort, Thunderbolt).
> I say let's just all revert to pen and paper
> The way things are going, we all will, eventually.
The way things are going, humans will end up carving pictograms into cave walls using flint :eek:
 
USB devices haven't been allowed to be plugged into a gov. computer since I've been in the AF.. about 4 yrs. The ports have been taped over or what not on every computer.
 
Some people seem to not understand the severity of this. Manufacturers can include malware in their devices. Of course the NSA would never force companies to do their bidding... The only way around this would be using an unknown operating system so the malware couldn't execute. Clearly it could affect all the major players: Microsoft, Apple, and even Linux distros (Android, Ubuntu, etc). :/
 
The bug has to be loaded physically. Once it is loaded into the firmware, any device that it is connected to, can be controlled/manipulated.
 
Right, letting everyone know doesn't prod them into fixing the flaw or anything, or let you take action; there may well be machines of such importance that filling the USB port with epoxy or supergluing a clean Bluetooth dongle into it.
If you were an activist in China I am sure you would want to know this.
 
I prefer to know what the NSA or anyone else can do to my systems so I can take measures to protect myself.

I have a home network that's NOT connected to the Internet or wireless at all.

I'm not paranoid, but I had a severe infection moving around in my LAN that was almost impossible to stop.
Had to replace a lot of stuff with boxes I could control everything on.
Using OpenBSD and a minimum of services.

For the Internet I have one computer where I can write a fresh image to the HDD whenever I want, and I administer my networks using an old laptop without an HDD that boots from DVD.

I'm just being realistic about controlling access to my network and my stuff!
 
Wouldn't it be relatively easy for HIPS to catch the monkey business and automatically stop the USB controller?
 
The researchers are quoted further on ZDNet:
"Malware scanners cannot access the firmware running on USB devices. USB firewalls that block certain device classes do not (yet) exist. And behavioral detection is difficult, since a BadUSB device’s behavior when it changes its persona looks as though a user has simply plugged in a new device."
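The quote above says class-based USB firewalls did not yet exist and that a persona change looks like a new device being plugged in. The following is an added example, not code from the article, the researchers or any project the page names, of what host-side detection along those lines can and cannot do. It runs over constructed enumeration events (time, port path, vendor:product id, set of interface classes) of the kind a host could read from sysfs or udev; the ids are placeholders. Two heuristics are applied: a storage device that also claims a keyboard/mouse or network interface, and a device on one port whose interface set changes shortly after it first enumerated.

```python
"""Spot BadUSB-style personas from USB enumeration data (added example)."""

# USB-IF interface class codes used below.
CLASS_CDC_CONTROL = 0x02
CLASS_HID = 0x03
CLASS_MASS_STORAGE = 0x08
CLASS_CDC_DATA = 0x0A
CLASS_WIRELESS = 0xE0

STORAGE = {CLASS_MASS_STORAGE}
INPUT = {CLASS_HID}
NETWORK = {CLASS_CDC_CONTROL, CLASS_CDC_DATA, CLASS_WIRELESS}

# Constructed sample events. Vendor:product ids are placeholders, not real
# devices. "ifaces" is the set of bInterfaceClass values the device exposed.
EVENTS = [
    {"t": 0.0,  "port": "1-1", "id": "aaaa:0001", "ifaces": {CLASS_MASS_STORAGE}},   # plain flash drive
    {"t": 12.0, "port": "1-2", "id": "bbbb:0002", "ifaces": {CLASS_HID}},            # ordinary keyboard
    {"t": 30.0, "port": "1-3", "id": "cccc:0003", "ifaces": {CLASS_MASS_STORAGE}},   # drive enumerates as storage...
    {"t": 31.5, "port": "1-3", "id": "cccc:0003", "ifaces": {CLASS_MASS_STORAGE, CLASS_HID}},  # ...then adds a keyboard
    {"t": 60.0, "port": "1-4", "id": "dddd:0004",
     "ifaces": {CLASS_MASS_STORAGE, CLASS_CDC_CONTROL, CLASS_CDC_DATA}},             # storage plus a network adapter
]


def interface_mix_reasons(ifaces):
    """Return reasons a single device's interface set looks like a mixed persona."""
    reasons = []
    if ifaces & STORAGE and ifaces & INPUT:
        reasons.append("storage device also presents a HID (keyboard/mouse) interface")
    if ifaces & STORAGE and ifaces & NETWORK:
        reasons.append("storage device also presents a network interface")
    return reasons


def persona_changes(events, window_s=10.0):
    """Return (port, before, after) for devices whose interface set changed
    within window_s seconds of the previous enumeration on the same port."""
    last_seen = {}
    changes = []
    for ev in sorted(events, key=lambda e: e["t"]):
        prev = last_seen.get(ev["port"])
        if (prev is not None and ev["t"] - prev["t"] <= window_s
                and ev["ifaces"] != prev["ifaces"]):
            changes.append((ev["port"], sorted(prev["ifaces"]), sorted(ev["ifaces"])))
        last_seen[ev["port"]] = ev
    return changes


def audit(events, window_s=10.0):
    """Run both heuristics and return human-readable findings."""
    findings = []
    for ev in sorted(events, key=lambda e: e["t"]):
        for reason in interface_mix_reasons(ev["ifaces"]):
            findings.append(f"{ev['port']} {ev['id']}: {reason}")
    for port, before, after in persona_changes(events, window_s):
        findings.append(
            f"{port}: interface classes changed from {before} to {after} "
            f"within {window_s:g}s of enumerating (possible persona change)"
        )
    return findings


if __name__ == "__main__":
    for line in audit(EVENTS):
        print(line)
```

The limits are the ones the quote describes: a device that presents purely as a keyboard from its first enumeration is indistinguishable here from a real keyboard, and the timing heuristic only catches a persona change that happens on the same port within the window. What these checks do give a defender is an alert on the two cheapest BadUSB personas (a drive that types, a drive that routes traffic), and the same interface-class matching is the basis of the per-port allowlists that later host tools such as USBGuard implement.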
 