'BadUSB' malware lives in USB firmware to remain undetected, unfixable
A pair of researchers has discovered a flaw in the USB protocol's basic architecture that allows for malware to be programmed into a device's firmware, making it nearly undetectable and impossible to patch.

To demonstrate the ubiquitous vulnerability, SR Labs security researchers Karsten Nohl and Jakob Lell created a proof-of-concept called "BadUSB" that can be installed on any universal serial bus device, including memory sticks, keyboards, smartphones and more, to take over a victim's PC, insert or change files, modify DNS settings and otherwise play havoc with host hardware, reports Wired.
BadUSB is not a common piece of malware that can simply be copied onto a USB drive's flash memory. Nohl and Lell reverse engineered the standard USB firmware in charge of transporting files on and off a device, finding that malicious code can be inserted and hidden within through a bit of reprogramming.
"These problems can't be patched," Nohl said. "We're exploiting the very way that USB is designed."
Unless the tainted firmware is itself reverse engineered, the malware is protected from being discovered and will remain on a device even after a disk erasure is performed, a routine process for clearing suspected malicious software.
Further, BadUSB is bidirectional. In other words, if a malware's payload is coded to do so, a thumb drive can infect a computer's USB firmware, which in turn reprograms the firmware of yet another connected USB device, spreading the code silently across any and all systems. In testing, Nohl and Lell found that basically any USB device is vulnerable to the exploit.
As there is no easy fix to malware like BadUSB, the researchers suggest users adopt a new way of thinking about USB hardware. Instead of thoughtlessly transporting files and other data back and forth between machines, Nohl and Lell recommend connecting only to known devices that are user-owned or trusted.
"In this new way of thinking, you can't trust a USB just because its storage doesn't contain a virus. Trust must come from the fact that no one malicious has ever touched it," Nohl said. "You have to consider a USB infected and throw it away as soon as it touches a non-trusted computer."
Nohl and Lell will present their findings, as well as proof-of-concept software, at the Black Hat conference in Las Vegas this August.
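The trust model the researchers describe, connecting only to known devices the user owns or trusts, has a host-side counterpart: an allowlist keyed on what a device says it is when it enumerates. The script below is an added example, not code from the article, from SR Labs or from the BadUSB proof-of-concept. It enrols a device once by vendor ID, product ID and serial number together with the interface classes it exposed at that time, and on every later enumeration blocks anything that is not enrolled or that now exposes an interface class it did not have before (for instance, a storage stick that also presents a keyboard interface). All device IDs and serials in it are constructed sample values; the `UsbDevice`, `Policy`, `enroll`, `evaluate` and `audit` names are this example's own, and reading real enumeration data from the operating system is assumed to happen elsewhere.

```python
"""Host-side USB allowlist check (added example, not from the article or SR Labs).

A device is identified by (vendor ID, product ID, serial number), enrolled once
with the set of interface classes it exposed, and on each later enumeration
compared against that profile. A device whose descriptors have gained an
interface class since enrolment is blocked, because that is how a reprogrammed
controller first shows itself to the host, before any driver is loaded.

All IDs and serials below are constructed sample values. Collecting real
enumeration data (sysfs on Linux, SetupAPI on Windows) is assumed to be done
by the caller, who feeds UsbDevice records into evaluate() or audit().
"""
from dataclasses import dataclass

# bInterfaceClass codes from the USB class specification
HID = 0x03            # keyboards, mice
MASS_STORAGE = 0x08   # thumb drives, card readers
HUB = 0x09


@dataclass(frozen=True)
class UsbDevice:
    vid: int
    pid: int
    serial: str
    interface_classes: frozenset

    @property
    def key(self):
        # identity the host can read without any driver being loaded
        return (self.vid, self.pid, self.serial)


@dataclass
class Policy:
    # (vid, pid, serial) -> interface classes recorded at enrolment
    known: dict


def enroll(policy, dev):
    """Record a device the owner vouches for. Do this once, on a trusted host,
    before the device is plugged into anything else."""
    if dev.key in policy.known:
        raise ValueError(f"{dev.key} already enrolled")
    policy.known[dev.key] = frozenset(dev.interface_classes)


def evaluate(policy, dev):
    """Return ('allow' | 'block', reason) for a freshly enumerated device."""
    profile = policy.known.get(dev.key)
    if profile is None:
        return "block", "not enrolled"
    added = dev.interface_classes - profile
    if added:
        names = ", ".join(f"0x{c:02x}" for c in sorted(added))
        return "block", f"new interface class since enrolment: {names}"
    return "allow", "matches enrolled profile"


def audit(policy, events):
    """Evaluate a sequence of enumeration events; one (serial, decision, reason) row each."""
    return [(dev.serial, *evaluate(policy, dev)) for dev in events]


if __name__ == "__main__":
    policy = Policy(known={})
    # constructed devices enrolled on a trusted host
    stick = UsbDevice(0xABCD, 0x0001, "STICK-CONSTRUCTED-01", frozenset({MASS_STORAGE}))
    keyboard = UsbDevice(0xABCD, 0x0002, "KBD-CONSTRUCTED-01", frozenset({HID}))
    enroll(policy, stick)
    enroll(policy, keyboard)

    # constructed events: the same stick later re-enumerates with an extra HID
    # interface, and a never-enrolled mouse turns up
    reflashed_stick = UsbDevice(stick.vid, stick.pid, stick.serial,
                                frozenset({MASS_STORAGE, HID}))
    stray_mouse = UsbDevice(0xABCD, 0x0003, "MOUSE-CONSTRUCTED-01", frozenset({HID}))
    for row in audit(policy, [stick, keyboard, reflashed_stick, stray_mouse]):
        print(*row)
```

The check is deliberately narrow: it catches a device that now claims to be something it was not when enrolled, and refuses anything never enrolled. It does not catch reprogrammed firmware that keeps the same vendor ID, product ID, serial and interface set, since all of those are reported by the firmware itself, which is why it complements rather than replaces the custody rule in the article. On Linux, USBGuard applies the same kind of attribute-based allow/block policy at the kernel level.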

Comments
Secondly, I'd also like to know why they say that it's 'impossible to patch'; if one can overwrite the firmware with malicious code can't one also restore the original firmware, were it available for said product?
Thirdly, this doesn't apply to cables I take it, even though there is a cable shown in the article. Personally I'd use a memory stick or something that has firmware embedded.
"proof-of-concept"
That just may work as a company name.
Secondly, I'd also like to know why they say that it's 'impossible to patch'; if one can overwrite the firmware with malicious code can't one also restore the original firmware, were it available for said product?
I read that as impossible to patch the vulnerability, not the rewritten firmware.
Ah, ok. But if the malware rewrites your DNS settings, can't one simply restore their hosts file from backup or simply change their DNS settings? On second thought, I presume 'the damage' has already been done by making people go to a website they didn't intend to go to. If so, I wonder where all these hackers want people to go to. TOR? Or some sleazy weazy nudity webby site? Convincing men to use their Credit Card for a lifetime subscription of...whatever.
Yeah, whatever. Period.
Secondly, I'd also like to know why they say that it's 'impossible to patch'; if one can overwrite the firmware with malicious code can't one also restore the original firmware, were it available for said product?
Thirdly, this doesn't apply to cables I take it, even though there is a cable shown in the article. Personally I'd use a memory stick or something that has firmware embedded.
1. It's impossible to patch because you don't have access to the firmware in normal USB access.
It's hidden in the transportation layer, and to detect malicious code, you need to get access to it.
Unless Windows/Mac has the same feature as iOS (iOS flashes firmware to Lightning accessories at every connection).
2. Have you seen the inside of a Lightning cable?
It's basically a chip for a proxy, and a proxy means you can add/remove messages by code.
And by the way, do you know many card readers run on USB?
The "virtually all" statement is crap. Not all USB devices can be reprogrammed over USB.
My reading of this is that it is writing to the firmware of the USB controller which would be standard across the board no matter what the device. So in theory at least ALL devices would be vulnerable.
Hmm, interesting info, thanks. Yes, I have seen the inside of the Lightning cable over here:
http://appleinsider.com/articles/12/10/16/lightning-cables-authentication-chip-found-to-offer-just-enough-security
Also may have been reverse-engineered:
http://appleinsider.com/articles/12/10/09/apples-lightning-authentication-chip-may-have-been-reverse-engineered
As for Card Readers, can one write malicious code on a Card and thusly insert code on the Reader?
Last year I listened to a tech guy who is familiar with much of the things done by the covert spy agencies of the USA. He said that for more than a decade these alphabet agencies have been using programmed hardware bits installed in computers to have full access to them. This included iPhones. They grab devices before or after they are sold to certain people and install the bug. Unless somebody opened up the machines and had full knowledge of what belonged on those motherboards the device would go undetected. Whenever these devices connected to the internet they would report home. The cell phone bugs would radio home whenever they received the proper signal to transmit.
It is possible that this "vulnerability" was engineered into USB from the start.
http://www.androidauthority.com/millionaire-poker-player-arrested-android-malware-249838/
A DNS infection over USB could similarly send people to ad sites.
This is one area where iOS and other devices lacking these ports helps them to be more secure. The same goes for not having 3rd party runtimes like Flash, Java etc. The extra functionality is nice to have but with such a high volume of users, more people are protected without the functionality most of them don't miss. Surface's USB ports are ok as they don't have a high volume of users.
All of this is very much true, I learned about it during security training for my job just over a year ago. I thought it was already commonplace knowledge (among security types, anyway), but maybe this is the first time someone has published a complete how-to and proof-of-concept.
Remember when that Iranian nuclear enrichment center got owned a couple years ago? It's widely believed that was accomplished through this technique.
@wizard69: you're reading it wrong. Even USB mice can be used as a vector.
You might be thinking "okay but in windows it asks if I want to install drivers for [some device], can't you approve access at that point?" The device is already on the bus with full access, without that windows can't even get as far as asking if you want to deny access.
I would worry less about blank USB keys from factories than I would USB keys from strangers, but again, even a USB mouse could install a Trojan or a key logger or whatever.
Although Lightning uses another connector which includes additions on top of usb it still uses USB 2.0 internally so I don't think it is exempt from this vulnerability.
I have no idea if iDevices are exempt or not either. Let's hope the chip in the Lightning cable disrupts the exploit. As I read the story, it appears the weakness is built into the USB protocol which would be hard to protect against if the device meets the USB standards.
As far as I know that chip only authenticates the cable to an iDevice, but it is always possible that it has another function we aren't aware of yet. It looks indeed to be the case, as you say, if it's in the USB protocol all devices that implement it would be vulnerable.
Edit: maybe this will spur on Apple to release a Lightning to Thunderbolt cable.