'BadUSB' malware lives in USB firmware to remain undetected, unfixable

Posted:
in General Discussion edited August 2014
A pair of researchers has discovered a flaw in the USB protocol's basic architecture that allows for malware to be programed into a device's firmware, making it nearly undetectable and impossible to patch.




To demonstrate the ubiquitous vulnerability, SR Labs security researchers Karsten Nohl and Jakob Lell created a proof-of-concept called "BadUSB" that can be installed on any universal serial bus device, including memory sticks, keyboards, smartphones and more, to take over a victim's PC, insert or change files, modify DNS settings and otherwise play havoc with host hardware, reports Wired.

BadUSB is not a common piece of malware that can simply be copied onto a USB drive's flash memory. Nohl and Lell reverse engineered the standard USB firmware in charge of transporting files on and off a device, finding that malicious code can be inserted and hidden within through a bit of reprograming.

"These problems can't be patched," Nohl said. "We're exploiting the very way that USB is designed."

Unless the tainted firmware is itself reverse engineered, the malware is protected from being discovered and will remain on a device even after a disk erasure is performed, a routine process for clearing suspected malicious software.

Further, BadUSB is bidirectional. In other words, if a malware's payload is coded to do so, a thumb drive can infect a computer's USB firmware, which in turn reprograms the firmware of yet another connected USB device, spreading the code silently across any and all systems. In testing, Nohl and Lell found that basically any USB device is vulnerable to the exploit.

As there is no easy fix to malware like BadUSB, the researchers suggest users adopt a new way of thinking about USB hardware. Instead of thoughtlessly transporting files and other data back and forth between machines, Nohl and Lell recommend connecting only to known devices that are user-owned or trusted.

"In this new way of thinking, you can't trust a USB just because its storage doesn't contain a virus. Trust must come from the fact that no one malicious has ever touched it," Nohl said. "You have to consider a USB infected and throw it away as soon as it touches a non-trusted computer."

Nohl and Lell will present their findings, as well as proof-of-concept software, at the Black Hat conference in Las Vegas this August.
«134

Comments

  • Reply 1 of 68
    philboogiephilboogie Posts: 7,671member
    Stories like these make sense when they can show proof that a person's computer has been infected by this malware instead of some theoretic firmware re-write.

    Secondly, I'd also like to know why they say that it's 'impossible to patch'; if one can overwrite the firmware with malicious code can't one also restore the original firmware, were it available for said product?

    Thirdly, this doesn't apply to cable's I take it, even though there is a cable shown in the article. Personally I'd use a memory stick or something that has firmware embedded.




    "proof-of-concept"

    That just may work as a company name.
  • Reply 2 of 68
    hmmhmm Posts: 3,405member
    Quote:

    Originally Posted by PhilBoogie View Post







    Secondly, I'd also like to know why they say that it's 'impossible to patch'; if one can overwrite the firmware with malicious code can't one also restore the original firmware, were it available for said product?

    I read that as impossible to patch the vulnerability, not the rewritten firmware.

  • Reply 3 of 68
    philboogiephilboogie Posts: 7,671member
    hmm wrote: »
    philboogie wrote: »
    Secondly, I'd also like to know why they say that it's 'impossible to patch'; if one can overwrite the firmware with malicious code can't one also restore the original firmware, were it available for said product?
    I read that as impossible to patch the vulnerability, not the rewritten firmware.

    Ah, ok. But if the malware rewrites your DNS settings, can't one simply restore their hosts file from backup or simply change their DNS settings? On second thought, I presume 'the damage' has already been done by making people go to a website they didn't intend to go to. If so, I wonder where all these hackers want people to go to. TOR? Or some sleazy weazy nudity webby site? Convincing men to use their Credit Card for a lifetime subscription of...whatever.

    Yeah, whatever. Period.
  • Reply 4 of 68
    Quote:

    Originally Posted by PhilBoogie View Post



    Secondly, I'd also like to know why they say that it's 'impossible to patch'; if one can overwrite the firmware with malicious code can't one also restore the original firmware, were it available for said product?



    Thirdly, this doesn't apply to cable's I take it, even though there is a cable shown in the article. Personally I'd use a memory stick or something that has firmware embedded.

    1. It's impossible to patch because [You don't have access firmware in normal USB access]. 

    It's hide in the transportation layer, and to detect malicious code, you need to get access to it. 

    Unless Windows/Mac has the same feature as iOS (iOS flash firmware to lightning accessories at every connection)

    2. Have you seen the inside of lightning cable? 

    It's basically a chip for proxy, and proxy means you can add/remove message by code. 

    And by the way? Do you know many card readers run on USB? 

  • Reply 5 of 68
    My God it's happening. Just like the old gypsy woman said.
  • Reply 6 of 68
    mofromofro Posts: 10member
    Okay, so does this mean I should no longer purchase thumb drives as I have no idea if said manufacturer decided to install said malware on the device?
  • Reply 7 of 68
    sporlosporlo Posts: 143member
    This is interesting.
  • Reply 8 of 68
    wizard69wizard69 Posts: 13,377member
    The virtually all statement is crap. Not all USB devices can be reprogrammed over USB.
  • Reply 9 of 68
    Quote:

    Originally Posted by wizard69 View Post



    The virtually all statement is crap. Not all USB devices can be reprogrammed over USB.

    My reading of this is that it is writing to the firmware of the USB controller which would be standard across the board no matter what the device. So in theory at least ALL devices would be vulnerable.

  • Reply 10 of 68
    philboogiephilboogie Posts: 7,671member
    philboogie wrote: »
    Secondly, I'd also like to know why they say that it's 'impossible to patch'; if one can overwrite the firmware with malicious code can't one also restore the original firmware, were it available for said product?


    Thirdly, this doesn't apply to cable's I take it, even though there is a cable shown in the article. Personally I'd use a memory stick or something that has firmware embedded.
    1. It's impossible to patch because [You don't have access firmware in normal USB access]. 

    It's hide in the transportation layer, and to detect malicious code, you need to get access to it. 

    Unless Windows/Mac has the same feature as iOS (iOS flash firmware to lightning accessories at every connection)
    2. Have you seen the inside of lightning cable? 

    It's basically a chip for proxy, and proxy means you can add/remove message by code. 

    And by the way? Do you know many card readers run on USB? 


    Hmm, interesting info, thanks. Yes, I have seen the inside of the Lightning cable over here:

    http://appleinsider.com/articles/12/10/16/lightning-cables-authentication-chip-found-to-offer-just-enough-security

    1000

    Also may have been reversed-engineered:

    http://appleinsider.com/articles/12/10/09/apples-lightning-authentication-chip-may-have-been-reverse-engineered

    As for Card Readers, can one write malicious code on a Card and thusly insert code on the Reader?
  • Reply 11 of 68
    palegolaspalegolas Posts: 1,342member
    Perhaps a thunderbolt to USB breakout box could patch it, theoretically? Or block it, rather. More thunderbolt to the people anyways.
  • Reply 12 of 68

    Last year I listened to a tech guy who is familiar with much of the things done by the covert spy agencies of the USA. He said that for more than a decade these alphabet agencies have been using programmed hardware bits installed in computers to have full access to them. This included iPhones. They grab devices before or after they are sold to certain people and install the bug. Unless somebody opened up the machines and had full knowledge of what belonged on those mother boards the device would go undetected. Whenever these devices connected to the internet they would report home. The cell phone bugs would radio home whenever they received the proper signal to transmit.

     

    It is possible that this "vulnerability" was engineered into USB from the start.

  • Reply 13 of 68
    MarvinMarvin Posts: 14,757moderator
    This sort of thing is more likely to be exploited by government agencies but if it's easy enough to setup, I could see it being used by inexpensive USB webcams, card readers and storage pens and other things that would come from China on eBay or Amazon. Malware authors these days just want to get click revenue. They don't need to snoop on users or anything like that, the following person made millions from infecting Android devices and harvesting email addresses to invite 37 million people to a dating site, where they'd have ad banners and other revenue generating things:

    http://www.androidauthority.com/millionaire-poker-player-arrested-android-malware-249838/

    A DNS infection over USB could similarly send people to ad sites.

    This is one area where iOS and other devices lacking these ports helps them to be more secure. The same goes for not having 3rd party runtimes like Flash, Java etc. The extra functionality is nice to have but with such a high volume of users, more people are protected without the functionality most of them don't miss. Surface's USB ports are ok as they don't have a high volume of users.
  • Reply 14 of 68
    iDevices are worthless because they don't have a UBS connector like android of Surface devices. Yeah...
  • Reply 15 of 68
    No, you would put the code in the firmware of the card reader.

    All of this is very much true, I learned about it during security training for my job just over a year ago. I bought it was already commonplace knowledge (among security types, anyway), but maybe this is the first time someone has published a complete how-to and proof-of-concept.

    Remember when that Iranian nuclear enrichment center got owned a couple years ago? It's widely believed that was accomplished through this technique.

    @wizard69: you're reading it wrong. Even usb mice can be used as a vector.
  • Reply 16 of 68
    Think of it this way: the usb bus is like this computer lab full of computers that have no passwords whatsoever. When you add another computer to the LAN, every computer has complete access to every other computer. There is no authentication or security system -- by design.

    You might be thinking "okay but in windows it asks if I want to install drivers for [some device], can't you approve access at that point?" The device is already on the bus with full access, without that windows can't even get as far as asking if you want to deny access.

    I would worry less about blank USB keys from factories than I would USB keys from strangers, but again, even a usb mouse could install a Trojan or a key logger or whatever.
  • Reply 17 of 68
    chipsychipsy Posts: 287member
    [
    iDevices are worthless because they don't have a UBS connector like android of Surface devices. Yeah...

    Although Lightning uses another connector which includes additions on top of usb it still uses USB 2.0 internally so I don't think it is exempt from this vulnerability.
  • Reply 18 of 68
    chipsy wrote: »
    [
    iDevices are worthless because they don't have a UBS connector like android of Surface devices. Yeah...

    Although Lightning uses another connector which includes additions on top of usb it still uses USB 2.0 internally so I don't think it is exempt from this exploit.

    I have no idea if iDevices are exempt or not either. Let's hope the chip in the lightning cable disrupts the exploit. As I read the story, it appears the weakness is built into the UBS protocol which would be hard to protect against if the device meats the UBS standards.
  • Reply 19 of 68
    longpathlongpath Posts: 382member
    It seems to me that the solution to this is nonwritable firmware. Since this exploit only talks to an immediately connected device, firmware that either can't be written to at all (ROM) or can only be written to from a secured connection (i.e. the OS) should insulate against this.
  • Reply 20 of 68
    chipsychipsy Posts: 287member
    I have no idea if iDevices are exempt or not either. Let's hope the chip in the lightning cable disrupts the exploit. As I read the story, it appears the weakness is built into the UBS protocol which would be hard to protect against if the device meats the UBS standards.

    As far as I know that chip only authenticates the cable to an iDevice, but it is always possible that it has another function we aren't aware of yet. It looks indeed to be the case, as you say, if it's in the USB protocol all devices that implement it would be vulnerable.
    Edit: maybe this will spur on Apple to release a Lightning to Thunderbolt cable.
Sign In or Register to comment.