Now that a working exploit of the USB vulnerability that’s baked-in to the USB standard has been released, it might be a prudent move to no longer employ any USB devices that aren’t already under your control until this situation has been fixed.
The exploit was first made public two months ago at the Black Hat conference in Las Vegas when Karsten Nohl and Jakob Lell of Berlin based Security Research Labs (SRL) demonstrated an attack they called BadUSB to a standing-room-only crowd.
In one demonstration, the pair used a USB memory stick loaded with malware that caused the computer to think it was a keyboard. According to the BBC: “After just a few moments, the ‘keyboard’ began typing in commands – and instructed the computer to download a malicious program from the internet.”
The exploit works by taking advantage of the controller chip found in nearly all USB devices, which is relatively easy to reprogram. The chip identifies the device type to the computer.
The code used to pull off the demo attack wasn’t released at that time, given the grave severity of the problem and because, according to Nohl, the problem is unpatchable. According to SRL, a machine infected through such a USB attack has pretty much been bricked.
“Simply reinstalling the operating system –- the standard response to otherwise ineradicable malware –- does not address BadUSB infections at their root,” the company states on its website. “… A BadUSB device may even have replaced the computer’s BIOS –- again by emulating a keyboard and unlocking a hidden file on the USB thumb drive.
“Once infected, computers and their USB peripherals can never be trusted again.”
On Monday we learned that two computer security researchers — Adam Caudill and Brandon Wilson — have picked up the baton and made the code public on GitHub, in an attempt to force electronics firms to improve defenses against attack.
Caudill and Wilson gave a talk at last week’s Derbycon in Louisville, Ky., and provided information about how to reverse engineer the firmware.
“We’re releasing everything we’ve done here, nothing is being held back,” the BBC quoted Wilson from his presentation at DerbyCon. “We believe that this information should not be limited to a select few as others have treated it. It needs to be available to the public.”
The pair said that publicly releasing the USB attack code “will allow penetration testers to use the technique, all the better to prove to their clients that USBs are nearly impossible to secure in their current form,” according to an article on Wired. “And they also argue that making a working exploit available is the only way to pressure USB makers to change the tiny devices’ fundamentally broken security scheme.”
According to the Wired article, Caudill and Wilson reverse engineered the firmware of USB microcontrollers sold by Phison, one of the world’s top USB makers. Then they reprogrammed that firmware to perform disturbing attacks. They even replicated the earlier demonstration at Black Hat by exhibiting a USB device that impersonated a keyboard to input text on a victim machine.
Yesterday, in another article, Wired reported that the pair has published a firmware patch that “is far from universal: it only works for one version of USB code, the latest USB 3.0 firmware distributed by the Taiwanese firm Phison….” The patch has numerous other limitations as well. For example, with physical access the firmware can still be modified through a process called “pin shorting,” which can best be prevented by applying glue to the device.
“There’s a tough balance between proving that it’s possible and making it easy for people to actually do it,” Caudill told Wired, speaking of the publication of the exploit code. “There’s an ethical dilemma there. We want to make sure we’re on the right side of it.”
There are already programmable devices on the market that can act as USB slaves, so the only thing new here is the ability for a third party to modify an innocent-looking memory stick.
In other words, we go from “having to trust the manufacturer of the device” to “having to trust the manufacturer and everyone who has handled the device”. That’s quite a difference, and worth knowing about, but if you buy equipment from an untrusted source (like the USA, for example), you should probably be taking precautions against this kind of behaviour already. Of course, “should” is a big word…
On the other hand, I wonder how many people will use this exploit to really hide a partition full of games on their employers’ USB sticks…
As far as I’m concerned I don’t like using USB’s that don’t come freom someplace I trust…and since that’s not anywhere…I’ll stick with the three USB’s I have and my 1TB external HD..and that’s it! Although I’m a confessed distro-hopper, I don’t think its worth losing the OS’es or the files and folders I have on my drives just to tryout the latest and greatest…I’ll just backup my data to my HD, and wait for updates from the developers. Guess until this little snafu is handled the party’s over foir a bit!!