"BadUSB" Exploit Makes Devices Turn "Evil"
An anonymous reader writes with a snippet from Ars Technica that should make you (even more) skeptical about plugging in random USB drives, or allowing persons unknown physical access to your computer's USB ports: When creators of the state-sponsored Stuxnet worm used a USB stick to infect air-gapped computers inside Iran's heavily fortified Natanz nuclear facility, trust in the ubiquitous storage medium suffered a devastating blow. Now, white-hat hackers have devised a feat even more seminal—an exploit that transforms keyboards, Web cams, and other types of USB-connected devices into highly programmable attack platforms that can't be detected by today's defenses. Dubbed BadUSB, the hack reprograms embedded firmware to give USB devices new, covert capabilities. In a demonstration scheduled at next week's Black Hat security conference in Las Vegas, a USB drive, for instance, will take on the ability to act as a keyboard that surreptitiously types malicious commands into attached computers. A different drive will similarly be reprogrammed to act as a network card that causes connected computers to connect to malicious sites impersonating Google, Facebook or other trusted destinations. The presenters will demonstrate similar hacks that work against Android phones when attached to targeted computers. They say their technique will work on Web cams, keyboards, and most other types of USB-enabled devices.
Here come the digitally signed / encrypted USB dongles for USB 4.x, where every device has a firmware signature encrypted within the device and part of the USB handshake will be to read the entire firmware to re-calc the signature to make sure it matches, with a 3rd comparison via the internet to a USB device registry.
Then the criminals will figure out how to falsify the signature with the bad firmware anyway.
Really? Because the worst I can imagine is the NSA or another spy agency getting a shipment of devices from the manufacturer so that when you get it delivered new and in the box it's already compromised. Your brand new shiny Dell or HP would be compromised from the factory.
Think I've not got enough layers of tinfoil? Google for "Cisco NSA routers".
At this point, if it can be exploited by these clowns, it will be.
Unless, of course, it's law enforcement who have done it.
Lost at C:>. Found at C.
I thought it was common sense not to plug in untrusted devices to your computer. Especially unknown thumb drives, unless you can use them in a read only device.
The problem at hand is that you can take a trustworthy device, plug it into an infected computer and then your trustworthy device becomes compromised and not easily detectably so, infecting your formerly clean PC. So far, no comments on mitigating procedures or OS specific circumstances. Most OSes will automatically load USB devices so in theory this could affect just about every OS whereby a compromised phone decides to become a keyboard and starts typing keystrokes and sending data to a 3rd party. Scary, at least in theory.
Nah, we are already screwed beyond help.
This kind of attack is not new; the new part is the examples of generic devices with hacked firmware to do that. This can be solved easily by requesting user authorization before activating any USB device type; for example, before telling the system that there is a new USB network device, ask the user for confirmation. The trick is with input devices, where the new device could be replacing a broken one (keyboard or mouse); the confirmation can be done by requesting the user to type a code displayed on screen or to use the mouse with an on-screen keyboard in order to accept the input device for general usage. The other problem is with devices permanently attached: assume that any device attached at boot time is trusted. If someone replaced your USB device when you weren't present, other more awful things could have been done.
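Added example, not part of the comment above and not any operating system's code: a Python model of the confirmation policy that comment proposes, applied per interface so that a flash drive which also announces a keyboard gets only the functions the user approved. The `UsbDevice` type and all function names are hypothetical, and the sample devices are constructed; the class codes are the standard USB `bInterfaceClass` values.

```python
import hmac
import secrets
from dataclasses import dataclass

# bInterfaceClass codes assigned by the USB-IF
HID, MASS_STORAGE, CDC_COMM, VIDEO = 0x03, 0x08, 0x02, 0x0E

@dataclass(frozen=True)
class UsbDevice:              # hypothetical model, not an OS API
    name: str
    interface_classes: tuple  # one bInterfaceClass per interface
    present_at_boot: bool = False

def required_checks(dev):
    """Map each interface class to 'trust', 'confirm' or 'challenge'."""
    checks = {}
    for cls in dev.interface_classes:
        if dev.present_at_boot:
            checks[cls] = "trust"      # attached at boot: assumed trusted
        elif cls == HID:
            checks[cls] = "challenge"  # must enter the on-screen code
        else:
            checks[cls] = "confirm"    # user confirms each new function
    return checks

def new_challenge(digits=6):
    """Random code shown on screen; the new device cannot read it."""
    return "".join(secrets.choice("0123456789") for _ in range(digits))

def activate(dev, confirmed=(), challenge=None, typed=None):
    """Return the set of interface classes allowed to bind drivers."""
    code_ok = bool(challenge) and typed is not None and \
        hmac.compare_digest(challenge, typed)
    allowed = set()
    for cls, check in required_checks(dev).items():
        if (check == "trust"
                or (check == "confirm" and cls in confirmed)
                or (check == "challenge" and code_ok)):
            allowed.add(cls)
    return allowed

# Constructed sample devices
boot_keyboard = UsbDevice("desk keyboard", (HID,), present_at_boot=True)
flash_drive = UsbDevice("flash drive", (MASS_STORAGE,))
reflashed_drive = UsbDevice("flash drive", (MASS_STORAGE, HID))
```

With this policy the extra keyboard interface on `reflashed_drive` stays inactive unless someone types the displayed code on it, even after the user has approved its storage function.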
1. A ton of USB devices are actually implemented as general-purpose components with programmable firmware (attached to whatever support hardware, like a network card or a webcam, is necessary). So they're more common than you think.
2. Smartphones are an excellent reprogrammable USB device that lots of individuals have.
3. This is difficult enough to really engineer well that it is probably a bigger threat as a targeted attack against a big organization for now. Until someone does the engineering to make it easy to deploy widely. Then, it'll be a threat for everyone. Kind of like automated hacking of consumer-grade routers to modify the firmware to participate in an Internet-wide portscan. It's the Metasploit effect: it's not a big problem until someone makes it automated, then it is.
"Click OK to connect mouse"
It leaves a bit of a chicken and egg problem for normal users of systems without a keyboard built in.
Just another reason why you shouldn't stick foreign objects in your orifices...
Or they could already come programmed from a "trusted" factory. It's not like that hasn't happened before. Yikes!
Smartphones are the big problem. People think it is acceptable to just plug them in everywhere to "just charge them".
I can go to a train station or another reasonably public spot, look for a power outlet and plug in my "charging station" that turns a smartphone into a malicious device.
This will infect devices from a very diverse group that will travel around and connect their devices to whatever USB-port they can find.
I would love to see malware that will reprogram a mask-programmed blob in common throwaway hardware. Or a microcontroller in a webcam that doesn't even have the programming pins (typically some sort of ISP or JTAG) connected to anything USB accessible (or not even connected at all, at best to some test pads).
A typical USB stick or a webcam don't have hardware to permit firmware upgrades, even though the silicon inside could be theoretically upgradable. Not to mention that the exploit would have to be written specifically for the target hardware - different processors, memory layout, USB interface, etc - all that would make it really hard to produce a generic malware. If you want to see what is involved in something like that, look at the article on hacking HDD controllers:
http://spritesmods.com/?art=hd...
And that is a hard drive, which are produced by only a few manufacturers and have relatively standardized interfaces and controllers. Now imagine having to do that sort of reverse engineering on every type of hard drive in common use if you wanted to write a reasonably effective malware (e.g. a data stealing worm). It is much easier to exploit some Windows bug or use a phishing scam than this.
So yes, this is potentially a threat, but panicking over your USB sticks or webcams going rogue on you is vastly overblown. This could be an issue for a very targeted attack where the benefits of compromising e.g. a keyboard of a high value target will outweigh the effort required, but not really anything else. And that assumes that the keyboard is actually able to be updated! It would be probably simpler to just send an operative in and install e.g. a keylogger ...
Oh and they mention the "BadBios" story ... Nobody was ever able to confirm that apart from the original very confused researcher.
Are you:
* A bank?
* A utility?
* A large corporation?
* A defense contractor?
* A military?
* A government?
* A "whistleblower" (in the figurative sense, not someone who just blows a literal whistle)?
* A journalist?
* A civil rights/government abuse/environmental/economic activist?
* Are you a member of an "anti-government" group or movement?
* Are you Muslim?
* Are you or have you ever been brown?
* Now or will you in the future travel through a customs inspection area of any country?
* Under active investigation by a law enforcement agency?
* A rabble-rouser?
* A person with opinions that are counter to those of your government?
* A sentient artificial lifeform?
If you answered yes to any of the above, then yes you need to be worried. If you did not, then no, you probably don't need to be worried.
I browse on +1 so AC's need not respond, I won't see it.
Negative, I am a meat popsicle.