Slashdot Mirror

← Back to Stories (view on slashdot.org)

Hacking USB Firmware

Posted by timothy on from the fun-profit-what's-the-difference dept.

An anonymous reader writes Now the NSA isn't the only one who can hack your USB firmware: "In a talk at the Derbycon hacker conference in Louisville, Kentucky last week, researchers Adam Caudill and Brandon Wilson showed that they've reverse engineered the same USB firmware as Nohl's SR Labs, reproducing some of Nohl's BadUSB tricks. And unlike Nohl, the hacker pair has also published the code for those attacks on Github, raising the stakes for USB makers to either fix the problem or leave hundreds of millions of users vulnerable." Personally, I always thought it was insane that USB drives don't come with physical write-protect switches to keep them from being infected by malware. (More on BadUSB here.)

70 of 97 comments (clear)

  1. back in my day... by Anonymous Coward · · Score: 5, Funny

    we used black tape over the write protect notch on our floppy disks and we LIKED IT THAT WAY

    1. Re:back in my day... by Anonymous Coward · · Score: 5, Informative

      Back in my day we used to cut another write enable notch on the opposite side of floppy disks so we could write data on both sides.

    2. Re:back in my day... by UnknownSoldier · · Score: 1

      Ah the days of double sided floppy disks where you could get another 140K on Apple ][. :-)
      140K = 35 tracks * 16 sectors * 256 bytes/sector

      Of course the coolest hack was to add a "write-protect" switch to the drive :-)
      http://apple2online.com/web_do...

      ---
      Grumpy gamer: Get off my LAN

    3. Re:back in my day... by Anonymous Coward · · Score: 3, Funny

      How would that work? Unless you removed the metal cover that protects the disk.

    4. Re:back in my day... by Anonymous Coward · · Score: 1

      Back in my day we cut or own notches on the disk to make them double sided. Still today buying the 5v version of the USB to serial converter simply requires popping open the shell (no glue - that's another expense), and soldering the lead to the 3v strip. I used to be able to do about a dozen per hour once I got rolling. I'm pretty sure a switch would be harder. Of course I could mount the file sytem read only. But for maximum protection, you should make it WRITE only. Go ahead and dump whateVEr virus you please on my system. You'll never see it again. Hahaha, bwahahahaha, Bwaaaahaaaaahaaaaaahaaaaaa!

    5. Re:back in my day... by Anonymous Coward · · Score: 2, Interesting

      Personally, I always thought it was insane that USB drives don't come with physical write-protect switches to keep them from being infected by malware.

      When they first came out, they had them. I think manufacturers started leaving them off because they could save a tenth of a cent on their cost. I still have a couple of old ones laying around with a switch, though they are small (like 128mb).

    6. Re:back in my day... by UnknownSoldier · · Score: 1

      Indeed. :-)

    7. Re:back in my day... by K.+S.+Kyosuke · · Score: 4, Funny

      You need a bigger tool - once you go big black eight inches, you never go back.

      --
      Ezekiel 23:20
    8. Re:back in my day... by ogdenk · · Score: 2

      As if no other folks thought of this..... except every geek with a TRS-80, Atari 400/800/XL/XE, Apple II and Osborne I.....

    9. Re:back in my day... by Anonymous Coward · · Score: 1

      older tech

    10. Re:back in my day... by jjbenz · · Score: 1

      I have a couple usb drives that have write protect switches, I use them to clean malware off machines at work. I haven't looked lately, but I am sure somebody still makes them.

    11. Re:back in my day... by davester666 · · Score: 1

      back in my day, we used to hole-punch the disk and then rotate it a little in the shell so you wouldn't see the hole, and then wait for the next person to try to use it.

      --
      Sleep your way to a whiter smile...date a dentist!
  2. yaay! by Anonymous Coward · · Score: 1

    Finally I can run a beowulf cluster of usb sticks!

    wait... C#. Does that run on linux? Has mono added .Net UI yet?

    1. Re: yaay! by GWBasic · · Score: 1

      It has for years.

      --
      No, I will not work for your startup
  3. Locking USB... by ftolar69 · · Score: 1

    And either the Government would break it, or make it illegal. Never mind the other malevolent people.

    1. Re:Locking USB... by Marillion · · Score: 4, Informative

      Lock Switch? Then you don't understand the problem. The problem is that in many USB Flash are two chips: a computer and memory. The host PC communicates with the USB controller and the controller talks to the memory. Most controllers are just a version of the 8051 CPU with USB logic bolted on. The lock switch would be a high-level function that returns an error on a generic block device write command. Hacking the USB device isn't hacking the flash memory, it's hacking the firmware on the 8051. The Device Firmware Update function of USB that allowed that 8051 computer to be reprogrammed should be disabled.

      --
      This is a boring sig
    2. Re:Locking USB... by drinkypoo · · Score: 2

      Lock Switch? Then you don't understand the problem.

      Right back at you.

      The lock switch would be a high-level function that returns an error on a generic block device write command. Hacking the USB device isn't hacking the flash memory, it's hacking the firmware on the 8051.

      I downloaded the first flash datasheet I could google, by way of proving that you have not the first clue what you are on about. It was for the Hynix HY27UF084G2M (512Mx8bit) NAND Flash chip. On page 6 I find out that the write enable signal is called WE, like always. And on page 7 I find out that it's on pin 18. What do you suppose happens if I switch open pin 18?

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    3. Re:Locking USB... by drinkypoo · · Score: 1

      You are forgetting that controller chips have their own flash too, on the same chip as the controller itself. This often can be modified from the program running on the controller. Fuses may be able to disable this.

      Sure, I'm aware of that. But if they don't have a WE pin for their firmware flash, that's because someone involved in their design and production is a massive asshole.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    4. Re:Locking USB... by BadDreamer · · Score: 2

      You can lock the flash memory as much as you like. The PRAM on the Phison chip is unaffected.

      What is being reprogrammed is the Phison control chip. There is no write enable pin on the Phison chip. It has a pin to control the write lock of the flash memory, but that has no effect on the Phison PRAM where the firmware resides.

    5. Re:Locking USB... by AmiMoJo · · Score: 4, Informative

      On page 6 I find out that the write enable signal is called WE, like always. And on page 7 I find out that it's on pin 18. What do you suppose happens if I switch open pin 18?

      Most likely the whole device would stop working completely. You probably wanted the WP (write protect) line. The WE line is used for other functionality, as explained on page 9.

      Even then, you are looking at the wrong flash memory. You are looking at the bulk memory used for storing user data. The microcontroller that handles the USB interface has its own internal flash memory, typically quite small at less than 1M words. That is where it's program code is stored, and microcontrollers rarely have an external write protect pin. Sometimes there is memory protection built in, but typically it only prevents you reading the program code and doesn't stop you erasing and replacing it with your own. Besides which, many deliberately include a handy bootloader so that the manufacturer can easily write their firmware over the USB interface without special tools.

      Even if you somehow did secure the microcontroller it wouldn't be hard to replace with a hot air gun. Basically, no matter what you do, USB devices can't be trusted.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  4. Signed Firmware by Microlith · · Score: 4, Insightful

    A write-protect switch won't help you here, Timothy. They're going and reflashing the microcontroller, which means vendors will probably just burn a public key into the microcontroller and refuse to boot if the image signature doesn't match. They'll still have the firmware update capability they'll never use, but won't have to worry about attacks like this - short of someone stealing their private key.

    1. Re:Signed Firmware by amiga3D · · Score: 1

      How about mounting the filesytem read-only?

    2. Re:Signed Firmware by Anonymous Coward · · Score: 4, Insightful

      Firmware signing will help that vector but that's only one type of threat.

      Your average USB/SD/whaterver flash storage device contains an interface/flash controller SoC that has 100(ish)mhz 32bit arm/mips core, some ram, and it's own embeded flash.

      These things are made by the millions every day, as cheaply as possible. They then go in to devices users jam in to every available port on their computers without a second thought.

      Anyone who's remotely aware of what computing security is all about knows what this means. You can't trust USB devices. Your hardware and OS /must/ treat them as hostile. You are effectively interfacing unknown/untrusted/un-auditable computer systems with trusted ones.

      Any flash device could carry hidden code you can't audit, and it's being given physical access to user's computers as a matter of of course. A few changed lines of code could turn a factory programming process in to a mass exploit vector.

      How secure do you think your OS's USB stack is? How will it behave if, say, that flash drive re-initializes itself as a composite device with an HID keyboard/mouse and starts spitting out commands? How do your tell your computer to only obey input from authorized keyboards and mice? A USB device can present itself as just about anything. Input, network interface, storage device...

    3. Re:Signed Firmware by DMUTPeregrine · · Score: 3, Informative

      They're not writing to the filesystem, so that won't help.

      --
      Not a sentence!
    4. Re:Signed Firmware by jafac · · Score: 3, Funny

      Well, back in my day, you used to have to expose the IC to a UV light to get it to clear the registers so you could even install a new firmware. These young kids with their newfangled firmware flash images! (get off my lawn)

      --

      These are my friends, See how they glisten. See this one shine, how he smiles in the light.
    5. Re:Signed Firmware by Anonymous Coward · · Score: 1

      Where have all the nerds gone that we're left with people posting who don't know the difference between writing data onto a drive and updating its firmware? I feel like I died and woke up on a movie set.

    6. Re:Signed Firmware by Anonymous Coward · · Score: 1

      Even then, that's of limited help. A lot of microcontroller security features can be bypassed, that's not always so easy. And having the bootloader only accept signed images is also exploitable. Just look at the gaming consoles developped with budgets of hundreds of millions (xbox360, PS3, wii...), even if they all have those security "features", *all* of them still got hacked. Now we're taking about a for a low-price item with razor thin profit margins, with a nearly non-existent development budget. This would also raise the price and lower their sales significantly, save for a handful of slashdotters who might care. Not gonna happen, sorry.

    7. Re:Signed Firmware by FatdogHaiku · · Score: 2

      I feel like I died and woke up on a movie set.

      No, I'm sure that didn't happen. Here there a low ratio of women and not a lot of good looking people period.
      Congress maybe...

      --
      You have the right to remain sentient. If you give up the right to remain sentient, you will be elected to public office
    8. Re:Signed Firmware by Chuckstar · · Score: 1

      The nerds are all off typing two-at-a-time on their keyboards. :)

    9. Re:Signed Firmware by matthekc83 · · Score: 1

      Yeah but after a few hacks high security installations and sensitive corporations will require "certified" usb controllers, keyboards, mice, usb stick, etc. They will pay for the development and eventually we will have a choice 6 dollar mouse or 30 dollar security mouse. It doesn't have to be fool proof just hard enough most people are not hacking their consoles.

    10. Re:Signed Firmware by storkus · · Score: 1

      [quote]short of someone stealing their private key.[/quote]

      And there you go. Hence why this is ultimately unfixable.

    11. Re:Signed Firmware by TheRaven64 · · Score: 4, Informative

      You're completely misunderstanding the problem. It has nothing to do with flash drives, it has to do with USB devices, some of which happen to appear as block devices. Every USB device that you plug in has a controller chip, which runs a small program (the firmware) that implements the client part of the USB specification. Some of these are quite complex. There was an attack a few years ago on USB keyboards: some models come with 128KB of flash but only use 65KB for the firmware. You can replace the firmware with something malicious and have 31KB to cache keylog data for emptying when you plug in a specific device.

      The firmware on the controller chips is not public, not audited, and generally written by people who have no idea about security. If there's a bug in it that allows a compromise, then you can use the controller to attack the host system. Lots of USB drivers behave poorly in the presence of malformed USB protocol messages, so all you need is to find one buffer overflow and you've got a kernel-mode exploit. Worse, some of the vulnerabilities are not in the drivers, but in the firmware of the USB host controller chip on the motherboard. If you can compromise that, then you can sniff a load of messages going across the bus in a way that's completely undetectable from the OS.

      --
      I am TheRaven on Soylent News
    12. Re:Signed Firmware by drinkypoo · · Score: 1

      A write-protect switch won't help you here, Timothy.

      Why not?

      They're going and reflashing the microcontroller, which means

      ...that if the WP switch is physically connected to the WE line on the flash modules, that it will still work just fine.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    13. Re:Signed Firmware by fuzzyf · · Score: 1

      And when a system is compromised all internal usb controllers can be infected (Webcam, SD card reader, etc).
      So reinstalling a system after a breach is not enough anymore...

    14. Re:Signed Firmware by AmiMoJo · · Score: 1

      Realistically the damage that a USB device can do is fairly limited. If it set itself up as a keyboard and tried to execute commands you would very quickly notice what was happening on the screen in front of you. If you are really worried it isn't hard to lock most operating systems down to prevent new USB devices being auto-configured. Here's a guide for Windows: http://msdn.microsoft.com/en-u...

      Of more concern are Thunderbolt, Firewire and PC Card, because they both allow devices DMA access to your computer's entire RAM. Worse still Thunderbold and PC Card allow devices to execute code on the host, via an option ROM in the same way that internal PCIe/PCI cards do.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    15. Re:Signed Firmware by AmiMoJo · · Score: 1

      Most operating systems moved the USB stack out of the kernel long ago.

      Also, compromised USB firmware won't let you sniff the entire bus, only messages sent to and from the compromised device. USB doesn't use a shared bus for all devices, each device instead only gets messages directed to itself. I suppose if you compromised a hub's firmware you could see all traffic to devices connected to the hub, but hubs usually don't have flashable firmware as the ICs are dedicated single purpose devices.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    16. Re:Signed Firmware by kenshin33 · · Score: 1

      well, he did say "the USB host controller chip on the motherboard."

    17. Re:Signed Firmware by Grog6 · · Score: 1

      The UV light damages the silicon over time, degrading the oxide layer.

      It will fail to some other structure, and stick high or low eventually.

      A good cosmic ray strike while you're programming at 21V can make one popcorn open, lol.

      --
      Truth isn't Truth - Guliani
  5. Re:How does this affect me? by danceswithtrees · · Score: 1

    Do I care?

    Don't know.

    Would I care?

    Don't know.

    Should I care?

    Sounds like you should if you care about security/privacy. But since, I don't know what is going through your head, I don't know.

    Could I care less?

    Once again, don't know.

  6. Punch cards! by Anonymous Coward · · Score: 1

    I'm going back to punch cards!!!

    1. Re:Punch cards! by Em+Adespoton · · Score: 1

      I'm going back to punch cards!!!

      http://ask.metafilter.com/1430...

    2. Re:Punch cards! by fizzer06 · · Score: 1
      https://www.census.gov/history/www/innovations/technology/the_hollerith_tabulator.html/

      In use since 1890!

  7. Re:Write protect switch. by Anonymous Coward · · Score: 1

    With these tools in the wild, that switch better protect against firmware updates as well, or the first firmware reflashing botnet will get your system too.

  8. Re:Write protect switch. by Anonymous Coward · · Score: 3, Insightful

    placebos are great aren't they

    that write protect switch is likely something enforced by the firmware, and likely not something that can enforce writing to the firmware

  9. Wired shouldn't write tech articles by Anonymous Coward · · Score: 3, Interesting

    TFA's author lazily uses the term "USB" to mean "USB storage device" as in USB flash sticks, hard disks and optical drives. But in reality this firmware issue affects all USB devices including mice, keyboard, printers. This is not a security flaw in the USB protocol, per-se, it's the retarded approach taken by the device hardware manufacturers to secure their firmware (read: no security at all). The same lack-of security issues affect devices on any kind of bus like SCSI, SATA, Firewire and Thunderbolt/Lightning.

    1. Re:Wired shouldn't write tech articles by fuzzyfuzzyfungus · · Score: 1

      It isn't USB specific(indeed, firewire and thunderbolt have rather juicier access to the system); but it is a bit of an issue because USB is the cheap, ubiquitous, externally exposed, bus for which all common OSes will happily support a fair variety of useful device types (USB HID, MSC, etc.) by default and without much user interaction.

      The others tend to be less common, more expensive, and/or much less often externally exposed. None are innocent; but USB certainly looks like the most dangerous culprit.

  10. Re:Write protect switch. by QuantumLeaper · · Score: 2

    I have a 32 Meg USB flash drive that has a switch also. The problem I had was the switch was the first thing that died on it, and it was in Write Protect mode.

  11. Write-protect the microcontroller firmware, silly. by Chirs · · Score: 1

    What we need is a physical switch that write-protects the microcontroller firmware. Most people would never want to update the firmware on their USB controller so it can default to "off".

  12. physical write protect for the firmware by Chirs · · Score: 1

    What we need is a physical write-protect switch for the firmware itself, as well as for the contents of the drive.

    It wouldn't be hard to have a single pin control whether or not the microcontroller firmware can be written to.

  13. It's the September thing again, lol. by Grog6 · · Score: 1

    lol.

    --
    Truth isn't Truth - Guliani
  14. Those little windows... by Grog6 · · Score: 4, Informative

    ...were made of fused quartz, because UV wont go thru normal glass.

    That's why the erasable ones were so expensive.

    --
    Truth isn't Truth - Guliani
  15. Re:Write-protect the microcontroller firmware, sil by Anonymous Coward · · Score: 1

    No, what we need is an OS that doesn't just assume that any commands given by any random thing that claims to be a keyboard have come from the user of the computer.

  16. portability and HID by raymorris · · Score: 1

    Scsi and sata devices aren't typically carried around being connected to different computers, so there's a much lower risk of them spreading an infection. The other interconnects also aren't used for keyboards, so any action by the device can be confirmed or denied by the user, if they have the ability to take those actions at all. For example , there's no sata command an esata drive can issue for "erase the boot drive" or "log the user's keystrokes ". Since a USB device can represent itself as the keyboard, it effectively IS thw user, as far as the rest of the system is concerned. Pop-up a confirmation dialog? The usb "keyboard" can press enter to confirm it's own actions.

    1. Re:portability and HID by Anonymous Coward · · Score: 1

      Since a USB device can represent itself as the keyboard, it effectively IS thw user, as far as the rest of the system is concerned. Pop-up a confirmation dialog? The usb "keyboard" can press enter to confirm it's own actions.

      Why not just make the confirmation dialog require a different (or different type of) input device to confirm a newly-connected one? E.g., a 'new keyboard' connection would have to be verified via mouse gesture and vice versa, or keyboard2 would need input from keyboard1 (if no other type of device was present), etc. After all, it's probably slightly less likely that ALL of a user's connected USB devices are malicious...

  17. Re:Write-protect the microcontroller firmware, sil by mythosaz · · Score: 1

    That's the problem. We certainly want to just be able to plug in a HID and have it work. How do you propose that a keyboard be distinguished from an evil_keyboard?

    http://en.wikipedia.org/wiki/E... ?

  18. Re:Write-protect the microcontroller firmware, sil by RandomAdam · · Score: 2

    Well obviously we just ignore anything that has the evil bit set!

    --
    @Random_Adam

    Sometimes a sig doesn't have to be funny!!
  19. Easy solution by Anonymous Coward · · Score: 1

    Just make the "firmware" on the usb devices non-re-writable/non-upgradeable. These USB devices don't need firmware upgrades at all, and they are so inexpensive these days that they are easily replaceable. Problem solved!

  20. Re:Write-protect the microcontroller firmware, sil by Pastis · · Score: 2

    The same way a smartphone doesn't allow you to expose its internals to a connected computer without requiring user authorisation. From the OS: you've connected a new keyboard. Do you want to accept this device?

    --
    Sneak teach kids Algebra using a game
  21. Re:Write-protect the microcontroller firmware, sil by Anonymous Coward · · Score: 1

    I propose all devices which are not evil sets a good bit, since we can not trust the evil devices to set the evil bit. then it is a simple matter of blindly trusting the good bit, i dont see what could go wrong.

  22. Re:Write-protect the microcontroller firmware, sil by Anonymous Coward · · Score: 1

    Keyboard not found, press enter to continue.

  23. Re:Write-protect the microcontroller firmware, sil by Anonymous Coward · · Score: 1

    Do not forget that on each reboot of the device you will have to re-authorize each device again, on your regular desktop pc that is a keyboard, mouse and probably a user password before you get to do anything...

    You can not store this information for reboots (or returning from sleep/hibernation for that matter) since the device could be unplugged and replaced with a fake one that spoofs the old device and adds a little extra fun.

    There is also nothing that prevents a keyboard from working like a normal keyboard for a while, then if it detects inactivity for a period it will try to send an evil command. You authorized it when you plugged it in, then went for coffee...

  24. Re:Been there, seen that, done that. by jones_supa · · Score: 1

    Neither Win, Linux or AIO printer can write to it when the slider is under the closed padlock symbol, so I think the protection is electric airgap based, not just software magic.

    It probably controls the write protect pin of the USB flash controller. For example pin 7 in UT163.

  25. keyboard breaks = computer trashed, ANY compromise by raymorris · · Score: 2

    An obvious problem with requiring the old hid to validate the new one is that a broken keyboard can't be replaced . Many times, there is no mouse (servers, ada, atm, etc) or the keyboard and mouse are one usb plug (wireless keyboard and mouse) . So you have one hid device and when it breaks you have no known hid device.

    > as long as at least one isn't compromised

    A compromised hid can trivially infect the computer. Wait until 3AM when nobody is looking, then echo the keyboard shortcut to open IE and download badusb.exe. Badusb.exe then infects any new USB devices connected. Therefore, this is the opposite of diverse double- if ANY are infected, they'll all get infected.

  26. Severity not understood by media or most people by fuzzyf · · Score: 3, Insightful

    This is slashdot and even here many people do not understand what this is all about.
    People tend to think it's only a virus that is written to a flashdrive and it's not really that new or big of a threat, or that someone will create a usb-"firewall".

    The fact that this vulnerability can be exploited in so many different ways, and even be persistent on a computer after infection (internal usb devices like webcam can be infected) makes it almost impossible to mitigate

  27. Re:Write-protect the microcontroller firmware, sil by AmiMoJo · · Score: 1

    Dangerously close to "Keyboard error. Press any key to continue."

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  28. Re:Write-protect the microcontroller firmware, sil by plover · · Score: 1

    Maybe, just like with CD-ROMs, the OS should ignore the new keyboard until it is explicitly told what to do with it. Sure, it'd be a pain in the ass, but it's also a pain in the ass that my Linux system wants my password for every trivial thing I decide to do. Just add "plug in a new keyboard" to that list.

    That's particularly tricky with keyboards. I still remember booting a computer with no keyboard, and a BIOS error message telling me "Keyboard not detected. Press F1 to continue."

    --
    John
  29. Re:Write-protect the microcontroller firmware, sil by LihTox · · Score: 1

    Or even just "You have attached a keyboard," and delay 3 seconds before the keyboard is active. If you see that message when you plug in a USB drive or printer or something, you say "Oh crap!" and unplug it quick.

  30. Re:Write-protect the microcontroller firmware, sil by mythosaz · · Score: 1

    That still doesn't stop evil_keyboard.

    evil_keyboard looks like a normal keyboard but waits until there's no activity for 2 hours and then sends a series of keystrokes.

  31. Re:Write-protect the microcontroller firmware, sil by zwarte+piet · · Score: 1

    I usually only see stars from bumping my head on the bottom of my desk after inserting a usb device. Takes a bit more than 3 seconds to have the eyes back on the screen.

  32. I have always disliked USB drives by hexchaimen · · Score: 1

    Since NYBV I have mistrusted any media that can be be shared like a floppy disk. I have one USB drive with a live version of SuSE for non networked devices. Other than that, boot from network, and using the network to move files has always been my favorite way. I wonder if this could affect eSATA devices??