Slashdot Mirror


Hacking USB Firmware

An anonymous reader writes Now the NSA isn't the only one who can hack your USB firmware: "In a talk at the Derbycon hacker conference in Louisville, Kentucky last week, researchers Adam Caudill and Brandon Wilson showed that they've reverse engineered the same USB firmware as Nohl's SR Labs, reproducing some of Nohl's BadUSB tricks. And unlike Nohl, the hacker pair has also published the code for those attacks on Github, raising the stakes for USB makers to either fix the problem or leave hundreds of millions of users vulnerable." Personally, I always thought it was insane that USB drives don't come with physical write-protect switches to keep them from being infected by malware. (More on BadUSB here.)

24 of 97 comments

  1. back in my day... by Anonymous Coward · · Score: 5, Funny

    we used black tape over the write protect notch on our floppy disks and we LIKED IT THAT WAY

    1. Re:back in my day... by Anonymous Coward · · Score: 5, Informative

      Back in my day we used to cut another write enable notch on the opposite side of floppy disks so we could write data on both sides.

    2. Re:back in my day... by Anonymous Coward · · Score: 3, Funny

      How would that work? Unless you removed the metal cover that protects the disk.

    3. Re:back in my day... by Anonymous Coward · · Score: 2, Interesting

      Personally, I always thought it was insane that USB drives don't come with physical write-protect switches to keep them from being infected by malware.

      When they first came out, they had them. I think manufacturers started leaving them off because they could save a tenth of a cent on their cost. I still have a couple of old ones lying around with a switch, though they are small (like 128 MB).

    4. Re:back in my day... by K.+S.+Kyosuke · · Score: 4, Funny

      You need a bigger tool - once you go big black eight inches, you never go back.

      --
      Ezekiel 23:20
    5. Re:back in my day... by ogdenk · · Score: 2

      As if no other folks thought of this..... except every geek with a TRS-80, Atari 400/800/XL/XE, Apple II and Osborne I.....

  2. Signed Firmware by Microlith · · Score: 4, Insightful

    A write-protect switch won't help you here, Timothy. They're going and reflashing the microcontroller, which means vendors will probably just burn a public key into the microcontroller and refuse to boot if the image signature doesn't match. They'll still have the firmware update capability they'll never use, but won't have to worry about attacks like this - short of someone stealing their private key.

    1. Re:Signed Firmware by Anonymous Coward · · Score: 4, Insightful

      Firmware signing will help that vector but that's only one type of threat.

      Your average USB/SD/whatever flash storage device contains an interface/flash controller SoC that has a 100(ish) MHz 32-bit ARM/MIPS core, some RAM, and its own embedded flash.

      These things are made by the millions every day, as cheaply as possible. They then go into devices users jam into every available port on their computers without a second thought.

      Anyone who's remotely aware of what computing security is all about knows what this means. You can't trust USB devices. Your hardware and OS /must/ treat them as hostile. You are effectively interfacing unknown/untrusted/un-auditable computer systems with trusted ones.

      Any flash device could carry hidden code you can't audit, and it's being given physical access to users' computers as a matter of course. A few changed lines of code could turn a factory programming process into a mass exploit vector.

      How secure do you think your OS's USB stack is? How will it behave if, say, that flash drive re-initializes itself as a composite device with an HID keyboard/mouse and starts spitting out commands? How do you tell your computer to only obey input from authorized keyboards and mice? A USB device can present itself as just about anything. Input, network interface, storage device...

    2. Re:Signed Firmware by DMUTPeregrine · · Score: 3, Informative

      They're not writing to the filesystem, so that won't help.

      --
      Not a sentence!
    3. Re:Signed Firmware by jafac · · Score: 3, Funny

      Well, back in my day, you used to have to expose the IC to a UV light to get it to clear the registers so you could even install a new firmware. These young kids with their newfangled firmware flash images! (get off my lawn)

      --

      These are my friends, See how they glisten. See this one shine, how he smiles in the light.
    4. Re:Signed Firmware by FatdogHaiku · · Score: 2

      I feel like I died and woke up on a movie set.

      No, I'm sure that didn't happen. Here there's a low ratio of women and not a lot of good looking people, period.
      Congress maybe...

      --
      You have the right to remain sentient. If you give up the right to remain sentient, you will be elected to public office
    5. Re:Signed Firmware by TheRaven64 · · Score: 4, Informative

      You're completely misunderstanding the problem. It has nothing to do with flash drives, it has to do with USB devices, some of which happen to appear as block devices. Every USB device that you plug in has a controller chip, which runs a small program (the firmware) that implements the client part of the USB specification. Some of these are quite complex. There was an attack a few years ago on USB keyboards: some models come with 128KB of flash but only use 65KB for the firmware. You can replace the firmware with something malicious and have 31KB to cache keylog data for emptying when you plug in a specific device.

      The firmware on the controller chips is not public, not audited, and generally written by people who have no idea about security. If there's a bug in it that allows a compromise, then you can use the controller to attack the host system. Lots of USB drivers behave poorly in the presence of malformed USB protocol messages, so all you need is to find one buffer overflow and you've got a kernel-mode exploit. Worse, some of the vulnerabilities are not in the drivers, but in the firmware of the USB host controller chip on the motherboard. If you can compromise that, then you can sniff a load of messages going across the bus in a way that's completely undetectable from the OS.

      --
      I am TheRaven on Soylent News
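TheRaven64's point about drivers misbehaving on malformed USB protocol messages, and the earlier comment about a flash drive re-enumerating as a composite device with an HID interface, can both be made concrete from the host side. The following is an added example, not code from this thread or from the BadUSB researchers: a configuration-descriptor walker in Python that treats every device-supplied length (bLength, wTotalLength, bNumInterfaces) as hostile, refuses the whole configuration on the first inconsistency, and reports which interface classes the device is actually claiming. The descriptor bytes are constructed inside the block, and MAX_CONFIG_BYTES is an assumed host buffer size, not a value from any real driver.

```python
import struct
from typing import List, NamedTuple, Optional

# USB descriptor type and interface class codes from the USB 2.0 specification.
DT_CONFIGURATION = 0x02
DT_INTERFACE = 0x04
DT_ENDPOINT = 0x05
CLASS_HID = 0x03
CLASS_MASS_STORAGE = 0x08

# Assumed size of the host-side buffer the descriptor is read into; a real driver has
# some fixed cap of its own. Anything claiming more than this is refused outright.
MAX_CONFIG_BYTES = 4096


class DescriptorError(ValueError):
    """A device-supplied length that does not add up: the host rejects the whole configuration."""


class Interface(NamedTuple):
    number: int
    usb_class: int
    subclass: int
    protocol: int
    endpoints: int  # endpoint descriptors actually seen, not the device's bNumEndpoints claim


def parse_configuration(buf: bytes) -> List[Interface]:
    """Walk a configuration descriptor, validating every length field before using it."""
    if len(buf) < 9:
        raise DescriptorError("configuration descriptor shorter than 9 bytes")
    b_length, b_type, w_total, b_num_if = struct.unpack_from("<BBHB", buf, 0)
    if b_length != 9 or b_type != DT_CONFIGURATION:
        raise DescriptorError("not a configuration descriptor header")
    if w_total > MAX_CONFIG_BYTES:
        raise DescriptorError("wTotalLength exceeds the host buffer")
    if w_total > len(buf):
        raise DescriptorError("wTotalLength exceeds the bytes actually received")

    interfaces: List[Interface] = []
    off = b_length
    while off < w_total:
        remaining = w_total - off
        if remaining < 2:
            raise DescriptorError("trailing bytes too short to hold a descriptor header")
        d_len, d_type = buf[off], buf[off + 1]
        if d_len < 2:
            raise DescriptorError("bLength below 2 would make the walk loop forever")
        if d_len > remaining:
            raise DescriptorError("bLength runs past wTotalLength")
        if d_type == DT_INTERFACE:
            if d_len < 9:
                raise DescriptorError("interface descriptor truncated")
            f = struct.unpack_from("<9B", buf, off)  # bInterfaceNumber=f[2], class/sub/proto=f[5:8]
            interfaces.append(Interface(f[2], f[5], f[6], f[7], 0))
        elif d_type == DT_ENDPOINT:
            if d_len < 7:
                raise DescriptorError("endpoint descriptor truncated")
            if not interfaces:
                raise DescriptorError("endpoint descriptor before any interface")
            last = interfaces[-1]
            interfaces[-1] = last._replace(endpoints=last.endpoints + 1)
        # Other types (HID 0x21, vendor-specific) are skipped by a bLength already checked
        # against `remaining`, so a bogus length can never move `off` past the end.
        off += d_len
    if len({i.number for i in interfaces}) != b_num_if:
        raise DescriptorError("bNumInterfaces does not match the interfaces present")
    return interfaces


def interface_classes(buf: bytes) -> frozenset:
    """The interface classes a device claims in this enumeration (HID, mass storage, ...)."""
    return frozenset(i.usb_class for i in parse_configuration(buf))


def check(buf: bytes) -> Optional[str]:
    """None when the configuration is accepted, otherwise the reason the host refused it."""
    try:
        parse_configuration(buf)
    except DescriptorError as exc:
        return str(exc)
    return None


def build_configuration(specs) -> bytes:
    """Constructed sample data: (class, endpoint count) per interface -> descriptor bytes."""
    body = b""
    for number, (usb_class, n_ep) in enumerate(specs):
        body += struct.pack("<9B", 9, DT_INTERFACE, number, 0, n_ep, usb_class, 0, 0, 0)
        for ep in range(n_ep):
            body += struct.pack("<BBBBHB", 7, DT_ENDPOINT, 0x81 + ep, 0x02, 64, 0)
    head = struct.pack("<BBHBBBBB", 9, DT_CONFIGURATION, 9 + len(body), len(specs), 1, 0, 0x80, 50)
    return head + body


def _corrupt(buf: bytes, offset: int, value: bytes) -> bytes:
    out = bytearray(buf)
    out[offset:offset + len(value)] = value
    return bytes(out)


# Constructed samples, not captured from real hardware.
STORAGE_ONLY = build_configuration([(CLASS_MASS_STORAGE, 2)])
STORAGE_PLUS_KEYBOARD = build_configuration([(CLASS_MASS_STORAGE, 2), (CLASS_HID, 1)])
MALFORMED = {
    "zero bLength on first interface": _corrupt(STORAGE_ONLY, 9, b"\x00"),
    "interface bLength of 200": _corrupt(STORAGE_ONLY, 9, b"\xc8"),
    "wTotalLength of 65535": _corrupt(STORAGE_ONLY, 2, b"\xff\xff"),
    "wTotalLength longer than data sent": STORAGE_ONLY[:-3],
}
```

The zero-bLength and oversize-bLength cases are the two classic ways a descriptor walk goes wrong: the first never advances, the second reads past the buffer. Checking `d_len` against `remaining` on every iteration, before any byte of the sub-descriptor is used, turns both into a clean rejection, and a host that logs `DescriptorError` gets a signal that a device is speaking malformed USB rather than a crash. The `interface_classes` result is also the input a host needs to notice that a device which enumerated as storage yesterday now claims a keyboard interface.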
  3. Re:Write protect switch. by Anonymous Coward · · Score: 3, Insightful

    placebos are great aren't they

    that write protect switch is likely something enforced by the firmware, and likely not something that can enforce writing to the firmware

  4. Wired shouldn't write tech articles by Anonymous Coward · · Score: 3, Interesting

    TFA's author lazily uses the term "USB" to mean "USB storage device", as in USB flash sticks, hard disks and optical drives. But in reality this firmware issue affects all USB devices including mice, keyboards, printers. This is not a security flaw in the USB protocol, per se, it's the retarded approach taken by the device hardware manufacturers to secure their firmware (read: no security at all). The same lack-of-security issues affect devices on any kind of bus like SCSI, SATA, Firewire and Thunderbolt/Lightning.

  5. Re:Write protect switch. by QuantumLeaper · · Score: 2

    I have a 32 Meg USB flash drive that has a switch also. The problem I had was the switch was the first thing that died on it, and it was in Write Protect mode.

  6. Those little windows... by Grog6 · · Score: 4, Informative

    ...were made of fused quartz, because UV won't go through normal glass.

    That's why the erasable ones were so expensive.

    --
    Truth isn't Truth - Giuliani
  7. Re:Write-protect the microcontroller firmware, sil by RandomAdam · · Score: 2

    Well obviously we just ignore anything that has the evil bit set!

    --
    @Random_Adam

    Sometimes a sig doesn't have to be funny!!
  8. Re:Locking USB... by Marillion · · Score: 4, Informative

    Lock Switch? Then you don't understand the problem. The problem is that in many USB flash drives there are two chips: a computer and memory. The host PC communicates with the USB controller and the controller talks to the memory. Most controllers are just a version of the 8051 CPU with USB logic bolted on. The lock switch would be a high-level function that returns an error on a generic block device write command. Hacking the USB device isn't hacking the flash memory, it's hacking the firmware on the 8051. The Device Firmware Update function of USB that allowed that 8051 computer to be reprogrammed should be disabled.

    --
    This is a boring sig
  9. Re:Write-protect the microcontroller firmware, sil by Pastis · · Score: 2

    The same way a smartphone doesn't allow you to expose its internals to a connected computer without requiring user authorisation. From the OS: you've connected a new keyboard. Do you want to accept this device?

  10. Re:Locking USB... by drinkypoo · · Score: 2

    Lock Switch? Then you don't understand the problem.

    Right back at you.

    The lock switch would be a high-level function that returns an error on a generic block device write command. Hacking the USB device isn't hacking the flash memory, it's hacking the firmware on the 8051.

    I downloaded the first flash datasheet I could google, by way of proving that you have not the first clue what you are on about. It was for the Hynix HY27UF084G2M (512Mx8bit) NAND Flash chip. On page 6 I find out that the write enable signal is called WE, like always. And on page 7 I find out that it's on pin 18. What do you suppose happens if I switch open pin 18?

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  11. keyboard breaks = computer trashed, ANY compromise by raymorris · · Score: 2

    An obvious problem with requiring the old HID to validate the new one is that a broken keyboard can't be replaced. Many times, there is no mouse (servers, ADA, ATM, etc.) or the keyboard and mouse are one USB plug (wireless keyboard and mouse). So you have one HID device and when it breaks you have no known HID device.

    > as long as at least one isn't compromised

    A compromised HID can trivially infect the computer. Wait until 3 AM when nobody is looking, then echo the keyboard shortcut to open IE and download badusb.exe. Badusb.exe then infects any new USB devices connected. Therefore, this is the opposite of diverse double: if ANY are infected, they'll all get infected.
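Pastis suggests the OS ask before accepting a new keyboard, and raymorris objects that with a single HID device the prompt cannot be answered once that device breaks. The policy engine below is an added example, not code from this thread or from any real operating system, that makes that trade-off explicit: devices are keyed by vendor id, product id and serial; a device that re-enumerates with a different interface set than the one it was authorized with is blocked (the stick-turns-into-keyboard case from earlier in the thread); a new HID device gets a prompt only when a trusted input device is attached to answer it; and an HID-only device arriving when no trusted input exists is allowed provisionally and written to an audit log rather than locking the user out. The vendor ids, product ids and serials are made up for the example.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, FrozenSet, List, Tuple

CLASS_HID = 0x03
CLASS_MASS_STORAGE = 0x08

DeviceKey = Tuple[int, int, str]  # (idVendor, idProduct, iSerialNumber)


class Decision(Enum):
    ALLOW = "allow"
    BLOCK = "block"
    PROMPT = "prompt"  # ask the user, on an input device that is already trusted


@dataclass(frozen=True)
class Device:
    vid: int
    pid: int
    serial: str
    classes: FrozenSet[int]  # interface classes presented in this enumeration

    @property
    def key(self) -> DeviceKey:
        return (self.vid, self.pid, self.serial)


@dataclass
class HostPolicy:
    # Devices the user approved earlier, with the interface set they had when approved.
    authorized: Dict[DeviceKey, FrozenSet[int]] = field(default_factory=dict)
    # Devices currently attached; used to decide whether a prompt can be answered at all.
    attached: List[Device] = field(default_factory=list)
    audit: List[str] = field(default_factory=list)

    def authorize(self, dev: Device) -> None:
        self.authorized[dev.key] = dev.classes

    def attach(self, dev: Device) -> None:
        self.attached.append(dev)

    def trusted_input_present(self) -> bool:
        """An authorized HID device, still presenting the interface set it was approved with."""
        return any(CLASS_HID in d.classes and self.authorized.get(d.key) == d.classes
                   for d in self.attached)

    def evaluate(self, dev: Device) -> Tuple[Decision, str]:
        known = self.authorized.get(dev.key)
        if known is not None:
            if known == dev.classes:
                return Decision.ALLOW, "previously authorized, interface set unchanged"
            # Same vendor/product/serial, new interfaces: a storage device that now also
            # claims to be a keyboard is exactly the composite-device trick in the thread.
            return Decision.BLOCK, (f"interface set changed after authorization: "
                                    f"{sorted(known)} -> {sorted(dev.classes)}")
        if CLASS_HID not in dev.classes:
            return Decision.ALLOW, "no input interface, so nothing to inject keystrokes with"
        if self.trusted_input_present():
            return Decision.PROMPT, "new input device; confirm on the trusted keyboard or mouse"
        if dev.classes == frozenset({CLASS_HID}):
            # raymorris's case: the only keyboard broke and there is nothing to answer a
            # prompt with. Let a plain HID device in, but leave a record for the defender.
            self.audit.append(f"provisional allow of HID-only device {dev.key}: "
                              f"no trusted input attached to approve it")
            return Decision.ALLOW, "no trusted input attached; HID-only device allowed provisionally and logged"
        return Decision.BLOCK, "new composite device with HID while no trusted input can approve it"


# Constructed sample devices; ids and serials are made up.
TRUSTED_KEYBOARD = Device(0x1234, 0x0001, "KB-0001", frozenset({CLASS_HID}))
FLASH_STICK = Device(0x5678, 0x0100, "ST-0100", frozenset({CLASS_MASS_STORAGE}))
STICK_REENUMERATED = Device(0x5678, 0x0100, "ST-0100", frozenset({CLASS_MASS_STORAGE, CLASS_HID}))
NEW_KEYBOARD = Device(0x1234, 0x0002, "KB-0002", frozenset({CLASS_HID}))
NEW_COMPOSITE = Device(0x9ABC, 0x0001, "CX-0001", frozenset({CLASS_HID, CLASS_MASS_STORAGE}))


def run_scenario() -> Dict[str, Decision]:
    """The cases from the thread: a desk with a trusted keyboard, then a headless server with none."""
    desk = HostPolicy()
    desk.authorize(TRUSTED_KEYBOARD)
    desk.attach(TRUSTED_KEYBOARD)
    desk.authorize(FLASH_STICK)
    server = HostPolicy()  # nothing authorized, no keyboard attached
    return {
        "known keyboard": desk.evaluate(TRUSTED_KEYBOARD)[0],
        "known stick": desk.evaluate(FLASH_STICK)[0],
        "stick re-enumerates with HID": desk.evaluate(STICK_REENUMERATED)[0],
        "new keyboard at desk": desk.evaluate(NEW_KEYBOARD)[0],
        "new keyboard on headless server": server.evaluate(NEW_KEYBOARD)[0],
        "new HID+storage on headless server": server.evaluate(NEW_COMPOSITE)[0],
    }
```

The interesting rule is the change-of-interface-set check: it needs no knowledge of the firmware at all, only the observation that a device approved as storage is now claiming input, which is the one host-visible symptom of the attack the thread describes. The provisional-allow branch is a deliberate weakening to avoid raymorris's lock-out, which is why it writes to an audit log; a site that would rather stay locked out can replace that `ALLOW` with `BLOCK` without touching the rest.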

  12. Severity not understood by media or most people by fuzzyf · · Score: 3, Insightful

    This is Slashdot and even here many people do not understand what this is all about.
    People tend to think it's only a virus that is written to a flash drive and it's not really that new or big of a threat, or that someone will create a USB "firewall".

    The fact that this vulnerability can be exploited in so many different ways, and even be persistent on a computer after infection (internal USB devices like webcams can be infected), makes it almost impossible to mitigate.

  13. Re:Locking USB... by BadDreamer · · Score: 2

    You can lock the flash memory as much as you like. The PRAM on the Phison chip is unaffected.

    What is being reprogrammed is the Phison control chip. There is no write enable pin on the Phison chip. It has a pin to control the write lock of the flash memory, but that has no effect on the Phison PRAM where the firmware resides.

  14. Re:Locking USB... by AmiMoJo · · Score: 4, Informative

    On page 6 I find out that the write enable signal is called WE, like always. And on page 7 I find out that it's on pin 18. What do you suppose happens if I switch open pin 18?

    Most likely the whole device would stop working completely. You probably wanted the WP (write protect) line. The WE line is used for other functionality, as explained on page 9.

    Even then, you are looking at the wrong flash memory. You are looking at the bulk memory used for storing user data. The microcontroller that handles the USB interface has its own internal flash memory, typically quite small at less than 1M words. That is where its program code is stored, and microcontrollers rarely have an external write protect pin. Sometimes there is memory protection built in, but typically it only prevents you reading the program code and doesn't stop you erasing and replacing it with your own. Besides which, many deliberately include a handy bootloader so that the manufacturer can easily write their firmware over the USB interface without special tools.

    Even if you somehow did secure the microcontroller it wouldn't be hard to replace with a hot air gun. Basically, no matter what you do, USB devices can't be trusted.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC