Slashdot Mirror

← Back to Stories (view on slashdot.org)

Hacking USB Firmware

Posted by timothy on from the fun-profit-what's-the-difference dept.

An anonymous reader writes Now the NSA isn't the only one who can hack your USB firmware: "In a talk at the Derbycon hacker conference in Louisville, Kentucky last week, researchers Adam Caudill and Brandon Wilson showed that they've reverse engineered the same USB firmware as Nohl's SR Labs, reproducing some of Nohl's BadUSB tricks. And unlike Nohl, the hacker pair has also published the code for those attacks on Github, raising the stakes for USB makers to either fix the problem or leave hundreds of millions of users vulnerable." Personally, I always thought it was insane that USB drives don't come with physical write-protect switches to keep them from being infected by malware. (More on BadUSB here.)

15 of 97 comments (clear)

  1. back in my day... by Anonymous Coward · · Score: 5, Funny

    we used black tape over the write protect notch on our floppy disks and we LIKED IT THAT WAY

    1. Re:back in my day... by Anonymous Coward · · Score: 5, Informative

      Back in my day we used to cut another write enable notch on the opposite side of floppy disks so we could write data on both sides.

    2. Re:back in my day... by Anonymous Coward · · Score: 3, Funny

      How would that work? Unless you removed the metal cover that protects the disk.

    3. Re:back in my day... by K.+S.+Kyosuke · · Score: 4, Funny

      You need a bigger tool - once you go big black eight inches, you never go back.

      --
      Ezekiel 23:20
  2. Signed Firmware by Microlith · · Score: 4, Insightful

    A write-protect switch won't help you here, Timothy. They're going and reflashing the microcontroller, which means vendors will probably just burn a public key into the microcontroller and refuse to boot if the image signature doesn't match. They'll still have the firmware update capability they'll never use, but won't have to worry about attacks like this - short of someone stealing their private key.

    1. Re:Signed Firmware by Anonymous Coward · · Score: 4, Insightful

      Firmware signing will help that vector but that's only one type of threat.

      Your average USB/SD/whaterver flash storage device contains an interface/flash controller SoC that has 100(ish)mhz 32bit arm/mips core, some ram, and it's own embeded flash.

      These things are made by the millions every day, as cheaply as possible. They then go in to devices users jam in to every available port on their computers without a second thought.

      Anyone who's remotely aware of what computing security is all about knows what this means. You can't trust USB devices. Your hardware and OS /must/ treat them as hostile. You are effectively interfacing unknown/untrusted/un-auditable computer systems with trusted ones.

      Any flash device could carry hidden code you can't audit, and it's being given physical access to user's computers as a matter of of course. A few changed lines of code could turn a factory programming process in to a mass exploit vector.

      How secure do you think your OS's USB stack is? How will it behave if, say, that flash drive re-initializes itself as a composite device with an HID keyboard/mouse and starts spitting out commands? How do your tell your computer to only obey input from authorized keyboards and mice? A USB device can present itself as just about anything. Input, network interface, storage device...

    2. Re:Signed Firmware by DMUTPeregrine · · Score: 3, Informative

      They're not writing to the filesystem, so that won't help.

      --
      Not a sentence!
    3. Re:Signed Firmware by jafac · · Score: 3, Funny

      Well, back in my day, you used to have to expose the IC to a UV light to get it to clear the registers so you could even install a new firmware. These young kids with their newfangled firmware flash images! (get off my lawn)

      --

      These are my friends, See how they glisten. See this one shine, how he smiles in the light.
    4. Re:Signed Firmware by TheRaven64 · · Score: 4, Informative

      You're completely misunderstanding the problem. It has nothing to do with flash drives, it has to do with USB devices, some of which happen to appear as block devices. Every USB device that you plug in has a controller chip, which runs a small program (the firmware) that implements the client part of the USB specification. Some of these are quite complex. There was an attack a few years ago on USB keyboards: some models come with 128KB of flash but only use 65KB for the firmware. You can replace the firmware with something malicious and have 31KB to cache keylog data for emptying when you plug in a specific device.

      The firmware on the controller chips is not public, not audited, and generally written by people who have no idea about security. If there's a bug in it that allows a compromise, then you can use the controller to attack the host system. Lots of USB drivers behave poorly in the presence of malformed USB protocol messages, so all you need is to find one buffer overflow and you've got a kernel-mode exploit. Worse, some of the vulnerabilities are not in the drivers, but in the firmware of the USB host controller chip on the motherboard. If you can compromise that, then you can sniff a load of messages going across the bus in a way that's completely undetectable from the OS.

      --
      I am TheRaven on Soylent News
  3. Re:Write protect switch. by Anonymous Coward · · Score: 3, Insightful

    placebos are great aren't they

    that write protect switch is likely something enforced by the firmware, and likely not something that can enforce writing to the firmware

  4. Wired shouldn't write tech articles by Anonymous Coward · · Score: 3, Interesting

    TFA's author lazily uses the term "USB" to mean "USB storage device" as in USB flash sticks, hard disks and optical drives. But in reality this firmware issue affects all USB devices including mice, keyboard, printers. This is not a security flaw in the USB protocol, per-se, it's the retarded approach taken by the device hardware manufacturers to secure their firmware (read: no security at all). The same lack-of security issues affect devices on any kind of bus like SCSI, SATA, Firewire and Thunderbolt/Lightning.

  5. Those little windows... by Grog6 · · Score: 4, Informative

    ...were made of fused quartz, because UV wont go thru normal glass.

    That's why the erasable ones were so expensive.

    --
    Truth isn't Truth - Guliani
  6. Re:Locking USB... by Marillion · · Score: 4, Informative

    Lock Switch? Then you don't understand the problem. The problem is that in many USB Flash are two chips: a computer and memory. The host PC communicates with the USB controller and the controller talks to the memory. Most controllers are just a version of the 8051 CPU with USB logic bolted on. The lock switch would be a high-level function that returns an error on a generic block device write command. Hacking the USB device isn't hacking the flash memory, it's hacking the firmware on the 8051. The Device Firmware Update function of USB that allowed that 8051 computer to be reprogrammed should be disabled.

    --
    This is a boring sig
  7. Severity not understood by media or most people by fuzzyf · · Score: 3, Insightful

    This is slashdot and even here many people do not understand what this is all about.
    People tend to think it's only a virus that is written to a flashdrive and it's not really that new or big of a threat, or that someone will create a usb-"firewall".

    The fact that this vulnerability can be exploited in so many different ways, and even be persistent on a computer after infection (internal usb devices like webcam can be infected) makes it almost impossible to mitigate

  8. Re:Locking USB... by AmiMoJo · · Score: 4, Informative

    On page 6 I find out that the write enable signal is called WE, like always. And on page 7 I find out that it's on pin 18. What do you suppose happens if I switch open pin 18?

    Most likely the whole device would stop working completely. You probably wanted the WP (write protect) line. The WE line is used for other functionality, as explained on page 9.

    Even then, you are looking at the wrong flash memory. You are looking at the bulk memory used for storing user data. The microcontroller that handles the USB interface has its own internal flash memory, typically quite small at less than 1M words. That is where it's program code is stored, and microcontrollers rarely have an external write protect pin. Sometimes there is memory protection built in, but typically it only prevents you reading the program code and doesn't stop you erasing and replacing it with your own. Besides which, many deliberately include a handy bootloader so that the manufacturer can easily write their firmware over the USB interface without special tools.

    Even if you somehow did secure the microcontroller it wouldn't be hard to replace with a hot air gun. Basically, no matter what you do, USB devices can't be trusted.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC