USB thumb drives have made people nervous for some time. We worry about hostile data lurking in their VFAT file systems. Data loss prevention (or DLP) struggles to keep sensitive data from leaking out of organizations on the convenient tiny devices. But now we’ve learned over the past few months that USB devices pose even worse threats.
Worse in two ways — the problem cannot be solved by a software patch, and the very existence of the problem cannot be seen by the operating system. How can this be?
Security researchers Karsten Nohl and Jakob Lell presented work they named BadUSB at the Black Hat security conference in early August. They reverse engineered the firmware residing within the chips inside the USB devices. The design intends for the firmware to provide a standardized interface to the operating system. For a thumbdrive, the operating system sees a mass storage device. The operating system doesn’t have to deal with the lowest level details of communicating with the flash memory. Whether it’s a simple thumbdrive, or your camera, or one of those little thumbdrive-like memory chip adapters, the computer sees a common mass storage interface.
The problem demonstrated by BadUSB is that you can change the firmware and trick the operating system. The firmware is proprietary and so we have no “known good” copies with this to make comparisons. A hostile USB device could covertly move data on and off the platform. It could subvert other USB devices by modifying their firmware. A hostile thumbdrive might provide its expected function of mass storage so as to avoid discovery, but it could also masquerade as any other USB-connected device.
That last one is the big one. A hostile USB device could masquerade as a keyboard and inject keystrokes. It could also masquerade as a network device, either wired Ethernet or wireless, and modify the system’s routing table and DNS resolution.
In Learning Tree’s System and Network Security Introduction course we emphasize the importance of prompt patching. Unfortunately, this isn’t a patchable problem. We need to change the way we use USB devices.
Malware can move both directions between USB devices and systems. So, we shouldn’t plug an untrusted device into our computer, nor should we plug our device into an untrusted computer.
Practical exploit code has been posted on Github, so behavior needs to change now. Be careful!