Your USB device could be harboring dangerous software that’s difficult to detect or remove. At least, it is possible to create such software. A talk at Black Hat 2014 explained how it works.
Researchers Karsten Nohl, Sascha Krißler, and Jakob Lell of Security Research Labs in Berlin discovered a design issue with USB devices. They call it BadUSB. I’ll summarize, but you can watch the complete session here.
The basic idea is that USB devices, including the popular “thumb” flash drives, contain embedded processors (small microcontrollers). Those processors need software, called firmware, to operate, and on many devices that firmware can be rewritten over the USB connection itself. The intent was that the software could be updated to fix bugs or add features, but the same update path can be used to install malicious firmware. The firmware is, in effect, the operating system of the device.
The researchers worked out how the update is done and how to control the device through replaced firmware. In doing so they learned how to reprogram a device so that it claims to be something it is not when it is connected to a computer. A flash drive can announce itself as a keyboard, for example, and then type commands into the system as though a user were sitting at it. Yes, it is as dangerous as it sounds: they demonstrated a thumb drive that takes over a Windows PC this way so that it can be controlled remotely, and a phone that poses as a USB network adapter and quietly redirects the PC’s network traffic. Any USB device whose firmware can be rewritten can carry the attack.
Part of the issue is the way USB works. When a device is plugged in, the host asks it to describe itself (this is called enumeration), and the device answers with a set of descriptors saying, in effect, “Hi, I am a disk.” or “Hi, I am a sound card.” or whatever; a single device may claim several roles at once. The host believes whatever the device says and tells the operating system (e.g. MS Windows) to load the matching drivers. There is no way to verify that the claim is true, or that this is the same device you plugged in last week. A mobile phone will sometimes show up as both a camera and a storage device when connected to a PC, for instance, which is the same mechanism used legitimately. This kind of blind trust is at the center of the attack.
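To make the enumeration step concrete, here is an added example (not code from the researchers or from this post) that parses the descriptors a device hands the host and applies the kind of allowlist policy a host could enforce before binding drivers, much as tools such as usbguard on Linux do. The descriptor bytes, the vendor/product ID 1234:0001, the allowlist and the class list are all constructed for the example. The point to notice is that a drive enrolled as “mass storage only” that suddenly offers a keyboard interface is exactly what a BadUSB-style reflash looks like from the host, while a reprogrammed device that keeps its original descriptors would pass this check unnoticed; the policy limits what a device may claim, it does not authenticate the device.

```python
"""Parse USB enumeration descriptors and apply a host-side allowlist policy."""
from __future__ import annotations

import struct
from dataclasses import dataclass

DT_DEVICE, DT_CONFIG, DT_INTERFACE = 0x01, 0x02, 0x04
CLASS_NAMES = {0x02: "CDC", 0x03: "HID", 0x08: "Mass Storage", 0x0A: "CDC-Data", 0xE0: "Wireless"}
# Interface classes that let a device inject input or carry network traffic.
# An unknown device offering any of these is refused until an operator enrols it.
INPUT_OR_NETWORK = {0x02, 0x03, 0x0A, 0xE0}


@dataclass
class Interface:
    number: int
    cls: int
    subclass: int
    protocol: int


@dataclass
class Device:
    vid: int
    pid: int
    interfaces: list[Interface]


def parse_device_descriptor(buf: bytes) -> tuple[int, int]:
    """Return (idVendor, idProduct) from an 18-byte device descriptor."""
    if len(buf) < 18 or buf[0] != 18 or buf[1] != DT_DEVICE:
        raise ValueError("not a device descriptor")
    vid, pid = struct.unpack_from("<HH", buf, 8)  # little-endian, at offset 8
    return vid, pid


def parse_config_descriptor(buf: bytes) -> list[Interface]:
    """Walk the configuration descriptor and everything chained after it
    (interface, endpoint, HID descriptors) and collect the interfaces claimed."""
    if len(buf) < 9 or buf[0] != 9 or buf[1] != DT_CONFIG:
        raise ValueError("not a configuration descriptor")
    (total,) = struct.unpack_from("<H", buf, 2)  # wTotalLength
    if total > len(buf):
        raise ValueError("configuration descriptor truncated")
    interfaces, off = [], 0
    while off + 2 <= total:
        blen, btype = buf[off], buf[off + 1]
        # A zero bLength would loop forever and a descriptor running past
        # wTotalLength is malformed: reject both instead of guessing.
        if blen < 2 or off + blen > total:
            raise ValueError(f"malformed descriptor at offset {off}")
        if btype == DT_INTERFACE and blen >= 9:
            number, _alt, _num_ep, cls, sub, proto = buf[off + 2:off + 8]
            interfaces.append(Interface(number, cls, sub, proto))
        off += blen
    return interfaces


def _class_names(classes: set[int]) -> str:
    return ", ".join(CLASS_NAMES.get(c, f"0x{c:02x}") for c in sorted(classes))


def authorize(dev: Device, allowlist: dict[tuple[int, int], set[int]]) -> tuple[bool, str]:
    """Decide whether the host should bind drivers to this device."""
    offered = {i.cls for i in dev.interfaces}
    key = (dev.vid, dev.pid)
    if key in allowlist:
        extra = offered - allowlist[key]
        if extra:
            return False, (f"{dev.vid:04x}:{dev.pid:04x} now offers {_class_names(extra)}, "
                           "which it was not enrolled with: possible reprogrammed firmware")
        return True, "enrolled device, interfaces match"
    risky = offered & INPUT_OR_NETWORK
    if risky:
        return False, f"unknown device offers {_class_names(risky)}; refuse until an operator enrols it"
    return True, "unknown device offers no input or network interfaces"


def check(device_desc: bytes, config_desc: bytes, allowlist) -> tuple[bool, str]:
    vid, pid = parse_device_descriptor(device_desc)
    return authorize(Device(vid, pid, parse_config_descriptor(config_desc)), allowlist)


# Constructed sample descriptors for a hypothetical vendor 0x1234, product 0x0001.
DEVICE_DESC = bytes.fromhex("12 01 00 02 00 00 00 40 34 12 01 00 00 01 01 02 03 01")
# The thumb drive as enrolled: a single bulk-only SCSI mass-storage interface.
CONFIG_STORAGE_ONLY = bytes.fromhex(
    "09 02 20 00 01 01 00 80 32"   # configuration, wTotalLength = 32, one interface
    "09 04 00 00 02 08 06 50 00"   # interface 0: class 0x08 mass storage
    "07 05 81 02 40 00 00"         # bulk IN endpoint
    "07 05 02 02 40 00 00"         # bulk OUT endpoint
)
# The same drive after a BadUSB-style reflash: it additionally claims a boot keyboard.
CONFIG_STORAGE_PLUS_KEYBOARD = bytes.fromhex(
    "09 02 39 00 02 01 00 80 32"   # wTotalLength = 57, two interfaces
    "09 04 00 00 02 08 06 50 00"
    "07 05 81 02 40 00 00"
    "07 05 02 02 40 00 00"
    "09 04 01 00 01 03 01 01 00"   # interface 1: class 0x03 HID, boot keyboard
    "09 21 11 01 00 01 22 3f 00"   # HID descriptor
    "07 05 83 03 08 00 0a"         # interrupt IN endpoint for key reports
)
ALLOWLIST = {(0x1234, 0x0001): {0x08}}  # enrolled as storage only

if __name__ == "__main__":
    for label, cfg in (("enrolled drive", CONFIG_STORAGE_ONLY),
                       ("same drive, reflashed", CONFIG_STORAGE_PLUS_KEYBOARD)):
        ok, why = check(DEVICE_DESC, cfg, ALLOWLIST)
        print(f"{label:22s} -> {'ALLOW' if ok else 'BLOCK'}: {why}")
```

Run stand-alone it allows the enrolled drive and blocks the reflashed one. Note that a real host only sees the descriptors after the device has been enumerated, so this kind of policy has to sit between enumeration and driver binding; it cannot stop the device from announcing itself.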
There are two issues here worth discussing: blind trust and the ability of the devices to be upgraded. As the researchers pointed out, the latter can really only be managed by disabling it in hardware, so that the controller refuses firmware updates once the device has shipped. Ideally, vendors would accept only cryptographically signed updates, but as the researchers note, that just isn’t feasible on the cheap controllers built into today’s devices. That environment also makes it unlikely that the blind trust issue can be solved with some kind of device authentication scheme any time soon.
This is a significant issue and likely affects other, non-USB embedded systems, too. Wherever firmware can be updated, whether over a direct, wireless or other connection, the same problem can arise. For now, avoid loaning your USB devices to others or plugging them into computers you don’t control, and be equally wary of plugging devices of unknown origin into yours. Keep in mind that the firmware is not visible to the host, so scanning a device’s storage for malware or reformatting it tells you nothing about what its controller is running. Those precautions should significantly reduce the likelihood of infection.
We don’t talk directly about embedded systems much in Learning Tree’s System and Network Security Introduction course. We do talk about the issues of trust and authentication, though, because they apply in lots of places.
I’d like to know what you think about this. If you watched the video, did the presentation make sense? Let us know in the comments below.
To your safe computing,