Equipo Nizkor
        Bookshop | Donate
Derechos | Equipo Nizkor       


BadUSB returns: Hackers publish code that could infect millions of USB devices

Back in July, we wrote about a massive security hole -- BadUSB -- that potentially gave hackers the ability to hijack or subvert billions of USB devices, from keyboards to printers to thumb drives. At the time, due to the severity of the issue, the researchers who discovered the flaw didn't publish their BadUSB exploit code. Now, however, two other hackers have worked out how to exploit BadUSB -- and they've published their code on Github for all to see. The pressure is now on device makers to actually fix the flaw before millions of users have their USB devices and peripherals exploited -- which is a problem, because there's really no easy fix for BadUSB.

For the full low-down on BadUSB, I suggest you read our original story from July. In short, though, every USB device has a microcontroller -- a small chip that acts as an interface between the device (a keyboard, a flash drive) and the host (your PC). This chip often has software (firmware) that can be reprogrammed to do nefarious things, such as logging your keystrokes, infecting your PC with malware, or something much worse. BadUSB is highly dangerous for one key reason: It's very hard to detect, even for virus scanners.

The guys who originally discovered BadUSB -- Karsten Nohl and friends at SR Labs -- announced that the bug's existence in July, and presumably shared more details with device makers and the USB Implementers Forum, but they did not share actual proof-of-concept code for fear that other, slightly-less-benevolent hackers would use this zero-day vulnerability for nefarious purposes. Now, however, two hackers at Derbycon in Kentucky have discovered the same BadUSB flaw -- and, more importantly, they've published their proof-of-concept on Github. If you know what you're doing, you can grab the code and start exploiting USB devices straight away. Go wild: The first person to write a self-replicating worm that key logs passwords and other sensitive data stands to make millions -- nay, billions -- of dollars.

The two security researchers - Adam Caudill and Brandon Wilson -- justified their release to the Derbycon audience with the following: "The belief we have is that all of this should be public. It shouldn't be held back. So we're releasing everything we've got. This was largely inspired by the fact that [SR Labs] didn't release their material. If you're going to prove that there's a flaw, you need to release the material so people can defend against it." Their rationale, while somewhat reckless, isn't entirely misguided: BadUSB is potentially a huge issue, and someone needs to light a fire under the collective derriere of USB device makers so that they actually try to fix it. As always with vulnerabilities like this, it's impossible to say how long it's been used -- by black hat hackers, by the NSA -- before someone like Kohl, Caudill, or Wilson publicly discloses it.

Caudill and Wilson succeeded in reprogramming the firmware of a Phison USB microcontroller, so that when it's plugged into a host computer it impersonates a keyboard that types whatever keystrokes the attacker wants. This hacked USB microcontroller could be inside a thumb drive, mouse, printer -- it doesn't matter. Phison is one of the world's largest makers of USB microcontrollers -- and it's important to note that, at least as far as we know, it's only Phison microcontrollers that have had their firmware reprogrammed by hackers. Other microcontrollers are probably vulnerable in a similar way, but no one has published any vulnerabilities… yet.

Moving forward, the problem with BadUSB -- other than the fact that it's very hard to detect -- is that it's almost impossible to plug the hole. Short of the host (your PC) ensuring that the USB device hasn't had its firmware meddled with -- something that would require the host to check with a global database of firmware cryptographic signatures -- there isn't really a solution. Future devices could avoid using reprogrammable USB microcontrollers, instead opting for hard-coded ASICs or ROMs -- but in many cases that might not be financially possible.

For the time being, the best mitigation against BadUSB and other similar exploits is to maintain good security practices: Keep your software up-to-date, don't open any files you don't recognize, and -- a bit like safe sex - don't plug any devices into your computer unless you know where they've been.

[Source: By Sebastian Anthony, Extreme Tech, 03Oct14]

Tienda de Libros Radio Nizkor On-Line Donations

Privacy and counterintelligence
small logoThis document has been published on 07Oct14 by the Equipo Nizkor and Derechos Human Rights. In accordance with Title 17 U.S.C. Section 107, this material is distributed without profit to those who have expressed a prior interest in receiving the included information for research and educational purposes.