​

Security researchers have found a fundamental flaw that could affect billions of USB devices. This flaw is so serious that, now that it has been revealed, you probably shouldn’t plug a USB device into your computer ever again. There are no known effective defenses against this variety of USB attack, though in the future (months or years, not days) some limited defenses might be possible. This vulnerability, which allows any USB device to take over your computer, mostly exists due to the USB Implementers Forum (the USB standards body) eschewing security in favor of maximizing the versatility, and thus the massively successful adoption, of USB. The USB IF itself notes that your only defense against this new attack vector is to only use USB devices that you 100% trust — but even then, as we’ll outline below, this won’t always protect you.

This flaw, dubbed BadUSB by Security Research Labs in Berlin, leverages the fact that every USB device has a controller chip. Whether it’s your PC, smartphone, external hard drive, or an audio breakout box, there’s a USB controller chip in every device that controls the USB connection to other devices. It turns out, according to SR Labs, that these controllers have firmware that can be reprogrammed to do a whole host of malicious things — and, perhaps most importantly, this reprogramming is almost impossible to detect.


The USB controller chip is the big chip in the middle (they don’t usually have a skull silkscreened onto them though).

This vulnerability mostly stems from the fact that USB, by design, is incredibly versatile. USB can be used to connect just about any kind of peripheral to a host machine — an ability that is only possible because of USB classes and class drivers. Basically, every USB device under the sun has a class — a classification that defines the device’s function. Some common classes are human-interface devices (HIDs; keyboards, mice), wireless controller (Bluetooth dongles), and mass storage (thumb drives, digital cameras). On the host (your PC, your smartphone) there are class drivers that manage the functions of that particular class of devices. This is why you can plug a USB keyboard into just about any device and it’ll work flawlessly.

USB hacking isn’t a new thing — but this is the first time that an attack vector hasn’t required extra chips and circuit boards, making a whole lot more dangerous.

The problem, according to SR Labs, is that these USB controllers can have their firmware reprogrammed so that they announce themselves as a different class. For example, you could reprogram a mass storage device so that it masquerades as a network controller, so that all of your network communications (websites, passwords) get redirected to the device. Or, even worse, you could reprogram the firmware of a thumb drive so that it becomes a HID, and can thus issue keyboard and mouse commands to the host machine. These commands might be used to install malware, or to rewrite the firmware of other attached USB devices. Suddenly you are sitting on a computer worm of Conficker proportions that could take down most of the world’s devices.

USB hacking isn’t a new thing — but this is the first time that an attack vector hasn’t required extra chips and circuit boards, making a whole lot more dangerous.​

While finding a security hole in USB isn’t exactly a surprise, the main issue here is that there’s no immediate fix. As of today, there could be billions of USB devices out there with firmware that could be reprogrammed by a computer virus — and, according to SR Labs, it’s impossible to spot the modified firmware unless you know exactly where to look. (It took months for SR Labs to reverse engineer the controller firmware, and it doesn’t sound like they’re giving up their secrets any time soon.) The security researchers also say that malware scanners can’t access the firmware of a USB device — so you can forget about that angle, too. SR Labs says it will release more details and proof-of-concept tools at Black Hat 2014 on August 7.

PS/2 mouse and keyboard sockets: Still safe​

It would be possible to mitigate against this attack in the future if every device maker signed their firmware, and then your computer checked that signature every time you plugged the device in — but I suspect, given the scale of the USB device ecosystem, such a change would take months or years to adopt. Another option would be designated USB ports on your computer — so, you might have a port that only accepts mass storage devices, and is completely incapable of handling other classes of USB device.

Ultimately, though, the only real mitigation is ensuring you only use USB devices that you trust. It’s basically like unprotected sex: If you plug your USB memory stick into another computer, you should then assume that your memory stick is forever compromised. The problem with this approach, though, is that your own computer could infect your USB devices without you knowing — and unless you’re a very careful surfer, it’s very hard to keep your computer completely malware-free. Which brings us back to the beginning of the story: Maybe it’s just best if you don’t use USB for a while.

Fortunately my cupboard is full of PS/2 keyboards, parallel printers, and stacks of rewritable DVDs for exactly this kind of apocalyptic occasion…

Source: ExtremeTech

 

whoa this looks a way too dangerous, i know for sure that nobody will plug anything to my computer anymore !

thank for the information tho!

 

Great article. I'm amused however how this story is apparently propagated as a new finding. It's been a well-known fact to USB device developers for years and you don't have to reverse-engineer controller firmware to build a custom mass storage stick that doubles as a hidden keyboard HID, bluetooth device or whatever. You can download appropriate pic or atmel code from many forums and build one at home.

What does come into my mind while reading this is that we can expect more "malicious manufacturers" building "badUSB" devices, and signing the firmware will not prevent that, it'll only prevent modifying it, at best.
USB devices also serve as an obvious platform for espionage devices, so the best bet might be the implementation of usb data monitoring plus some kind of usb firewall and 100% RF shielding of these devices so they cannot communicate over the air ... a fairly odd approach, I admit
Maybe I should start selling nifty USB stick shielding boxes with built-in firewall and LEDs showing which classes the stick has been trying to register as

Remember when many years ago, some chinese manufacturer modified the USB controller code to make 1GB flash memory report as 2GB to the OS?
Only after crossing the 1GB capacity limit, the user would notice and overwrite other data previously written onto the stick.
What a lame short-term revenue-boosting trick

Ah, BTW, how are PS/2 sockets safe if you can purchase tiny adapters to plug in-between the socket and the keyboard cable for sniffing and recording everything that is typed on the victim machine, including all logins and passwords? How often would you turn to the back side of your PC to check if such a dongle is attached?
Again, such gadgets exist since years.
Dutch Elektuur electronics magazine once sketched a similar DIY circuit that would be powered directly off the PS/2 supply, although its main purpose was to receive IR transmitter codes and translate into keyboard keys or key combinations.

 

Oh well I'm screwed either way, not backing up is a bad option and now backing up is a bad option

 

hahaha that's funny

 

OK, this all sounds bad but *please* guys, don't be too paranoid about it!
Plugging in an unknown USB stick you found somewhere left on a café table is certainly a bad idea, but backing up your data into some cloud service is still 200 times more insecure than saving your files to the USB hard drive you purchased from Amazon last month.

Just think of all the people and machines and software involved in handling your (confidential?) data.
And think about how at least one of them might not be able to resist selling that data for maybe a small amount of money, or companies granting access to your data for government institutions, where even more people have access to your data.

OK ok, I'll stop here *yes*

 

Oh yes. USB is a lot safer than all this cloud sh*t.
How many Cloud users encrypt their datas ? How many know if they encrypt, they are tracked because they are more suspicious ?
How many Cloud users still have a REALLY safe copy ? There are already countless history of Apple account hacking with security questions and such.

Facebook, Google and more already sell your data content stats.

Cut your internet connection NOW ! and backup your datas in your friend or family's house

I'm paranoid...but frankly i don't care. If all those sh*ts bore me too much...i will simply drop them.

 

I probably should NOT mention it here due to the chance that EVIL PEOPLE MAY BE READING THIS !!!!

But...

This has been known in Asia for quite some time - the EVIL people simply use it differently here....

for YEARS the EVIL have sold EXTERNAL USB HARD DRIVES that are merely paperweights... and inside a small (perhaps 1gig USB drive) posing as a 2TB hard drive, etc...


If a buyer MEETS from craigslist or the sorts and plugs it to their laptop... they reformat it and it looks like a 2TB drive.... thats USUALLY when most people pay and walk away - never to see the seller again...


Those who KNOW this.. simply move a metric arseton of data to a potential buy... to make sure it actually HOLDS THAT MUCH DATA...

 

Sounds like all these companies will have to dump iLok and other dongles

Oh Well :dancing:

 

fiction
It's not a new problem but it's because of the attack vector that there's so much fuss about it now.

Everyone
I wanted to make a comment when I posted that I think the article is somewhat sensationalism. Yes people should be careful but there will no doubt be a million firmware flaws discovered in just about every device or technology you use. People are a lot less careful about their internet footprint like Pip pointed out. I just wanted to put it out there so people are aware, what you decide to do with that information is up to you.

 

humm
in the old times I have panic when a client comes with 5.25 or 3.5 writable disc (if it works).
Today they came with usbs but with OSX no worries for now *no*

 

Not very likely though. I think those companies are more interested in revenue than in the user.

 

Ilok 2, here we go

Also... Is "Watchdogs" video game a coincidence regarding our future's real world?

 

we worked out such stuff with a friend... keylogger keyboard... in... 2009... inspired by some work from... 2007.

Good FUD. Almost a decade old. But still good.
You need physical access to use USB as an attack vector. If a malicious 3rd party can get in your house, your usb port is the least of your concern.

 

@Catalyst: Your post made many of us re-think about what we do, and that's a good thing.

@Ovalf: The USB class hack will work on any system that supports auto-detection of such devices, like Windows, Linux, MacOSX, ...

@PMS:

That's very true - who cares if someone has stolen your problems

What the article states however, is that you do *not* need physical access to the computer. A virus or trojan, for example, might be able to re-program the USB controller chip so the USB device is turned to the dark side


For the techies:
Want to DIY such a USB stick easily? Check the USB Rubber Ducky
This needn't necessarily be used for bad - You could let the stick execute a combination of scripts and commands to control machines without monitor or keyboard attached.

Want to hack an off-the-shelf stick? Check Richard Harman's presentation which goes one step further by considering infection of your host BIOS. (also shows how to sniff USB at home using Wireshark)

I especially like the AUDIO-based bridging of air gaps idea! Tweeting in its best shape

 

Yeah but, again, if they can already run malicious code on your computer then you have bigger problems.

 

somebody ask the meaning of "Ironic"????

 

The cue is the name "universal serial bus"

 

This is interesting. I've made usb game controllers, opened them up and put a usb splitter inside, then soldered the controllers wires to the usb splitter and put a flash drive in the other usb port. This was to be able to carry a game controller that doubled as a portable (emulated) game console (with all the old school games up to the Playstation 1 and N64). This was made as a christmas gift for my 10 year old brother. The one thing that windows would not let me do was make it plug and play however, because windows (as far back as Vista) doesn't allow any USB device to auto boot any program when plugged in (for valid security reasons). My desire was to plug the device in and have it pull up all the arcade frontend software from the get go, without having to go in and manually open the software.

If all this is true, then there must be a way to do it. Which makes me want to figure it out for sure.

 

You can make a shortcut to run whatever the file on that drive is from your desktop. Or you can remove the Windows Update KB971029 that restricted this functionality to only CD and DVD drives if you're using Windows 7 but that will be system wide. You can also make a quick change to the registry but I believe that is system wide as well. Or you can use this simple utility that requires no changes to your USB drive and runs in your system tray to restore that functionality: APUSB 47