BadUSB, meaning bad and not in a good way, is a critical security flaw
detected last year that has become a main point of interest for users.
Security researchers Karsten Nohl and Jakob Lell first presented the concept,
demonstrating a collection of proof-of-concept malicious software
that highlights how the security of USB devices has long been
fundamentally broken. The malware they created, called BadUSB, can be
installed on a USB device to completely take over a PC, invisibly
alter files installed from the memory stick, or even redirect the
user’s internet traffic. Since BadUSB resides not in the flash
memory storage of USB devices, but in the firmware that controls
their basic functions, the attack code can remain hidden long after
the contents of the device’s memory would appear to the average
user to be deleted.

The problem isn’t limited to thumb drives. All manner of USB devices,
from keyboards and mice to smartphones, have firmware that can be
reprogrammed. In addition to USB memory sticks, Nohl and Lell say
they’ve also tested their attack on an Android handset plugged into
a PC. And once a BadUSB-infected device is connected to a computer,
Nohl and Lell describe a grab bag of evil tricks it can play. It can,
for example, replace software being installed with a corrupted or
backdoored version. It can even impersonate a USB keyboard to
suddenly start typing commands.

The element of Nohl and Lell’s research that elevates it above the
average theoretical threat is the notion that the infection can
travel both from computer to USB and vice versa. Any time a USB stick
is plugged into a computer, its firmware could be reprogrammed by
malware on that PC, with no easy way for the USB device’s owner to
detect it. And likewise, any USB device could silently infect a
user’s computer. “It goes both ways,” Nohl says. “Nobody can
trust anybody”.

We know that every USB device has a microcontroller which acts as
an interface between the device (a keyboard, a flash drive) and the
host (your PC). The microcontroller contains software that can be
reprogrammed to do nefarious things, such as logging your keystrokes,
infecting your PC with malware, or something much worse. This makes
BadUSB highly dangerous and very hard to detect, even for virus scanners.
This occasional reformatting keeps our thumbdrives from becoming
the carrier of the malware epidemic.

BadUSB potentially gave hackers the ability to hijack or subvert billions of
USB devices, from keyboards to printers to thumb drives. At the time,
due to the severity of the issue, the researchers who discovered the
flaw didn’t publish their BadUSB exploit code. Now, however, two
other hackers have worked out how to exploit BadUSB, and they’ve
published their code on GitHub for all to see.
The pressure is now on device makers to actually fix the
flaw before millions of users have their USB devices and peripherals
exploited, which is a problem, because there’s really no easy fix
for BadUSB.

IMPACT OF BadUSB ATTACK

Once reprogrammed, devices can turn malicious in many ways, including:
1. A device can emulate a keyboard and issue commands on behalf of the
logged-in user, for example to exfiltrate files or install malware.
Such malware, in turn, can infect the controller chips of other USB
devices connected to the computer.
2. The device can also spoof a network card and change the computer’s DNS
setting to redirect traffic.
3. A modified thumb drive or external hard disk can, when it detects that
the computer is starting up, boot a small virus, which infects the
computer’s operating system prior to boot.
4. No effective defences from USB attacks are known. Malware scanners
cannot access the firmware running on USB devices. Behavioural
detection is difficult since behaviour of an infected device may look
as though a user has simply plugged in a new device. Blocking or
allowing specific USB device classes and device IDs is possible;
however, generic lists can easily be bypassed. Pre-boot attacks may be
prevented by use of a BIOS password and booting only to the hard
drive.
5. Simply reinstalling the operating system, the standard response to otherwise
ineradicable malware, does not address BadUSB infections at their
root. The USB thumb drive, from which the operating system is
reinstalled, may already be infected, as may the hardwired webcam or
other USB components inside the computer. A BadUSB device may even
have replaced the computer’s BIOS – again by emulating a keyboard
and unlocking a hidden file on the USB thumb drive.
6. Once infected, computers and their USB peripherals can never be trusted
again.
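
The device-class and device-ID blocking mentioned in point 4, as an added example (not code from Nohl and Lell or from this page): it compares an ID-only allowlist with one that also pins the interface classes each ID may expose. The `Device` type, the policy table and the descriptor records are constructed for illustration; the class codes are the standard USB ones.

```python
"""Added example: ID-only vs. interface-pinned USB allowlisting (constructed data)."""
from dataclasses import dataclass

# Standard USB base class codes relevant to the behaviours listed above.
CLASS_NAMES = {0x02: "CDC communications", 0x03: "HID", 0x08: "mass storage",
               0x0A: "CDC data", 0xE0: "wireless controller"}


@dataclass(frozen=True)
class Device:
    vid: int
    pid: int
    interfaces: tuple   # bInterfaceClass of every interface in the descriptor


# Hypothetical policy: each approved VID:PID mapped to the classes it may expose.
PINNED = {
    (0x1234, 0x0001): {0x08},   # approved thumb drive: storage only
    (0x1234, 0x0002): {0x03},   # approved keyboard: HID only
}


def id_only_allows(dev):
    """Generic allowlist: trusts whatever VID:PID the firmware reports."""
    return (dev.vid, dev.pid) in PINNED


def pinned_verdict(dev):
    """Return (allowed, reasons); every interface must be in the pinned set."""
    allowed = PINNED.get((dev.vid, dev.pid))
    if allowed is None:
        return False, ["unknown device ID"]
    extra = sorted(set(dev.interfaces) - allowed)
    reasons = [f"unexpected {CLASS_NAMES.get(c, 'class')} interface (0x{c:02x})"
               for c in extra]
    return not reasons, reasons


# Constructed descriptors, as a host would read them at enumeration time.
SAMPLES = {
    "clean drive": Device(0x1234, 0x0001, (0x08,)),
    "drive + keyboard": Device(0x1234, 0x0001, (0x08, 0x03)),
    "drive + network": Device(0x1234, 0x0001, (0x08, 0x02, 0x0A)),
    "unlisted": Device(0xABCD, 0x0009, (0x08,)),
}

if __name__ == "__main__":
    for name, dev in SAMPLES.items():
        print(f"{name:18} id-only={id_only_allows(dev)!s:5} pinned={pinned_verdict(dev)}")
```

Pinning interface classes only catches a device that starts exposing a new function; firmware that misbehaves inside its approved class, such as a drive that alters the files it serves, still passes.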

Implementing that new security model will first require convincing device makers
that the threat is real. The alternative, Nohl says, is to treat USB
devices like hypodermic needles that can’t be shared among users, a
model that sows suspicion and largely defeats the devices’ purpose.
Also, USB chipset manufacturers can start hardening their firmware so
it can't be easily modified. Security companies can start adding
programs to check USB devices for unauthorized firmware alterations.

One way to prevent attacks would be for manufacturers to require signed
firmware updates for USB controllers or to disable the ability to
change the firmware once a device leaves the factory. Some vendors
might already do this, but many don’t. And even if more
manufacturers start doing this, the millions of existing insecure USB
thumb drives will linger on for years and users will have a hard time
telling them apart.

BadUSB is a real threat that has serious consequences for computer hardware
input devices. The only true protection that users have against
BadUSB is to avoid the usage of USB drives and devices, along with
covering USB ports to prevent infected devices from being plugged in.