Bad USB

Bad USB meaning bad not in a good way, is a critical security flaw detected last year has become a main point of interest for users.Security researchers Karsten Nohl and Jakob Lell first presented the concept, demonstrating a collection of proof-of-concept malicious software that highlights how the security of USB devices has long been fundamentally broken. The malware they created, called BadUSB, can be installed on a USB device to completely take over a PC, invisibly alter files installed from the memory stick, or even redirect the user’s internet traffic. Since BadUSB resides not in the flash memory storage of USB devices, but in the firmware that controls their basic functions, the attack code can remain hidden long after the contents of the device’s memory would appear to the average user to be deleted.

The problem isn’t limited to thumb drives. All manner of USB devices from keyboards and mice to smartphones have firmware that can be reprogrammed, in addition to USB memory sticks, Nohl and Lell say they’ve also tested their attack on an Android handset plugged into a PC. And once a BadUSB-infected device is connected to a computer, Nohl and Lell describe a grab bag of evil tricks it can play. It can, for example, replace software being installed with a corrupted or backdoored version. It can even impersonate a USB keyboard to suddenly start typing commands.

The element of Nohl and Lell’s research that elevates it above the average theoretical threat is the notion that the infection can travel both from computer to USB and vice versa. Any time a USB stick is plugged into a computer, its firmware could be reprogrammed by malware on that PC, with no easy way for the USB device’s owner to detect it. And likewise, any USB device could silently infect a user’s computer. “It goes both ways,” Nohl says. “Nobody can trust anybody”.

We know that every USB device has a microcontroller which acts as an interface between the device (a keyboard, a flash drive) and the host (your PC). This contains software that can be reprogrammed to do nefarious things, such as logging your keystrokes, infecting your PC with malware, or something much worse. This makes BadUSB highly dangerous; very hard to detect, even for virus scanners. This occasional reformatting keeps our thumbdrives from becoming the carrier of the malware epidemic. 

BadUSB potentially gave hackers the ability to hijack or subvert billions of USB devices, from keyboards to printers to thumb drives. At the time, due to the severity of the issue, the researchers who discovered the flaw didn’t publish their BadUSB exploit code. Now, however, two other hackers have worked out how to exploit BadUSB and they’ve published their code on Github for all to see. The pressure is now on device makers to actually fix the flaw before millions of users have their USB devices and peripherals exploited, which is a problem, because there’s really no easy fix for BadUSB.

IMPACT OF BadUSB ATTACK

Once reprogrammed, devices can turn malicious in many ways, including:

1.A device can emulate a keyboard and issue commands on behalf of the logged-in user, for example to exfiltrate files or install malware. Such malware, in turn, can infect the controller chips of other USB devices connected to the computer.

2.The device can also spoof a network card and change the computer’s DNS setting to redirect traffic.

3.A modified thumb drive or external hard disk can, when it detects that the computer is starting up, boot a small virus, which infects the computer’s operating system prior to boot.

4.No effective defences from USB attacks are known. Malware scanners cannot access the firmware running on USB devices. Behavioural detection is difficult since behaviour of an infected device may look as though a user has simply plugged in a new device. Blocking or allowing specific USB device classes and device IDs is possible, however generic lists can easily be bypassed. Pre-boot attacks may be prevented by use of a BIOS password and booting only to the hard drive.

5.Simply reinstalling the operating system, the standard response to otherwise ineradicable malware, does not address BadUSB infections at their root. The USB thumb drive, from which the operating system is reinstalled, may already be infected, as may the hardwired webcam or other USB components inside the computer. A BadUSB device may even have replaced the computer’s BIOS – again by emulating a keyboard and unlocking a hidden file on the USB thumb drive.

6.Once infected, computers and their USB peripherals can never be trusted again.

Implementing that new security model will first require convincing device makers that the threat is real. The alternative, Nohl says, is to treat USB devices like hypodermic needles that can’t be shared among users, a model that sows suspicion and largely defeats the devices’ purpose. Also, USB chipset manufacturers can start hardening their firmware so it can't be easily modified. Security companies can start adding programs to check USB devices for unauthorized firmware alterations.

One way to prevent attacks would be for manufacturers to require signed firmware updates for USB controllers or to disable the ability to change the firmware once a device leaves the factory. Some vendors might already do this, but many don’t. And even if more manufacturers start doing this, the millions of existing insecure USB thumb drives will linger on for years and users will have a hard time telling them apart.

BadUSB is a real threat that has serious consequences for computer hardware input devices. The only true protection that users have against BadUSB is to avoid the usage of USB drives and devices, along with covering USB ports to prevent infected devices from being plugged in.