7/31/2014
04:25 PM

USB Hardware Easily Subverted, Researchers Claim

Security researchers say they can reprogram USB controller chips to hijack USB devices and connected computers.


USB hardware is insecure and there's no effective defense, a pair of security researchers claim.

In a coming presentation at Black Hat USA 2014, Karsten Nohl and Jacob Lell plan to demonstrate a proof-of-concept attack on USB devices they're calling BadUSB.

The researchers, who work with Security Research Labs in Berlin, claim that USB devices can easily be reprogrammed to execute malware.

Such compromised devices "can emulate a keyboard and issue commands on behalf of the logged-in user, for example to exfiltrate files or install malware," the pair explained in a blog post. They also can pretend to be a network card and reroute network traffic by altering DNS settings. Or they can detect when an attached computer begins to boot up and install a virus before the operating system loads, thereby infecting an existing operating system or one that has been newly installed; this nullifies a standard defense against malware -- reinstallation of the operating system. The attack can even rewrite a computer's BIOS, offering another way to preempt security measures implemented in the operating system.


Beyond avoiding untrusted USB devices, there appears to be very little that can be done at present to mitigate this risk.

"No effective defenses from USB attacks are known," the pair states. "Malware scanners cannot access the firmware running on USB devices. USB firewalls that block certain device classes do not (yet) exist."
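The device-class blocking the researchers mention can be pictured as an allowlist over the interface descriptors a device presents when it enumerates. The sketch below is an added example, not code from the article or from the researchers; the roles, policy table, and sample descriptors are constructed for illustration, and only the interface class codes are the standard USB values.

```python
# Added illustration: a device-class allowlist of the kind a "USB firewall" would apply.
# Class codes are the standard USB values; the policy and the samples are constructed.
HID, MASS_STORAGE, CDC_COMM, CDC_DATA = 0x03, 0x08, 0x02, 0x0A

# Hypothetical policy: interface classes permitted for each role the user expects.
ALLOWED = {
    "storage": {MASS_STORAGE},
    "keyboard": {HID},
    "network": {CDC_COMM, CDC_DATA},
}

def describe(cls, sub, proto):
    """Name the interface types the article lists as abusable."""
    if cls == HID and proto == 0x01:
        return "HID keyboard (can type commands as the logged-in user)"
    if cls == HID:
        return "HID input device (may act as a keyboard)"
    if cls == CDC_COMM and sub == 0x06:
        return "CDC Ethernet adapter (can offer network settings such as DNS)"
    if cls == MASS_STORAGE:
        return "mass storage"
    return f"class 0x{cls:02x}"

def evaluate(expected_role, interfaces):
    """Return (verdict, reasons) for a device's interface descriptors.

    interfaces: list of (bInterfaceClass, bInterfaceSubClass, bInterfaceProtocol),
    the per-interface values Linux exposes in sysfs under those names.
    """
    allowed = ALLOWED.get(expected_role, set())  # unknown role: nothing allowed
    reasons = [
        f"unexpected interface for a {expected_role} device: {describe(*i)}"
        for i in interfaces if i[0] not in allowed
    ]
    return ("block" if reasons else "allow", reasons)

# Constructed samples: a plain flash drive, one that also enumerates as a
# keyboard, and one that also enumerates as an Ethernet adapter.
PLAIN_DRIVE = [(0x08, 0x06, 0x50)]
COMPOSITE_DRIVE = [(0x08, 0x06, 0x50), (0x03, 0x01, 0x01)]
DRIVE_WITH_NIC = [(0x08, 0x06, 0x50), (0x02, 0x06, 0x00), (0x0A, 0x00, 0x00)]

if __name__ == "__main__":
    for name, dev in [("plain", PLAIN_DRIVE), ("composite", COMPOSITE_DRIVE),
                      ("with-nic", DRIVE_WITH_NIC)]:
        print(name, *evaluate("storage", dev))
```

A policy like this only catches a device that presents an interface its user did not expect; a reprogrammed device that still enumerates only as the expected class passes.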

The threat looks to be theoretical, at least for a while.

"Fortunately, this type of attack has not been observed 'in the wild' yet," said Nohl in an email. "It would appear to only be a matter of time until we see actual abuse given the high gains and relatively low effort to implement such attacks."

However, the NSA, and presumably other intelligence agencies, have long been aware that USB hardware and connectors provide a path to compromising a target device. The NSA's Tailored Access Operations (TAO) group's implant catalog, leaked by Edward Snowden, contains three versions of a tool called Cottonmouth, a hacked USB connector that can send and receive data -- or exploit code -- wirelessly.

If Nohl and Lell succeed in demonstrating software to subvert USB devices, we might see more compromised USB devices. But untrusted hardware has long been a potential risk; the researchers' findings should underscore that fact. The upside for intelligence agencies is that henceforth they might be able to simply reprogram USB devices instead of rewiring them -- if they weren't already aware of this vulnerability.

A spokesperson for the USB Implementers Forum (USB-IF), the standards organization that develops and promotes USB specifications, said in an email that the group does not produce devices and cannot speak for specific manufacturers.

"The USB-IF agrees that consumers should always ensure their devices are from a trusted source and that only trusted sources interact with their devices," the group's spokesperson said. "...To prevent the spread of malware, consumers should only grant trusted sources with access to their USB devices."

The USB-IF spokesperson added that USB specifications support additional security, but equipment makers decide whether to implement these capabilities, which would entail greater cost.

The BlackHat security conference is owned by United Business Media, which also operates InformationWeek.


Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful ...

Comments
X3N0N,
User Rank: Apprentice
8/4/2014 | 12:32:55 PM
data theft via USB
In my opinion, data theft via USB has become an everyday job, but unfortunately are often the attentive users (data theft via USB) don't agree. Especially in personal computers make it easy for data theft.
Li Tan,
User Rank: Ninja
8/2/2014 | 5:14:25 AM
Re: USBs and the military / intelligence world
This post addressed on black spot. Hardly there is somebody pay attention to USB port. People get used to the convenience of plug and play. They can easily forget about the security issues. Furthermore, there is hardly somebody think about the possibility of hacking via USB port...
Thomas Claburn,
User Rank: Author
8/1/2014 | 7:43:43 PM
Re: USBs and the military / intelligence world
Well, clearly there's something wrong with the way USB devices are set up if they can be reprogrammed to overwrite the operating system or BIOS when inserted.
quantm,
User Rank: Apprentice
8/1/2014 | 2:55:32 PM
Re: NOT new!
Thank you for pointing out how this is not new, not even remotely new. It blows my mind that it is the topic of a BlackHat talk. I think next year I will submit a talk about the dangers of DNS Poisoning or maybe DDOS attacks.
asksqn,
User Rank: Ninja
8/1/2014 | 12:03:54 PM
Place Your Bets!
And still USB has its entire line of peripherals available for purchase with nary a warning at all.  I should start a pool to take bets as to how long before news hits the internet detailing the big trainwreck data breach/network hijacking event most likely coming from some low level government employee.  Of course it goes without saying it will be American citizens who will suffer since the feds don't give too much of a crap about securing personally identifying information.
Susan_Nunziata,
User Rank: Strategist
7/31/2014 | 11:59:40 PM
Re: Why are there no USB Firewalls yet?
@Thomas: most people I know who work outside of tech wouldn't think twice about sticking a USB they found into their computer, especially if it was one handed out as, say, a promotional item somewhere. Education is sorely lacking on this topic.
Susan_Nunziata,
User Rank: Strategist
7/31/2014 | 11:57:31 PM
Re: NOT new!
@CitizenT138: "If you want something to keep you up at night, consider that every DAY there are between 20K and 30K new pieces of malware released into the wild."

Yikes, thanks. Your mission is accomplished.

Your advice is completely sound and about the best that any of us can hope for in trying to avoid hackers who are way ahead of most home and business and even enterprise-scale efforts. Research I've seen generally indicated that plain old human error on the part of well-meaning employees is as big a danger to enterprise systems as anything else.

Yet most companies do very little to educate their employees about safe practices when it comes to using hardware and software (and clicking on those links!).
CitizenT128,
User Rank: Apprentice
7/31/2014 | 10:30:21 PM
NOT new!
This is as old as USB itself.  It's just a fact of life.  As long as you control what's plugged into your PC (or any other USB host device), it's not a problem.  I have known about this "threat" for over a decade, and for me- it's a non-issue.  USB devices have to be recognized by the device they're plugged into.  Generic things, like keyboards and mice and mass storage have default drivers (and any device- be it a USB stick, a mouse or just what looks like a plain cable, can be identified by a PC as any of those if the person who programmed it decided to have it be so).  Otherwise your PC is going to ask you to install a driver (which could be the actual malware).  Just pay attention.

If you want something to keep you up at night, consider that every DAY there are between 20K and 30K new pieces of malware released into the wild.  There's no way that Anti-Virus software can keep up with all of that.  The vast majority of those are thrown together with malware kits that don't require any real programming skills.  So those are just variations of existing (and detectable) malware, but there are a few unique pieces of code that are made by very skilled, even gifted programmers.  Some are from governments and other organizations and are very selective in what they target, and what they do once they infect a system.  Those are not a threat to me and you (unless you're a criminal, a terrorist, or someone has an interest in you and your activities and associates).  But some are from criminals, ID thieves targeting you and me and anyone with a bank account, a credit card, or a decent credit score.

Just be careful what you do, what websites you visit- no porn or gambling sites- which are more likely to give you a problem than not.  Don't put USB devices or media (like CDs and DVDs) into your machine unless you know where they're from and where they've been.  Don't open Email unless you know who sent it, and why (and try not to be fooled by spoofed messages).  Turn off your preview pane, so Emails don't get opened without you intentionally acting to open them.  (Yes, just opening or previewing an Email can infect you. So can opening a web page, even unintentionally or very briefly.)  And look at your bank and credit card activity every day or at least a few times a week.  Never pick up a USB stick or an SD card that isn't yours.  If you practice behavior that your Mom would approve, you are less likely to be a victim.

The people who want to hurt you are counting on being able to remain anonymous.  If you stick with who and what you know, behave like an upright citizen, and run some good security software you will probably be okay.  And Linux will not protect you from something pretending to be a keyboard or a mass storage device.
Jeff Jerome,
User Rank: Ninja
7/31/2014 | 10:10:29 PM
Re: USBs and the military / intelligence world
It is hard to imagine that the government would put sanctions on USB thumb drives but that would also need to translate to other USB devices.  It seems almost impossible to "Ban" this type of device, they are everywhere.  However as a security precaution, we may all want to reconsider how we use them and consider technology that would scan that device prior to allowing it to download anything to your computer.  But if we step back that can also translate to other products as well and other I/O devices. Theoretically you could gain access to a computer via a coded message on a microphone or even IR through a camera, that is attached via a USB cable too.  Lots of theories so little time, unless we cluster.
pcharles09,
User Rank: Moderator
7/31/2014 | 7:57:19 PM
Re: Why are there no USB Firewalls yet?
@Thomas C,

It's more common than you think. I've heard of hackers spraying USB sticks in corporate parking lots. Guess what happens within a day or two: Curious employees plug them in to either see what's on them OR format them to use for themselves. Either way, the botnet gets stronger.