Security researchers say they can reprogram USB controller chips to hijack USB devices and connected computers.

Thomas Claburn, Editor at Large, Enterprise Mobility

July 31, 2014

3 Min Read

iPhone 6: 8 Ideas Ripped From Rivals?

iPhone 6: 8 Ideas Ripped From Rivals?

iPhone 6: 8 Ideas Ripped From Rivals? (Click image for larger view and slideshow.)

USB hardware is insecure and there's no effective defense, a pair of security researchers claim.

In a coming presentation at Black Hat USA 2014, Karsten Nohl and Jacob Lell plan to demonstrate a proof-of-concept attack on USB devices they're calling BadUSB.

The researchers, who work with Security Research Labs in Berlin, claim that USB devices can easily be reprogrammed to execute malware.

Such compromised devices "can emulate a keyboard and issue commands on behalf of the logged-in user, for example to exfiltrate files or install malware," the pair explained in a blog post. They also can pretend to be a network card and reroute network traffic by altering DNS settings. Or they can detect when an attached computer begins to boot up and install a virus before the operating system loads, thereby infecting an existing operating system or one that has been newly installed; this nullifies a standard defense against malware -- reinstallation of the operating system. The attack can even rewrite a computer's BIOS, offering another way to preempt security measures implemented in the operating system.

[Smartphones take on yet another job. Read Hilton Turns Smartphones Into Room Keys.]

Beyond avoiding untrusted USB devices, there appears to be very little that can be done at present to mitigate this risk.

"No effective defenses from USB attacks are known," the pair states. "Malware scanners cannot access the firmware running on USB devices. USB firewalls that block certain device classes do not (yet) exist."

The threat looks to be theoretical, at least for a while.

"Fortunately, this type of attack has not been observed 'in the wild' yet," said Nohl in an email. "It would appear to only be a matter of time until we see actual abuse given the high gains and relatively low effort to implement such attacks."

However, the NSA, and presumably other intelligence agencies, have long been aware that USB hardware and connectors provide a path to compromising a target device. The NSA's Tailored Access Operations (TAO) group's implant catalog, leaked by Edward Snowden, contains three versions of a tool called Cottonmouth, a hacked USB connector that can send and receive data -- or exploit code -- wirelessly.

If Nohl and Lell succeed in demonstrating software to subvert USB devices, we might see more compromised USB devices. But untrusted hardware has long been a potential risk; the researchers' findings should underscore that fact. The upside for intelligence agencies is that henceforth they might be able to simply reprogram USB devices instead of rewiring them -- if they weren't already aware of this vulnerability.

A spokesperson for the USB Implementers Forum (USB-IF), the standards organization that develops and promotes USB specifications, said in an email that the group does not produce devices and cannot speak for specific manufacturers.

"The USB-IF agrees that consumers should always ensure their devices are from a trusted source and that only trusted sources interact with their devices," the group's spokesperson said. "...To prevent the spread of malware, consumers should only grant trusted sources with access to their USB devices."

The USB-IF spokesperson added that USB specifications support additional security, but equipment makers decide whether to implement these capabilities, which would entail greater cost.

The BlackHat security conference is owned by United Business Media, which also operates InformationWeek.

Consumerization means CIOs must grant personal devices access to corporate data and networks. Here's how to avoid loss and corruption. Get the new Mobile Security Action Plan issue of InformationWeek Tech Digest today (free registration required).

About the Author(s)

Thomas Claburn

Editor at Large, Enterprise Mobility

Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful master's degree in film production. He wrote the original treatment for 3DO's Killing Time, a short story that appeared in On Spec, and the screenplay for an independent film called The Hanged Man, which he would later direct. He's the author of a science fiction novel, Reflecting Fires, and a sadly neglected blog, Lot 49. His iPhone game, Blocfall, is available through the iTunes App Store. His wife is a talented jazz singer; he does not sing, which is for the best.

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like

More Insights