USB Hardware Easily Subverted, Researchers Claim - InformationWeek

7/31/2014
04:25 PM

Security researchers say they can reprogram USB controller chips to hijack USB devices and connected computers.

USB hardware is insecure and there's no effective defense, a pair of security researchers claim.

In a coming presentation at Black Hat USA 2014, Karsten Nohl and Jacob Lell plan to demonstrate a proof-of-concept attack on USB devices they're calling BadUSB.

The researchers, who work with Security Research Labs in Berlin, claim that USB devices can easily be reprogrammed to execute malware.

Such compromised devices "can emulate a keyboard and issue commands on behalf of the logged-in user, for example to exfiltrate files or install malware," the pair explained in a blog post. They also can pretend to be a network card and reroute network traffic by altering DNS settings. Or they can detect when an attached computer begins to boot up and install a virus before the operating system loads, thereby infecting an existing operating system or one that has been newly installed; this nullifies a standard defense against malware -- reinstallation of the operating system. The attack can even rewrite a computer's BIOS, offering another way to preempt security measures implemented in the operating system.

Beyond avoiding untrusted USB devices, there appears to be very little that can be done at present to mitigate this risk.

"No effective defenses from USB attacks are known," the pair states. "Malware scanners cannot access the firmware running on USB devices. USB firewalls that block certain device classes do not (yet) exist."
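As an added illustration (not code from the researchers or from this article), the following shows the kind of device-class check the quote refers to: it reads the interface classes a device announces in its USB configuration descriptor and names any that go beyond what the user expected to plug in. The function names and the sample descriptors are constructed for this example, and the check only sees what the device itself declares.

```python
import struct

# bInterfaceClass codes from the USB class list that match the roles above
CLASS_NAMES = {0x02: "communications/network", 0x03: "HID (keyboard, mouse)",
               0x08: "mass storage", 0xE0: "wireless controller"}

def interface_classes(config: bytes) -> list[int]:
    """Walk a raw configuration descriptor; return each interface's class."""
    classes, offset = [], 0
    while offset + 2 <= len(config):
        length, dtype = config[offset], config[offset + 1]
        if length < 2 or offset + length > len(config):
            raise ValueError(f"malformed descriptor at offset {offset}")
        if dtype == 0x04:                       # INTERFACE descriptor
            if length < 9:
                raise ValueError(f"short interface descriptor at {offset}")
            classes.append(config[offset + 5])  # bInterfaceClass
        offset += length                        # skip endpoint/other descriptors
    return classes

def undeclared_roles(config: bytes, expected: set[int]) -> list[str]:
    """Name every interface class the device announces beyond `expected`."""
    extra = sorted(set(interface_classes(config)) - expected)
    return [CLASS_NAMES.get(c, f"class 0x{c:02x}") for c in extra]

# --- constructed sample descriptors (not captured from real hardware) ---
def _iface(num, cls, sub, proto, endpoints):
    head = bytes([9, 4, num, 0, len(endpoints), cls, sub, proto, 0])
    return head + b"".join(bytes([7, 5, addr, attr, 0x40, 0, 0])
                           for addr, attr in endpoints)

def _config(*interfaces):
    body = b"".join(interfaces)
    return struct.pack("<BBHBBBBB", 9, 2, 9 + len(body),
                       len(interfaces), 1, 0, 0x80, 50) + body

STORAGE = _iface(0, 0x08, 0x06, 0x50, [(0x81, 2), (0x02, 2)])  # SCSI bulk-only
KEYBOARD = _iface(1, 0x03, 0x01, 0x01, [(0x83, 3)])            # boot keyboard
PLAIN_DRIVE = _config(STORAGE)
DRIVE_WITH_KEYBOARD = _config(STORAGE, KEYBOARD)

if __name__ == "__main__":
    for name, cfg in [("plain", PLAIN_DRIVE), ("drive+kbd", DRIVE_WITH_KEYBOARD)]:
        print(name, undeclared_roles(cfg, expected={0x08}) or "ok")
```
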

The threat looks to be theoretical, at least for a while.

"Fortunately, this type of attack has not been observed 'in the wild' yet," said Nohl in an email. "It would appear to only be a matter of time until we see actual abuse given the high gains and relatively low effort to implement such attacks."

However, the NSA, and presumably other intelligence agencies, have long been aware that USB hardware and connectors provide a path to compromising a target device. The NSA's Tailored Access Operations (TAO) group's implant catalog, leaked by Edward Snowden, contains three versions of a tool called Cottonmouth, a hacked USB connector that can send and receive data -- or exploit code -- wirelessly.

If Nohl and Lell succeed in demonstrating software to subvert USB devices, we might see more compromised USB devices. But untrusted hardware has long been a potential risk; the researchers' findings should underscore that fact. The upside for intelligence agencies is that henceforth they might be able to simply reprogram USB devices instead of rewiring them -- if they weren't already aware of this vulnerability.

A spokesperson for the USB Implementers Forum (USB-IF), the standards organization that develops and promotes USB specifications, said in an email that the group does not produce devices and cannot speak for specific manufacturers.

"The USB-IF agrees that consumers should always ensure their devices are from a trusted source and that only trusted sources interact with their devices," the group's spokesperson said. "...To prevent the spread of malware, consumers should only grant trusted sources with access to their USB devices."

The USB-IF spokesperson added that USB specifications support additional security, but equipment makers decide whether to implement these capabilities, which would entail greater cost.

The Black Hat security conference is owned by United Business Media, which also operates InformationWeek.

Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful ...

Comments
Thomas Claburn,
User Rank: Author
8/1/2014 | 7:43:43 PM
Re: USBs and the military / intelligence world
Well, clearly there's something wrong with the way USB devices are set up if they can be reprogrammed to overwrite the operating system or BIOS when inserted.
Susan_Nunziata,
User Rank: Strategist
7/31/2014 | 11:59:40 PM
Re: Why are there no USB Firewalls yet?
@Thomas: most people I know who work outside of tech wouldn't think twice about sticking a USB they found into their computer, especially if it was one handed out as, say, a promotional item somewhere. Education is sorely lacking on this topic.
Susan_Nunziata,
User Rank: Strategist
7/31/2014 | 11:57:31 PM
Re: NOT new!
@CitizenT138: "If you want something to keep you up at night, consider that every DAY there are between 20K and 30K new pieces of malware released into the wild."

Yikes, thanks. Your mission is accomplished.

Your advice is completely sound and about the best that any of us can hope for in trying to avoid hackers who are way ahead of most home and business and even enterprise-scale efforts. Research I've seen generally indicated that plain old human error on the part of well-meaning employees is as big a danger to enterprise systems as anything else.

Yet most companies do very little to educate their employees about safe practices when it comes to using hardware and software (and clicking on those links!).
David F. Carr,
User Rank: Author
7/31/2014 | 6:38:48 PM
USBs and the military / intelligence world
The Department of Defense tried imposing an absolute ban on USB removable storage a few years ago but eventually wound up allowing exceptions selectively. USBs were apparently a factor in the Edward Snowden leak scandal as well. One challenge: USB has become the standard interface for connecting all sorts of gadgets to a PC, including keyboard and mouse. Maintaining an absolute ban might make a lot of sense -- except that it's impossible to maintain.
Thomas Claburn,
User Rank: Author
7/31/2014 | 5:14:51 PM
Re: Why are there no USB Firewalls yet?
I wonder what percentage of people insert thumb drives they find somewhere? Just leaving compromised USB sticks in hotels and in bars is probably a very efficient way to create a botnet.