BadUSB hasn’t gone from bad to worse necessarily, but it sure has reached a new state of confusion for security experts and consumers in the crosshairs.
Researcher Karsten Nohl, who warned the world during Black Hat last summer that the controller chips in most USB devices could be reprogrammed to behave badly, has dug deeper into the problem. Nohl’s Black Hat research was limited to chips built by Phison Electronics Corp., of Taiwan, the market share leader. But his most recent effort looked long and hard into the top eight chips populating not only USB sticks, but just about anything that connects to a computer over USB, and determined that some can be reprogrammed, some cannot, and some might be reprogrammable under certain conditions.
The real kicker, however, is that USB device makers indiscriminately flip-flop between these chips depending on price and availability, meaning that not all USBs are alike—not even those in the same product line. Determining which chips are risky requires physically dismantling and examining the chip in the particular USB device.
“Of the 60 or so chip families we looked at from the eight vendors, not a single one consciously disabled the ability to be reprogrammed,” Nohl said, clarifying that even where chips could not be modified, it was because of a design decision made to suit a particular purpose and not for security reasons.
Nohl demonstrated during Black Hat how his attack code—which has not been released—could overwrite USB firmware and turn a USB device into anything. A flash drive plugged into a PC could, for example, emulate a keyboard and issue commands that steal data from the machine, spoof a computer’s network interface and redirect traffic by altering DNS settings, or load malware from a hidden partition on the drive. The attack is undetectable and does not exploit a vulnerability in the code; it simply takes advantage of the way USB devices are supposed to behave.
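The one thing a host does see from a reprogrammed device is what it advertises at enumeration time: a "flash drive" that suddenly presents a HID (keyboard) or CDC (network) interface alongside mass storage. The script below is an added example, not SR Labs code or anything from the article, that checks enumerated devices against a hypothetical approved-device inventory and flags those combinations. The dump format, the inventory and the VID:PID pairs are constructed sample values; the interface class codes are the USB-IF ones.

```python
"""Enumeration-time check for USB devices that present interfaces their
inventory entry does not allow (a drive that also claims to be a keyboard or
a network adapter). Added example; not SR Labs code."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# USB-IF interface class codes (bInterfaceClass).
CDC = 0x02            # communications control (USB Ethernet / NCM)
HID = 0x03            # keyboards and mice
MASS_STORAGE = 0x08
CDC_DATA = 0x0A       # communications data
CLASS_NAMES = {CDC: "CDC", HID: "HID", MASS_STORAGE: "Mass Storage", CDC_DATA: "CDC-Data"}

# Hypothetical approved-device inventory (constructed values):
# VID:PID -> (role, interface classes that role is allowed to present).
INVENTORY: Dict[Tuple[int, int], Tuple[str, Set[int]]] = {
    (0x0781, 0x5567): ("flash drive", {MASS_STORAGE}),
    (0x046D, 0xC31C): ("keyboard", {HID}),
}


@dataclass(frozen=True)
class UsbEvent:
    port: str
    vid: int
    pid: int
    serial: str
    interfaces: Tuple[int, ...]   # one bInterfaceClass per interface


def parse_dump(text: str) -> List[UsbEvent]:
    """Parse a constructed one-device-per-line dump of the form
    '<port> <vid>:<pid> serial=<s> interfaces=<hex,hex,...>',
    i.e. what a walk over /sys/bus/usb/devices could be reduced to."""
    events = []
    for line in text.strip().splitlines():
        port, ids, serial_kv, ifaces_kv = line.split()
        vid, pid = (int(x, 16) for x in ids.split(":"))
        serial = serial_kv.split("=", 1)[1]
        ifaces = tuple(int(x, 16) for x in ifaces_kv.split("=", 1)[1].split(","))
        events.append(UsbEvent(port, vid, pid, serial, ifaces))
    return events


def _names(classes) -> str:
    return ", ".join(CLASS_NAMES.get(c, f"0x{c:02x}") for c in sorted(classes))


def check_event(ev: UsbEvent) -> List[str]:
    """Return findings for one enumerated device; an empty list means nothing to report."""
    findings = []
    ident = f"{ev.vid:04x}:{ev.pid:04x} serial={ev.serial} on {ev.port}"
    present = set(ev.interfaces)
    entry = INVENTORY.get((ev.vid, ev.pid))
    if entry is None:
        findings.append(f"unknown device {ident} presenting {_names(present)}")
    else:
        role, allowed = entry
        extra = present - allowed
        if extra:
            findings.append(f"{role} {ident} presents unexpected interface(s): {_names(extra)}")
    # Inventory-independent rule: storage bundled with input or networking is the
    # combination a reprogrammed drive needs to type commands or redirect traffic.
    rogue = present & {HID, CDC, CDC_DATA}
    if MASS_STORAGE in present and rogue:
        findings.append(f"storage+{_names(rogue)} composite {ident}")
    return findings


def audit(text: str) -> Dict[str, List[str]]:
    """Map port -> findings for every device in the dump that produced any."""
    return {ev.port: f for ev in parse_dump(text) if (f := check_event(ev))}


# Constructed sample: two legitimate devices, two drives with extra interfaces,
# and one device that is not in the inventory at all.
SAMPLE_DUMP = """
1-1 0781:5567 serial=4C530001 interfaces=08
1-2 046d:c31c serial=none interfaces=03,03
1-3 0781:5567 serial=4C530002 interfaces=08,03
1-4 0781:5567 serial=4C530003 interfaces=08,02,0a
1-5 1a2b:3c4d serial=XYZ interfaces=03
"""

if __name__ == "__main__":
    for port, findings in audit(SAMPLE_DUMP).items():
        for line in findings:
            print(f"[{port}] {line}")
```

The check is deliberately narrow: it only sees what a device advertises when it enumerates, so a reprogrammed stick that behaves like plain storage until triggered passes cleanly, which is exactly Nohl's point that you cannot look at a device and conclude it is safe. Its value is in catching the moment the device changes its story, and in logging first-seen devices.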
Nohl’s research was a two-phase exercise. The first phase, he said, was based on the available specs for the eight leading controller chips from vendors Phison, Alcor, Renesas, ASMedia, Genesys Logic, FTDI, Cypress and Microchip. The goal, Nohl said, was to confirm or debunk suspicions that BadUSB was a vendor bug rather than a USB bug. The second phase was more hands-on: the researchers looked at 30 USB devices chosen as a representative sample of the USB controller chip market and tried to reprogram them. Here, Nohl and his fellow SR Labs researchers Jakob Lell and Sascha Krissler took apart USB keyboards, computer mice, webcams, storage devices, USB hubs and even device chargers.
In both cases, Nohl said, roughly half were reprogrammable—even the chargers—meaning that the problem is not confined to particular vendors but extends across USB chips generally.
“More often than not, chips are hidden to a computer; different chips all appear the same to the computer,” he said. “It requires a visual inspection. You have to open them and read the markings on the chip.”
Nohl has published his results, covering USB hubs, SD card adapters, SATA adapters, input devices, webcams and USB storage.
“I think of BadUSB as a way of maintaining control over a computer versus as a means of getting malware on a computer,” Nohl said, adding that recovery is supremely difficult. “It’s an infection technology, and a technology to create a persistent infection. There’s no telling where the virus is; you can’t just look at the device and conclude it’s safe. Only after it’s too late do you notice.”
Clear answers about which vectors are vulnerable to BadUSB are scarce, and so are reasonable mitigations short of disabling USB altogether, which is hardly reasonable.
“After three months of talking, it doesn’t look like a good solution has emerged yet,” Nohl said. “A good solution is one that is effective and available in the short term, and applicable to existing devices.”
Some, including researchers Adam Caudill and Brandon Wilson, who released attack code similar to BadUSB as well as a partial patch for Phison devices, have suggested that code signing is one way to keep devices from being reprogrammed by malware. While that’s true, vendors aren’t going to go back and retrofit existing devices with code signing via updates; it would apply only to new devices.
Nohl, instead, suggests another possibility.
“An alternative option to code signing that is just as effective and comes at zero cost is just don’t allow updating,” Nohl said. “Why update at all? How often have you updated a USB peripheral at all? For most people, the answer is ‘never.’”
Nohl said that about half of the chips he examined already disallow updates—again, not consciously for security reasons.
“Usually, when [USB] devices are updated, it is for malicious purposes,” he said.