BadUSB hasn’t gone from bad to worse necessarily, but it sure has reached a new state of confusion for security experts and consumers in the crosshairs.
Researcher Karsten Nohl, who warned the world during Black Hat last summer that the controller chips in most USB devices could be reprogrammed to behave badly, has dug deeper into the problem.
Nohl’s Black Hat research was limited to chips built by Phison Electronics Corp., of Taiwan, the market share leader. But his most recent effort looked long and hard into the top eight chips populating not only USB sticks, but just about anything that connects to a computer over USB, and determined that some can be reprogrammed, some cannot, and some might be reprogrammable under certain conditions. The real kicker, however, is that USB device makers indiscriminately flip-flop between these chips depending on price and availability, meaning that not all USBs are alike — not even those in the same product line. Determining which chips are risky requires physically dismantling and examining the chip in the particular USB device.
Nohl demonstrated during Black Hat how his attack code — which has not been released — could overwrite USB firmware and turn a USB device into anything. A flash drive plugged into a PC could, for example, emulate a keyboard and issue commands that steal data from the machine, spoof a computer’s network interface and redirect traffic by altering DNS settings, or load malware from a hidden partition on the drive. The attack is undetectable and does not exploit a vulnerability in the code, but rather just takes advantage of the way in which USB devices are supposed to behave.
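A host cannot see which controller chip or firmware sits inside a device, but it does see the interface classes the device announces, so a flash drive that also presents a keyboard or network interface stands out at enumeration. The following check is an added example, not code from Nohl's research or from this article; the role policy, port names and sample lines are constructed assumptions, with input shaped like Linux sysfs interface names paired with their bInterfaceClass values.

```python
from collections import defaultdict

# USB-IF base class codes as they appear in bInterfaceClass.
AUDIO, CDC, HID, MASS_STORAGE, HUB, VIDEO = 0x01, 0x02, 0x03, 0x08, 0x09, 0x0E

# Hypothetical site policy: classes each enrolled role may announce.
ALLOWED = {
    "storage": {MASS_STORAGE},
    "keyboard": {HID},
    "webcam": {VIDEO, AUDIO},
    "hub": {HUB},
}

def parse_interfaces(lines):
    """Map port -> set of classes from 'bus-port:config.iface class_hex' lines."""
    devices = defaultdict(set)
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, cls = line.split()
        devices[name.split(":", 1)[0]].add(int(cls, 16))
    return dict(devices)

def audit(devices, enrolled):
    """Return {port: unexpected classes}; a port with no enrolment reports all."""
    findings = {}
    for port, classes in devices.items():
        extra = classes - ALLOWED.get(enrolled.get(port), set())
        if extra:
            findings[port] = sorted(extra)
    return findings

# Constructed sample: 1-2 and 1-5 were enrolled as flash drives but also
# announce a keyboard (HID) and a network-style (CDC) interface; 1-4 is unknown.
SAMPLE = """
1-1:1.0 09
1-2:1.0 08
1-2:1.1 03
1-3:1.0 03
1-4:1.0 08
1-5:1.0 08
1-5:1.1 02
""".splitlines()
ENROLLED = {"1-1": "hub", "1-2": "storage", "1-3": "keyboard", "1-5": "storage"}

if __name__ == "__main__":
    for port, extra in sorted(audit(parse_interfaces(SAMPLE), ENROLLED).items()):
        print(port, "unexpected classes:", [f"0x{c:02x}" for c in extra])
```

The check only compares announced descriptors against an expected role; a reprogrammed device that announces nothing beyond what its role allows passes it, which is consistent with the point that different chips all look the same to the computer.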
In both cases, Nohl said, roughly half were reprogrammable — even the chargers — meaning that the problem is not confined to particular vendors, but to USB chips. “More often than not, chips are hidden to a computer; different chips all appear the same to the computer,” he said. “It requires a visual inspection. You have to open them and read the markings on the chip.” Nohl has published his results, looking at USB hubs, SD card adapters, SATA adapters, input devices, webcams and USB storage.
Just as any clear answers on what vectors are vulnerable to BadUSB are scarce, so too are there relatively few reasonable mitigations short of disabling USB—which is hardly reasonable. “After three months of talking, it doesn’t look like a good solution has emerged yet,” Nohl said. “A good solution is one that is effective and available in the short term, and applicable to existing devices.”
Nohl, instead, suggests another possibility. “An alternative option to code signing that is just as effective and comes at zero cost is just don’t allow updating,” Nohl said. “Why update at all? How often have you updated a USB peripheral at all? For most people, the answer is ‘never.’” Nohl said that about half of the chips he examined already disallow updates — again not consciously for security reasons. “Usually, when [USB] devices are updated, it is for malicious purposes,” he said.