Researchers say they have managed to reprogram the firmware within some flash drives with malicious code – code executed by the gadget's micro-controller to ultimately install malware on a PC or redirect network traffic without a victim knowing.
Karsten Nohl and Jakob Lell, from German security skunkworks SR Labs, spent months analyzing the software and micro-controllers embedded in particular USB devices, and said they have found they could reliably hide, in the flash ROM, malware that's undetectable to today's antivirus tools – and it's very, very effective.
We're told their software nasty, which they call BadUSB, can be installed not just in certain thumb drives, but in anything sporting a supported or compatible micro-controller. It is impossible to remove from the device, unless you too have tools and skills to reprogram the firmware.
USB thumb drives are typically a block of flash memory with a micro-controller attached to it; this controller chip has its own RAM scratch pad, and something akin to a tiny operating system in the firmware telling it how to interface the flash with the outside world via USB. This firmware can be reprogrammed to do unintended stuff – if you've worked out how to do so.
For a few years now, this sort of attack has been known to be possible: infosec types even dubbed malicious USB devices "plug and prey."
Now we're told it's a reality. There's no need for custom hardware, which we've seen before – instead generic yet supported chips on USB sticks can be reprogrammed to infect a host PC with malware that then infects any other supported devices plugged into it, sparking a rather irritating infection.
"No effective defenses from USB attacks are known," claimed SR Labs.
"Malware scanners cannot access the firmware running on USB devices. USB firewalls that block certain device classes do not (yet) exist. And behavioral detection is difficult, since a BadUSB device’s behavior when it changes its persona looks as though a user has simply plugged in a new device."
How it's supposed to work
The two, who will present a full technical talk and proof-of-concept code at next week's Black Hat conference in Las Vegas, designed BadUSB to convince the target computer that a USB thumb drive is also a USB keyboard – which quickly feeds a string of characters to the computer as if typed by the user.
This string could, on Windows, open a cmd.exe box, run an executable on the flash drive that installs further malware, or open an Internet Explorer window and surf to a website that exploits a vulnerability in IE or Adobe Flash to inject malware. The drives can also be configured to impersonate a network card and redirect traffic.
It's all possible because USB devices can be multi-function: when they are plugged into a computer, they announce to the operating system, via the USB protocol, what kind of device they are so that the correct drivers are loaded and the gadget is usable.
Usually, a thumb drive announces itself as mass storage. If it also announces itself as a keyboard, today's desktop operating systems play along and attach it as another keyboard source to cause mischief.
Before you start panicking and throwing away your peripherals, there are a few caveats to the research.
1. Not every USB chip
Firstly, this attack will not work on all USB chips automatically – it appears to be vendor specific, and while there are a limited number of USB silicon suppliers, there's still a lot of chip models to tackle. Every chipmaker designs their controllers differently.
For Black Hat, we're told the following three attack devices will be demonstrated; these gadgets use chips made by Phison, which typically use 8051 micro-controllers:
- A USB thumb drive that rapidly injects key-presses to download and run malicious software before the user can stop it. This is triggered by plugging the device into the PC.
- A USB thumb drive that boots the PC, tampers with the operating system installation to cause further misery, and then boots the machine proper.
- A USB thumb drive that announces itself as a network card, allowing it to reconfigure the machine's DNS settings to redirect internet traffic into hackers' hands.
Earlier this year, at Shmoocon 2014, Richard Harmamn gave a presentation on his research into analyzing USB micro-controllers and studying their firmware and security features. Phison, he pointed out, has a tool called MPAll which allows firmware to be rewritten – although it's hard work crafting a working rogue firmware as the chip internals aren't documented.
2. Security versus cost
Secondly, it may be possible for device manufacturers to deal with these problems themselves. Controllers could be designed to only accept new firmware that is cryptographically proven to be legit, for example, but that would increase the complexity and the cost of these cheap-as-pennies chips.
There is, though, room for increased security, we're told.
"The USB specifications support additional capabilities for security, but original equipment manufacturers (OEM’s) decide whether or not to implement these capabilities in their products. OEMs develop products based on consumer demand," a spokeswoman from the USB Implementers Forum told El Reg in an email.
"Greater capabilities of any product likely results in higher prices, and consumers choose on a daily basis what they are willing to pay to receive certain benefits. If consumer demand for USB products with additional capabilities for security grows, we would expect OEMs to meet that demand."
At the moment it's unlikely that manufacturers are going to do anything that would drive up the price of USB devices. (Operating system developers could, of course, consider rejecting bizarre USB function combinations.)
If someone were to develop malware that infected PCs from thumb drives and then silently reprogrammed other connected thumb drives to spread again, it's unlikely that anyone's going to whine about paying a few pennies more for something that's locked down. ®