Thumb drives are so inconsistently manufactured it is all but impossible to know if any unit could be reprogrammed to own computers, researcher Karsten Nohl says.
The conditions that determined if a unit could be hacked varied not only between vendors but also within product unit lines due to manufacturers buying different hardware components due to fluctuating prices.
In a presentation (slides) at the recent PacSec conference in Japan, Nohl and fellow SRLabs researchers Sasha Kribler and Jakob Lell revealed more information into the attacks known as BadUSB.
"As long as USB controllers are reprogrammable, USB peripherals should not be shared with others," the team said.
"Once infected through USB, malware can use peripherals as a hiding place, hindering system clean up."
See the researcher's pic here.
They examined about 60 chip families from vendors Phison, Alcor, Renesas, ASmedia, Genesys Logic, FTDI, Cypress and Microchip. They found Phison chips vulnerable, along with the new USB 3.0 line from Genesys Logic, while none disabled the reprogramming vector.
It was bad news for the most security conscious organisations and individuals and good news for attackers, notably given the release last month of BadUSB attack code.
Android phones they said were the simplest BadUSB attack platforms due to its pre-configured ethernet over USB setup.
The team also detailed attacks booting hidden rootkits using a BadUSB that could determine Windows, from Mac and Linux, and a large number of attacks including keyboard emulation, and network card spoofing.
Security company Ironkey was the only known USB vendor to protect against reprogramming; the remaining BadUSB-immune devices were so only by the chance use of custom application design, Wired reported.
There was no decent defence against BadUSB other than disabling firmware updates in hardware, a feat restricted to new devices, and by pouring glue into USB ports which had obvious usability problems.
Whitelisting USBs was hindered due to lack of serial numbers and mechanisms to apply the measure, while malicious firmware could easily spoof its legitimacy to foil malware scans.
Firmware code signing could still permit unauthorised firmware upgrades, and was problematic on small devices.
It took the team two months to document, reverse engineer and patch the USB firmware processes, a system which they said may also fit similar analysis for web cams and other peripherals. ®