BadUSB: Big, bad USB security problems ahead

BadUSB: Big, bad USB security problems ahead

Summary: Everyone knows that USB thumb-drives can spell security trouble, but a German security group has found new and nasty ways to use USB devices to wreak havoc on computers.

TOPICS: Security, Hardware

It's a common scene from TV: Our hero sneaks into the villain's office, plugs in a USB stick and — flash! — all the secret plans to conquer Chicago are sucked down into the thumb-drive. The only fiction is how fast it takes to download data. In the real world, office data thieves walk out with stolen data everyday on their flash drives.

USB memory sticks may prove far more dangerous for your company than you'd ever imagined.

It could be worse. USB sticks can also carry malware. Or, as SRLabs security researchers Karsten Nohl and Jakob Lell propose to show at Black Hat, an ordinary USB pen drive can be turned into an automated hacking tool.

The base problem, according to the pair, is "USB has become so commonplace that we rarely worry about its security implications. USB sticks undergo the occasional virus scan, but we consider USB to be otherwise perfectly safe — until now."

Nohl and Lell continue:

USB devices are connected to – and in many cases even built into – virtually all computers. The interface standard conquered the world over the past two decades thanks to its versatility: Almost any computer peripheral, from storage and input gadgets to health-care devices, can connect over the ubiquitous technology. And many more device classes connect over USB to charge their batteries.

This versatility is also USB’s Achilles heel: Since different device classes can plug into the same connectors, one type of device can turn into a more capable or malicious type without the user noticing.

They're right of course. I have a half-dozen USB drives in my laptop bag and, except for an iPhone and iPad Touch, every device in my home office has USB ports. I'm aware that they pose a security risk, but do I worry about it? Not really.

I should and you should too.

Nohl and Lell have discovered that USB controller chips' firmware offer no protection from reprogramming. Using a set of proof-of-concept tools they call BadUSB, they claim that an ordinary USB device, even a thumb drive, can be used to compromise computers in the following ways:

  • A device can emulate a keyboard and issue commands on behalf of the logged-in user, for example to exfiltrate files or install malware. Such malware, in turn, can infect the controller chips of other USB devices connected to the computer.
  • The device can also spoof a network card and change the computer’s DNS setting to redirect traffic.
  • A modified thumb drive or external hard disk can — when it detects that the computer is starting up — boot a small virus, which infects the computer’s operating system prior to boot.

Adding insult to injury, they state that there's no effective way to detect a corrupted USB device. That's because, "Malware scanners cannot access the firmware running on USB devices. USB firewalls that block certain device classes do not (yet) exist. And behavioral detection is difficult, since a BadUSB device’s behavior when it changes its persona looks as though a user has simply plugged in a new device."

It gets worse. The hackers claim that "Simply reinstalling the operating system – the standard response to otherwise ineradicable malware – does not address BadUSB infections at their root. The USB thumb drive, from which the operating system is reinstalled, may already be infected, as may the hardwired webcam or other USB components inside the computer. A BadUSB device may even have replaced the computer’s BIOS – again by emulating a keyboard and unlocking a hidden file on the USB thumb drive."

In short, "Once infected, computers and their USB peripherals can never be trusted again."

Before you start banning USB devices from your workplace — good luck with that — there are ways to fix this problem. First, USB chipset manufacturers can start hardening their firmware so it can't be easily modified. Security companies can start adding programs to check USB devices for unauthorized firmware alterations.

Those are all long-term fixes. In the short-term, BadUSB-created cracking tools will be able to create compromised devices that will have the potential to be a new and deadly attack vector for hackers.

Related Stories:

Topics: Security, Hardware

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • Gosh

    I think I should run out and buy stock in Alcoa. Gonna be a run on tinfoil hats.
    • No tinfoil needed

      "[Russian] he gift bags included USB sticks emblazoned with Russia's G20 logo and three-pronged phone chargers, of the format that's commonly used across most of Europe. According to sources the sticks contained malware. And the phone chargers were equipped with an even more sophisticated combination of malicious hardware and malware -- similar to the "mactans" proof of concept that Georgia Institute of Technology security researchers showed at the annual Black Hat security conference in September [2013]."

      See more at:
      • Duco Cement

        Years ago when USB first came on the market a government security expert becoming alarmed at the risk recommended that USB ports be filled with Duco cement. This was not a joke but a serious recommendation. Many computers had their USB connectors filled.
    • The media is going crazy over this with poor information

      1) Changing firmware is pointless, the vulnerability involves replacing the old firmware.
      2) Most USB devices have the firmware data line cut, so they are invulnerable to this hack.
      3) EEPROMS vary so much between USB devices that creating a hack that gets all of them is unlikely
      4) Once everyone does #2 this vulnerability will disappear.
      • It's not about how USB sticks get infected...'s about USB sticks with malware pre-loaded.
  • Most IT people know 75% of those risks

    USB ports can be turned off using mdm or emm. In healthcare most computers have usb ports turned off for hippa compliance. some business use security software like McAfee to detect and restrict file access, copying (to usb and more), and record all that. At the enterprise level most customers keep their data in the cloud, rather than allowing it to be saved to a local drive or usb, they keep the data on servers and some disable usbs, some use no hard drive, instead they use thin clients, especially hospitals. What is interesting in this article is the detail about how the usb's manipulate the machine's bios for example. intel now has some cpu's with vpro which can help protect against this, but not many of my customers use this advanced feature, yet.
    • Fine for big-budget IT shops, but...

      ... that's pretty difficult for the majority of us to implement. On most of the production PC's out there now, keyboard and mouse are USB, so you can't just disable the controller.
      Used to be that Enterprise-grade networks were the only ones worth investing the time in, to hack through their defenses.
      With the infected-USB model, all the villain needs is two seconds of distraction to plug into one of the many "Convenience" ports that you see in front and back of PC's, in keyboards, in monitors, etc.
      Better yet, just leave a few infected thumb drives laying around in your target's office - someone is bound to plug one in to see what's on it!

      Scary stuff...
  • No big deal if you take precautions...

    No malware can modify critical and/or internal operating system structures without administrative privileges. By using a standard user account and keeping your system and applications up-to-date, you will be just fine against any kind of attack, including this one.
    • No

      Might I suggest you look up "privilege escalation zero day"?
      • May I suggest that you pay attention to my previous comment...

        when I said "keeping your system and applications up-to-date", when the manufacturer releases updates? Zero days don't remain that way too much time once the manufacturer has knowledge of them.
        • Only problem here is there have already been cases of Microsoft

          taking many months, and even years to fix some reported security issues, despite them being classed as 'zero day' issues. MS applies it's own priorities in such things, and then gets upset if the people reporting the issues go public with them, even months after telling MS, especially when they've not yet done anything about fixing it.
          Deadly Ernest
          • Everyone suffers from this problem...

            from time to time, including the open-source community and companies that support open-source efforts, so mentioning Microsoft exclusively doesn't sound very fair to me.
          • I emntioned Microsoft simply because they are the ONLY

            company I know of to have a Zero Day security issue ignored for over a year, and others ignored for several months; only bothering to react months later AFTER the people who reported them went public and the media jumped up and down. I know others have sometimes taken days, or several weeks to fix a reported problem, but MS still have the record for the five longest delays between reporting and COMMENCING corrective action.
            Deadly Ernest
  • Good luck...

    to any malware trying to modify the BIOS/UEFI without administrative privileges.
  • I think the attack vectors are not as big as you think

    Because turning a USB key into a Fake keyboard is going to be obvious to the user plugging in the flash drive. And without admin privilages... would be hard to get most of that stuff done. Especially considering the wide variation of OS's and the steps to do different procedures on different hardware.
    Additionally, if the hardware in the machine was infected, there would still need to be drivers for it, you can still disable infected hardware as the OS doesn't HAVE to talk to it.
  • Post-PC?

    Steve please comment on this:
  • I've read a few articles on this

    and none says anything about what it takes to reflash the firmware of a thumb drive. Can this happen invisibly at a bad web site or plugging into a bad PC without the user doing anything or knowing about it, or does some villain have to physically possess the drive to insert the malware? Seems to me a more likely infection source for PC malware would be smartphones, which are generally unprotected and constantly interacting with the web and local desktops and laptops.
  • Just put an OS on the stick and run it from there

    Reboot the machine with the stick in and you can usually get access to all the hard drives.
    • you can see the partitions,

      but can't do anything useful with them (if they're encrypted).
      Rick S._z
  • Seems I heard these same arguments way back to do with floppy drives

    the answer for the work place is very simple, the same way it was with the floppy drive - physical security of the work area and where very high security is needed you simply disable the device capability in the BIOS. I know of some high security areas that have been doing this for years.

    For the average home user this is a non-issue as you need to have physical access at least once to load anything, and then if hit you can handle it like any other major virus strike - nuke with format C: and reload your software.

    There is NO way you can stop one of your staff from walking off with data in some form or another, you can only make it harder. But good physical and gateway security will handle 99.9999999% of this.
    Deadly Ernest