It's a common scene from TV: Our hero sneaks into the villain's office, plugs in a USB stick and — flash! — all the secret plans to conquer Chicago are sucked down into the thumb-drive. The only fiction is how fast it takes to download data. In the real world, office data thieves walk out with stolen data everyday on their flash drives.
The base problem, according to the pair, is "USB has become so commonplace that we rarely worry about its security implications. USB sticks undergo the occasional virus scan, but we consider USB to be otherwise perfectly safe — until now."
Nohl and Lell continue:
USB devices are connected to – and in many cases even built into – virtually all computers. The interface standard conquered the world over the past two decades thanks to its versatility: Almost any computer peripheral, from storage and input gadgets to health-care devices, can connect over the ubiquitous technology. And many more device classes connect over USB to charge their batteries.
This versatility is also USB’s Achilles heel: Since different device classes can plug into the same connectors, one type of device can turn into a more capable or malicious type without the user noticing.
They're right of course. I have a half-dozen USB drives in my laptop bag and, except for an iPhone and iPad Touch, every device in my home office has USB ports. I'm aware that they pose a security risk, but do I worry about it? Not really.
I should and you should too.
Nohl and Lell have discovered that USB controller chips' firmware offer no protection from reprogramming. Using a set of proof-of-concept tools they call BadUSB, they claim that an ordinary USB device, even a thumb drive, can be used to compromise computers in the following ways:
A device can emulate a keyboard and issue commands on behalf of the logged-in user, for example to exfiltrate files or install malware. Such malware, in turn, can infect the controller chips of other USB devices connected to the computer.
The device can also spoof a network card and change the computer’s DNS setting to redirect traffic.
A modified thumb drive or external hard disk can — when it detects that the computer is starting up — boot a small virus, which infects the computer’s operating system prior to boot.
Adding insult to injury, they state that there's no effective way to detect a corrupted USB device. That's because, "Malware scanners cannot access the firmware running on USB devices. USB firewalls that block certain device classes do not (yet) exist. And behavioral detection is difficult, since a BadUSB device’s behavior when it changes its persona looks as though a user has simply plugged in a new device."
It gets worse. The hackers claim that "Simply reinstalling the operating system – the standard response to otherwise ineradicable malware – does not address BadUSB infections at their root. The USB thumb drive, from which the operating system is reinstalled, may already be infected, as may the hardwired webcam or other USB components inside the computer. A BadUSB device may even have replaced the computer’s BIOS – again by emulating a keyboard and unlocking a hidden file on the USB thumb drive."
In short, "Once infected, computers and their USB peripherals can never be trusted again."
Before you start banning USB devices from your workplace — good luck with that — there are ways to fix this problem. First, USB chipset manufacturers can start hardening their firmware so it can't be easily modified. Security companies can start adding programs to check USB devices for unauthorized firmware alterations.
Those are all long-term fixes. In the short-term, BadUSB-created cracking tools will be able to create compromised devices that will have the potential to be a new and deadly attack vector for hackers.