Sunday, March 29, 2015
BadUSB Security Threat Affects Billions of Devices and is Fundamentally Unfixable
We all use USB storage devices and accessories - in fact there are billions of them in the world right now, according to the USB Implementers Forum - and we take for granted that theyll just work when plugged in. Before the standard existed, plugging anything in to a PC usually involved shutting it down, restarting, and installing drivers.
This simplicity is achieved using microcontrollers in each USB device which negotiate connections with host PCs and tell both parties how to recognise each other. Now, nearly 20 years after the first USB devices became widespread, a lack of forethought about security in the original implementations of those controllers is being exploited.
Security researchers Adam Caudill and Brandon Wilson announced that they had reverse-engineered one widely used USB controller chip and demonstrated how they had been successful in reprogramming commonly available USB pen drives to behave in unexpected ways. Their methods can be expected to be replicated for malicious purposes since the two have released all their findings, including source code, to the public.
A previous report on the potential vulnerability, which has come to be known as BadUSB, was published earlier this year although no information was released that could have been used by attackers. Caudill and Wilson believe that the scale of the problem is so immense that the entire industry needs to be jolted into action, or nothing will be done about it. It is also possible that the flaw has been known to attackers (including government agencies) for a long time and has been exploited without anyone knowing. Forcing knowledge of BadUSB into the public domain will make potential victims aware of that possibility.
Terrifyingly, fixing the problem will require a completely new set of USB protocols and the scrapping of all devices that are currently in existence. People are so used to USB that they will not hesitate to plug in a storage device, keyboard, or any other product - even a smartphone. This complacence can be exploited by attackers, for example, by leaving a doctored pen drive lying around in public or giving thousands of them away for free in a promotion - no one would hesitate to plug it in.
Because the drives firmware has been modified, formatting it wont do any good. Malware detection tools can only scan storage locations, not firmware. Experts citied by Wired estimate that it could take over a decade for a new, secure version of USB to become dominant, and even then there would be no way to ensure that every single previously sold USB device had been destroyed.
Even commonly available password-protected pen drives can be compromised - the duo demonstrated a technique by which any password set by a user could be invalidated. The user might continue thinking his device is secure, but unbeknownst to him, any combination of characters will be able to unlock it.
Another demonstration involved modifying a commodity pen drive so that it contains a completely hidden partition which is only mounted by plugging a pen drive into a PC and then ejecting it. When unmounted, the secret partitions contents are not detectable even to forensic examination tools. The final demo was of a virtual keyboard which was capable of taking over input and entering commands on a PC - just plugging in any USB device could trigger a flood of keyboard inputs that could potentially be used to install malware, steal passwords, or anything else.
In effect, USB itself should now be considered fundamentally insecure. Users concerned about device and data security should not use any new USB device that comes into their possession. Affected devices cannot be detected and there is no patch. At most, according to the two demos, PCs might be able to detect fishy behaviour but would not be able to prevent it before it happened. The USB-IF has not responded, although at least one secure device vendor, Ironkey, has publicly announced that its products are not vulnerable because they use signed firmware code, and signatures are verified on each use to make sure the code has not been tampered with.
USB as a standard is already set to become a lot more confusing with the impending debut of the new, backwards-incompatible Type-C connector which will work with existing USB 3.0 and older devices as well as upcoming USB 3.1 standard.