
USB drives with altered firmware

bononos

Diamond Member
I don't know if this has been posted yet:
http://www.wired.com/2014/07/usb-security/

Common USB thumb drives can carry viruses hidden in the firmware, which would be invisible to normal scans. These hacked USB flash drives can alter files stored on the drive, redirect network traffic, take over the PC...
And worse, there is no easy way to patch this exploit.
 
Happy to see more press related to USB security, but security people have been warning of the dangers surrounding USB for a long time. The USB Rubber Ducky (very cool device that imitates a keyboard...check it out if you haven't seen it) has been on the market for at least 3 years now.

Nohl and Lell's research related to reprogramming the firmware, on any device, by plugging it in to a BadUSB host PC (for lack of a better term to describe it) so that it will carry a malicious payload is a new threat vector (or maybe I should say newly-public threat vector), but the risk-level related to USB has always been high.

I'm happy that the article also mentioned the thought of finding a trusted source/supply chain for usb devices, because that's a huge problem. How do you know the new devices you purchase, in their shiny retail packaging, are trustworthy? A trusted supply chain isn't a new problem in the technology world, either. Not to go off on a tangent, but remember these stories related to Cisco back in 2008? http://www.infoworld.com/d/security-central/fbi-worried-dod-sold-counterfeit-cisco-gear-266
 
No I haven't read about the USB rubber ducky. Was the stuxnet worm delivered through something like the usb rubber ducky or was it a 'normal' infected flash drive?
 
No I haven't read about the USB rubber ducky. Was the stuxnet worm delivered through something like the usb rubber ducky or was it a 'normal' infected flash drive?

To the best of my knowledge, stuxnet used "normal" infected flash drives. However, it leveraged several 0day vulnerabilities, which made it an extremely powerful piece of malware.
 
Here's another link about the security researchers discoveries.

http://www.bbc.com/news/technology-28701124

The connector is popular due to the fact that it makes it easy to plug in and install a wide variety of devices. Devices that use USB contain a small chip that "tells" the computer exactly what it is, be it a phone, tablet or any other piece of hardware.

It is this function that has been exposed by the threat.

In one demo, shown off at the Black Hat hackers conference in Las Vegas, a standard USB drive was inserted into a normal computer.

Malicious code implanted on the stick tricked the machine into thinking a keyboard had been plugged in.

After just a few moments, the "keyboard" began typing in commands - and instructed the computer to download a malicious program from the internet.

Another demo, shown in detail to the BBC, involved a Samsung smartphone.

When plugged in to charge, the phone would trick the computer into thinking it was in fact a network card. It meant when the user accessed the internet, their browsing was secretly hijacked.

Mr Nohl demonstrated to the BBC how they were able to create a fake copy of PayPal's website, and steal user log-in details as a result.

Unlike other similar attacks, where simply looking at the web address can give away a scam website, there were no visible clues that a user was under threat.
 
There was a discussion about this on 4chan's /g/ board a few days back.


Honestly I have no idea what can be done to prevent it. Do virus scanners have access to a USB device's firmware? If not, I don't think they'd be able to detect it. The only way to stop this is for OS makers like MS and Apple to introduce something in their kernel. Or maybe some kind of anti-virus built into the motherboard's UEFI.
 
Some A/V suites (for example, I know Symantec Endpoint Protection can do it) have the ability to Blacklist (block specific devices) or Whitelist (block all devices except those that are explicitly allowed) USB devices based on their Device ID.

That being said, I suspect that whitelisting known-good devices would be a step in the right direction for protecting against these kinds of USB vulnerabilities, but it's still not a perfect solution. It could potentially protect against people plugging in random devices that haven't been approved by their IT/Information Security department, but if devices that get infected with bad firmware retain their DeviceID, then you still run the risk of it being infected if it's attached to a computer that you don't control (for instance, an employee plugging it in to their personal laptop). It also doesn't solve the problem of a bad guy in the supply chain, and malicious firmware making its way into devices when they ship from the manufacturer.

Some kind of a kernel-level firmware code-signing check would be a nice defense, but I don't know how possible/practical that is.
 
Some kind of a kernel-level firmware code-signing check would be a nice defense, but I don't know how possible/practical that is.

Not the easiest for just anyone to use, but I wonder if you could gpg sign the firmware; basically attesting your trust of the device. It could either be factory firmware, or firmware you loaded yourself. Plug in a stick, and it checks for the certificate. If it's unrecognized, or untrusted, the stick couldn't be accessed.
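The two mitigation ideas raised in the posts above (whitelisting devices by Device ID, and checking an attested firmware before the device is allowed) can be sketched as a single host-side admission policy. The code below is an added illustration written for this thread; it is not code from Symantec Endpoint Protection, GnuPG, or any other product mentioned. Everything it assumes is marked: the vendor/product IDs and serials are constructed placeholders, and the `firmware` field supposes the host could read back the device's firmware image so it can be compared to a pinned digest, which, as the thread itself points out, today's USB stacks do not offer. The one check that does work on real descriptors is the interface-class comparison: a thumb drive that suddenly enumerates a keyboard (HID) or network interface alongside its storage interface is the behaviour the BBC quote describes, and it is visible to the host before any driver binds.

```python
"""
Host-side USB admission policy: allowlist by device identity, require that the
interfaces a device enumerates match what that identity is approved for, and
compare a (hypothetically readable) firmware image against a pinned digest.
Added illustration for the forum discussion; all sample values are constructed.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# USB interface class codes (from the USB-IF class code list).
HID = 0x03           # keyboards, mice
CDC = 0x02           # communications devices, e.g. a USB network adapter
MASS_STORAGE = 0x08  # what a plain thumb drive should expose


@dataclass(frozen=True)
class UsbDevice:
    vendor_id: int
    product_id: int
    serial: str
    interface_classes: Tuple[int, ...]   # classes the device enumerated
    firmware: Optional[bytes] = None     # hypothetical: readable firmware image


@dataclass(frozen=True)
class TrustEntry:
    allowed_classes: FrozenSet[int]        # interfaces this identity may expose
    firmware_sha256: Optional[str] = None  # pinned digest of the trusted firmware


DeviceKey = Tuple[int, int, str]


def device_key(dev: UsbDevice) -> DeviceKey:
    return (dev.vendor_id, dev.product_id, dev.serial)


def evaluate(dev: UsbDevice, trust: Dict[DeviceKey, TrustEntry]) -> Tuple[bool, List[str]]:
    """Decide whether drivers may bind to dev; return (allow, reasons for denial)."""
    entry = trust.get(device_key(dev))
    if entry is None:
        return False, ["unknown device: not in allowlist"]
    reasons: List[str] = []
    # A reprogrammed stick keeps its identity but enumerates extra interfaces
    # (a keyboard, a network card); that difference is visible in the descriptors.
    unexpected = set(dev.interface_classes) - entry.allowed_classes
    if unexpected:
        reasons.append("unexpected interface classes: "
                       + ", ".join(hex(c) for c in sorted(unexpected)))
    if entry.firmware_sha256 is not None:
        if dev.firmware is None:
            reasons.append("firmware pinned but image not readable")
        else:
            digest = hashlib.sha256(dev.firmware).hexdigest()
            if not hmac.compare_digest(digest, entry.firmware_sha256):
                reasons.append("firmware digest mismatch")
    return (not reasons), reasons


# --- constructed sample data (placeholder IDs, not a real vendor) -------------
GOOD_FW = b"constructed factory image v1"
TAMPERED_FW = b"constructed factory image v1 + implant"
APPROVED = (0x1234, 0x5678, "SN-CONSTRUCTED-001")

TRUST_STORE: Dict[DeviceKey, TrustEntry] = {
    APPROVED: TrustEntry(frozenset({MASS_STORAGE}),
                         hashlib.sha256(GOOD_FW).hexdigest()),
}


def scenarios() -> Dict[str, Tuple[bool, List[str]]]:
    """Run the policy over four constructed devices and return each verdict."""
    cases = {
        "approved stick": UsbDevice(*APPROVED, (MASS_STORAGE,), GOOD_FW),
        "same stick, now also a keyboard": UsbDevice(*APPROVED, (MASS_STORAGE, HID), GOOD_FW),
        "same stick, firmware changed": UsbDevice(*APPROVED, (MASS_STORAGE,), TAMPERED_FW),
        "unknown stick": UsbDevice(0x1234, 0x5678, "SN-UNKNOWN", (MASS_STORAGE,)),
    }
    return {name: evaluate(dev, TRUST_STORE) for name, dev in cases.items()}


if __name__ == "__main__":
    for name, (allow, reasons) in scenarios().items():
        print(f"{name:34} -> {'ALLOW' if allow else 'DENY'} {reasons}")
```

The interface-class check is the part worth taking away: it is cheap, it needs no cooperation from the device, and it catches exactly the storage-device-turned-keyboard and storage-device-turned-network-card cases from the BBC demos. The digest check shows what the "signed firmware" idea would need from the hardware (a trustworthy way to read or attest the image), which is also why it remains hypothetical here.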
 
Update

http://www.wired.com/2014/10/code-published-for-unfixable-usb-attack/

It’s been just two months since researcher Karsten Nohl demonstrated an attack he called BadUSB to a standing-room-only crowd at the Black Hat security conference in Las Vegas, showing that it’s possible to corrupt any USB device with insidious, undetectable malware. Given the severity of that security problem—and the lack of any easy patch—Nohl has held back on releasing the code he used to pull off the attack. But at least two of Nohl’s fellow researchers aren’t waiting any longer.

In a talk at the Derbycon hacker conference in Louisville, Kentucky last week, researchers Adam Caudill and Brandon Wilson showed that they’ve reverse engineered the same USB firmware as Nohl’s SR Labs, reproducing some of Nohl’s BadUSB tricks. And unlike Nohl, the hacker pair has also published the code for those attacks on Github, raising the stakes for USB makers to either fix the problem or leave hundreds of millions of users vulnerable.

Also, a video from Twit.tv with a guest talking about the exploit:

http://twit.cachefly.net/video/tn2n/tn2n0185/tn2n0185_h264b_640x368_256.mp4

Advance the video to about 8 min 25 sec.



*e2a*

Phison USB sticks have been found with the malware

http://www.businessinsider.com/hackers-infect-phison-usb-sticks-with-badusb-2014-10

The "good" news is that vulnerability only comes from one USB manufacturer, Phison of Taiwan. The bad news is that Phison USB sticks can infect any device they're inserted into, and it's not clear whether those devices can then go on to infect any other USB device that is plugged into them afterward. Phison does not disclose who it makes USB sticks for — so it's not yet clear how widespread the problem might be.

Edward Snowden's leaks revealed that the NSA possesses a spying device known as "Cottonmouth" that uses a vulnerability in USB to monitor computers and relay information. It's possible that Cottonmouth works using a similar vulnerability as the discovery outlined above.

Interesting speculation on the NSA having found out about the exploit separately.


....
 