BadUSB: Undetectable USB flaw Could Expose all Your Tech Gear to Hackers

News

Security research firm SR Labs has discovered a flaw in USB devices that lets an attacker overwrite the firmware of a device's controller with code of their own. There is currently no way for a host to detect a device that has been reprogrammed this way, and so far no one has found a way to patch the flaw.

BadUSB makes any USB device a potential security risk

Karsten Nohl from SR Labs will be discussing the issue during the Black Hat Conference next week in Las Vegas. He said,

These problems can't be patched. We're exploiting the very way that USB is designed.

The flaw, dubbed BadUSB, works by planting malicious code in the firmware of the device's USB controller, rather than simply storing a virus in, say, the flash memory of a thumb drive. Mr. Nohl said almost any USB device -- keyboards, mice, thumb drives, computers and smartphones included -- contains controller firmware that can be reprogrammed, and that is what BadUSB exploits.

A compromised device can attack the host it is plugged into, for example by enumerating as a keyboard and typing commands, and malware running on that host can in turn reprogram the firmware of other USB devices connected to it. Because the host has no way to read back or verify a device's firmware, there isn't any way of knowing that has happened. The result is that no USB device can be trusted to be safe unless it has never left your physical control and has never been connected to anyone else's gear.
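The firmware itself cannot be audited from the host, but the behaviour it produces at enumeration can be. The following Python script is an added example, not code from SR Labs or the original article: it applies a default-deny allowlist to constructed USB device records shaped like the fields udev exposes (idVendor, idProduct, per-interface bInterfaceClass), and flags the classic BadUSB pattern of a thumb drive whose reprogrammed firmware also presents a HID keyboard interface. The vendor/product IDs, serials and the allowlist are all hypothetical.

```python
"""USB interface-class allowlisting as a host-side BadUSB heuristic.

Added example, not from the original article or SR Labs. A reprogrammed
device reports whatever vendor/product IDs and interface descriptors its
firmware chooses, so the host cannot prove the firmware is clean. It can,
however, refuse any device that does not look like the device it claims
to be. The device records below are constructed to mirror udev's fields;
the IDs and the allowlist are hypothetical.
"""
from dataclasses import dataclass

# USB-IF interface class codes (from the USB class code table).
HID = 0x03
MASS_STORAGE = 0x08
HUB = 0x09
VENDOR_SPECIFIC = 0xFF

# Hypothetical allowlist: for each vetted vendor:product, the only interface
# classes it is supposed to expose. Anything else is treated as untrusted.
ALLOWLIST = {
    ("0781", "5567"): {MASS_STORAGE},   # the organisation's standard thumb drive
    ("046d", "c52b"): {HID},            # the standard keyboard/mouse receiver
    ("05e3", "0608"): {HUB},            # a known 4-port hub
}


@dataclass(frozen=True)
class UsbDevice:
    vendor_id: str
    product_id: str
    interface_classes: frozenset
    serial: str = ""


def classify(dev: UsbDevice, allowlist=ALLOWLIST) -> str:
    """Return 'allow' or 'block:<reason>' for one enumerated device.

    Default-deny: a vendor:product that was never vetted is blocked, which is
    the article's 'never connect anything you can't verify' advice expressed
    as a rule. A vetted device is blocked if it exposes any interface class
    outside its allowlist, e.g. mass storage plus a HID keyboard.
    """
    key = (dev.vendor_id.lower(), dev.product_id.lower())
    allowed = allowlist.get(key)
    if allowed is None:
        return "block:unknown-device"
    unexpected = sorted(dev.interface_classes - allowed)
    if unexpected:
        return "block:unexpected-class:" + ",".join(f"0x{c:02x}" for c in unexpected)
    return "allow"


def audit(devices, allowlist=ALLOWLIST):
    """Classify every device in an enumeration snapshot.

    Returns {serial or 'vid:pid': verdict} so the result can be logged or
    fed to whatever actually de-authorises the device.
    """
    report = {}
    for dev in devices:
        label = dev.serial or f"{dev.vendor_id}:{dev.product_id}"
        report[label] = classify(dev, allowlist)
    return report


# Constructed enumeration snapshot. The third record is the BadUSB pattern:
# a known thumb drive model whose firmware also presents a HID keyboard.
# The fourth is a free "swag" drive nobody has vetted.
SAMPLE_DEVICES = [
    UsbDevice("0781", "5567", frozenset({MASS_STORAGE}), serial="4C530001"),
    UsbDevice("046d", "c52b", frozenset({HID}), serial="RCVR-01"),
    UsbDevice("0781", "5567", frozenset({MASS_STORAGE, HID}), serial="4C530002"),
    UsbDevice("1234", "abcd", frozenset({MASS_STORAGE}), serial="SWAG-DRIVE"),
]

if __name__ == "__main__":
    for label, verdict in audit(SAMPLE_DEVICES).items():
        print(f"{label:12} {verdict}")
```

The check raises the attacker's cost rather than closing the hole: a reprogrammed device that spoofs the vendor:product of your real keyboard and exposes only a HID interface passes, as does a storage device whose malicious firmware misbehaves at the block level instead of adding interfaces. It does catch the most common demonstration (storage device that suddenly types), and the article's isolation advice still applies for everything else. On Linux, USBGuard enforces this kind of policy in production with `with-interface` matches in its rules.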

The convenience of USB, and especially of thumb drives, means they are routinely handed around to share files, and if any one device is infected the infection can quickly spread to the other USB gear connected to your computer. That effectively makes USB devices disposable: once one leaves your trusted, closed environment you have to assume it has been infected, and the same goes for the computer it comes back to.

There aren't any official reports of BadUSB in the wild, but that doesn't mean the flaw isn't already being exploited. University of Pennsylvania computer science professor Matt Blaze said it's possible agencies such as the NSA have been exploiting the flaw for some time without detection. He cited the NSA's USB surveillance tech known as Cottonmouth as a potential example of BadUSB in action, adding, "I wouldn't be surprised if some of the things [Mr. Nohl] discovered are what we heard about in the NSA catalogue."

The only workaround for now is to keep all of your USB-equipped devices isolated, including your computer, and never connect anything to your computer that comes from a source you can't personally verify as safe. Sharing files via USB hard drives or thumb drives isn't safe either, unless you are completely certain that every other device they have been connected to can be trusted.

That mindset goes against the way we currently use USB devices and completely kills their convenience, too. Until a way to detect and overcome BadUSB is discovered and implemented, it's on end users to practice safe tech and do what they can to keep their own gear away from untrusted devices.

Since there aren't any reported incidents of BadUSB in the wild, it's possible no devices have been infected, and that manufacturers will have a way to protect from the exploit before it becomes a widespread issue. Without a reliable way to detect BadUSB, however, we're all in the dark right now wondering if our mice, keyboards, USB drives, and even computers, have been compromised.

[Thanks to Wired for the heads up]

Comments

Lee Dronick

Oh great! USB charging stations in public places. USB drive swag handed out for free.

aardman

Paradox of the day.  Headline says ‘Undetectable USB flaw’.  I don’t think so.  Think about it.

furbies

Could a manufacturer “fix” their USB device(s) so the firmware isn’t writable after leaving the factory ?

gnasher729

@furbies: Yes, they could reasonably easily. And overwriting firmware isn’t quite trivial, because for example if you want to overwrite the firmware in my USB flash drive, you first have to write firmware that keeps the USB flash drive working as a flash drive, _plus_ perform some malicious activity, _plus_ figure out how to make the device overwrite its firmware (you can’t just overwrite it, you have to ask the device politely to overwrite its own firmware).

For example, with a USB flash drive, having firmware that cannot be overwritten would be a selling point. But you have to trust the seller. For example with Flash drives, plenty of people sell cheap 64GB drives that are really 1GB drives pretending to be 64GB drives (you only notice when you write more than 1GB, and read the data again and compare. Fatal if you use such a drive for backup). So just because the seller says the firmware can’t be overwritten, that means nothing if they are lying.

Hagen

I’ve also had a number of USB hubs that required firmware updates to work correctly—sometimes multiple updates. I would expect these to be prime targets for a well crafted piece of malware.

And yes, a well crafted piece of malware can do such things on your computer in the background with no user visibility, in much the same way as a key logger or botnet slave.

Intel is putting the finishing touches on USB 3.1 (faster speeds, new connector, up to 100w power).  Let’s hope they delay the final release of that long enough to implement a fix for this… assuming one wasn’t already in there.
