USB ports are a bit like Cinnabons at airports and bad Wi-Fi at hotels: ubiquitous. Almost every computer and millions of other connected devices have one. And while USB security has long been discussed, an 'unfixable' exploit threatens to up the danger quotient significantly—especially since it’s been made public.
Two security researchers, Adam Caudill and Brandon Wilson, have reverse-engineered a popular USB firmware from Taiwanese firm Phison, which powers hundreds of millions of devices. With the right exploit, USBs can become an injection conduit for malicious code—so, a flash drive could emulate a keyboard and issue commands on behalf of the logged-in user, to exfiltrate files or install malware. Such malware, in turn, can infect the controller chips of other USB devices connected to the computer.
The device can also spoof a network card and change the computer’s DNS setting to redirect traffic.
Or, a modified thumb drive or external hard disk can, when it detects that the computer is starting up, boot a small virus that infects the computer’s operating system before it loads.
The compromised code lives in the USB controller’s rewritable firmware memory rather than in the storage area a user can see, so a user can’t remove it, and no patch will fix it. Getting rid of the issue requires new USB devices built on an entirely different security architecture.
The two are replicating research from SR Labs’ Karsten Nohl, who gave a talk at the Black Hat security conference discussing the exploit, which he dubbed BadUSB. However, given the persistent nature of the issue, he decided not to release the exploit code.
“No effective defenses from USB attacks are known,” he said in his information page on the issue. “Malware scanners cannot access the firmware running on USB devices. USB firewalls that block certain device classes do not (yet) exist. And behavioral detection is difficult, since a BadUSB device’s behavior when it changes its persona looks as though a user has simply plugged in a new device.”
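Nohl’s point about behavioral detection can be made concrete from the defender’s side. The following is an added example, not code from the article, from SR Labs, or from Caudill and Wilson: a small analyser that runs over constructed USB enumeration records and flags the two shapes the article describes, a storage device that also presents a keyboard or network interface, and a device that re-enumerates on the same port with a different set of interfaces. The log format, the port names and the vendor/product IDs are all constructed for the example; the interface class codes (0x03 HID, 0x08 mass storage, 0x02/0x0A communications) are the standard USB-IF values.

```python
import re

# USB base interface class codes (USB-IF class code table).
HID = 0x03            # keyboard / mouse persona
CDC_COMM = 0x02       # communications control (e.g. a network adapter)
CDC_DATA = 0x0A       # communications data
MASS_STORAGE = 0x08   # flash drive / external disk

# A storage device that also exposes a keyboard or network persona is the
# composite shape the article describes; by itself that is only a lead for review.
SUSPICIOUS_COMPANIONS = {HID, CDC_COMM, CDC_DATA}

# Constructed record format (not real kernel output):
#   <time> port=<bus-port> vid=<hex4> pid=<hex4> classes=<comma-separated hex classes>
LINE_RE = re.compile(
    r"^(?P<time>\S+)\s+port=(?P<port>\S+)\s+vid=(?P<vid>[0-9a-fA-F]{4})"
    r"\s+pid=(?P<pid>[0-9a-fA-F]{4})\s+classes=(?P<classes>[0-9a-fA-F,]+)$"
)

# Constructed sample records; VID/PID values are placeholders, not real devices.
SAMPLE_LOG = """\
10:00:01 port=1-3 vid=abcd pid=0001 classes=08
10:00:05 port=1-4 vid=abcd pid=0002 classes=03
10:02:10 port=1-3 vid=abcd pid=0001 classes=08,03
10:03:00 port=2-1 vid=abcd pid=0003 classes=02,0a
10:03:30 port=2-1 vid=abcd pid=0003 classes=02,0a
not a record line
"""


def parse_line(line):
    """Parse one enumeration record; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "time": m.group("time"),
        "port": m.group("port"),
        "device": (m.group("vid").lower(), m.group("pid").lower()),
        "classes": frozenset(int(c, 16) for c in m.group("classes").split(",") if c),
    }


def _fmt(classes):
    return ",".join(f"{c:02x}" for c in sorted(classes))


def analyse(log_text):
    """Return a list of (time, port, reason) alerts for the records in log_text."""
    alerts = []
    last_seen = {}  # port -> (device, classes) from the previous enumeration on that port
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        classes = rec["classes"]

        # Rule 1: a storage device that also presents an input or network interface.
        companions = classes & SUSPICIOUS_COMPANIONS
        if MASS_STORAGE in classes and companions:
            alerts.append((rec["time"], rec["port"],
                           f"storage device also exposes class(es) {_fmt(companions)}"))

        # Rule 2: the same device on the same port comes back with a different
        # interface set. A genuine device swap looks the same, which is the
        # limitation Nohl points to, so this only surfaces candidates for review.
        prev = last_seen.get(rec["port"])
        if prev is not None and prev[0] == rec["device"] and prev[1] != classes:
            alerts.append((rec["time"], rec["port"],
                           f"persona change {_fmt(prev[1])} -> {_fmt(classes)}"))

        last_seen[rec["port"]] = (rec["device"], classes)
    return alerts


if __name__ == "__main__":
    for time, port, reason in analyse(SAMPLE_LOG):
        print(f"{time} port {port}: {reason}")
```

On the sample records only the third line is flagged, twice: once because the device on port 1-3 now presents both mass storage and HID, and once because that same device previously enumerated as storage alone. The network adapter on port 2-1 is never flagged, because it enumerates consistently; a rule that flagged every network or keyboard device would drown the signal in ordinary plug-ins, which is exactly the difficulty the quote above describes.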
To make matters worse, cleanup after an incident is nigh impossible.
“Simply reinstalling the operating system – the standard response to otherwise ineradicable malware – does not address BadUSB infections at their root,” Nohl said. “The USB thumb drive, from which the operating system is reinstalled, may already be infected, as may the hardwired webcam or other USB components inside the computer. A BadUSB device may even have replaced the computer’s BIOS – again by emulating a keyboard and unlocking a hidden file on the USB thumb drive.”
In case we missed the point, he added, “Once infected, computers and their USB peripherals can never be trusted again.”
But the decision not to disclose is one that Caudill and Wilson feel is a grand mistake. So now, they’ve put the exploit code up on GitHub to bring attention to the issue.
“The belief we have is that all of this should be public. It shouldn’t be held back. So we’re releasing everything we’ve got,” Caudill told the Derbycon audience in Louisville, Ky., last week. “This was largely inspired by the fact that [SR Labs] didn’t release their material. If you’re going to prove that there’s a flaw, you need to release the material so people can defend against it.”
Government agencies and high-end espionage groups are probably already using it, Caudill told WIRED.
“If the only people who can do this are those with significant budgets, the manufacturers will never do anything about it,” he said. “You have to prove to the world that it’s practical, that anyone can do it…That puts pressure on the manufacturers to fix the real issue.”
He added, “People look at these things and see them as nothing more than storage devices. They don’t realize there’s a reprogrammable computer in their hands.”