8 October 2014

The Unpatchable, And Undetectable Malware That Infects USB Devices — Is Now On The Loose; USB Devices Are Likely Carrying The ‘Next’ Digital Epidemic

October 3, 2014 


Andy Greenberg, writing in the October 2, 2014 edition of Wired.com, observes that “it’s been two months since researcher Karsten Nohl demonstrated an attack he called BadUSB to a standing room only crowd at the Black Hat security conference in Las Vegas [this summer], showing it’s possible to corrupt any USB device with insidious, undetectable malware. Given the severity of that security problem — and, the lack of an easy patch — Nohl has held back on releasing the code he used to pull off the attack [hack],” Mr. Greenberg writes, but, he adds, “two of Nohl’s fellow researchers aren’t waiting any longer.”

“In a talk at the Derbycon Hacker Conference in Louisville, Kentucky last week, researchers Adam Caudill and Brandon Wilson showed that they’ve reverse engineered the same USB firmware as Nohl’s SR Labs, reproducing some of Nohl’s BadUSB tricks. And unlike Nohl,” Mr. Greenberg notes, “the hacker pair also published the code for those attacks on Github, raising the stakes for USB makers to either fix the problem; or, leave hundreds of millions of users vulnerable.”

“The belief we have is that all of this should be public. It shouldn’t be held back. So, we’re releasing everything we’ve got,” Caudill told the Derbycon audience on Friday. “This was largely inspired by the fact that [SR Labs] didn’t release their material. If you’re going to prove there’s a flaw, you need to release the material so people can defend against it.” 

“The two, independent researchers, who declined to name their employer, say that publicly releasing the USB attack code will allow penetration testers to use the technique, all the better to prove to their clients that USBs are nearly impossible to secure in their current form. And, they also argue that making a working exploit available is the only way to pressure USB makers to change the tiny devices’ fundamentally broken security scheme,” Mr. Greenberg wrote.

“If this is going to get fixed, it needs to be more than just a talk at Black Hat,” Caudill told Wired in a follow-up interview. Mr. Caudill “argues that the USB trick was likely already available to highly resourced government intelligence agencies like the NSA — who may already be using it in secret. If the only people who can do this are those with significant budgets, the manufacturers will never do anything about it,” he says. “You have to prove to the world that it’s practical, that anyone can do it…That puts pressure on the manufacturers to fix the real issue.”

“Like Nohl,” Mr. Greenberg adds, “Caudill and Wilson reverse engineered the firmware of USB microcontrollers, sold by the Taiwanese firm, Phison, one of the world’s top USB makers. Then, they [the researchers] reprogrammed that firmware to perform disturbing attacks: In one case, they showed that the infected USB can impersonate a USB keyboard to type any keystrokes the attacker chooses on the victim’s machine. Because it affects the firmware of the USB’s microcontroller, that attack program would be stored in the rewritable code that controls the USB’s basic functions, not in its flash memory — even deleting the entire contents of its storage wouldn’t catch the malware. Other firmware tricks demonstrated by Caudill and Wilson would hide files in that invisible portion of the code, or silently disable the USB’s security feature that password protects a certain portion of its memory.”

“People look at these things and see them as nothing more than storage devices,” Caudill said. “They don’t realize there’s a reprogrammable computer in their hands.”

“In an earlier interview with Wired, ahead of his Black Hat talk, the Berlin-based Nohl had said he wouldn’t release the exploit code he’d developed, because he considered the BadUSB vulnerability practically unpatchable. (He did, however, offer a proof-of-concept for Android devices). To prevent USB devices’ firmware from being rewritten, their security architecture would need to be fundamentally redesigned, he argued, so that no code could be changed on the device without the unforgeable signature of the manufacturer. But, he warned that even if that code-signing measure were put in place today, it could take 10 years or more to iron out the USB standard’s bugs, and pull existing vulnerable devices out of circulation,” Mr. Greenberg warned. “It’s unfixable for the most part,” Nohl said at the time. “But, before even starting this [cyber] arms race, USB sticks have to attempt security.”

Caudill says “that by publishing their code, he and Wilson are hoping to start the security process. But, even they hesitate to release every possible attack against USB devices. They’re working on another exploit that would invisibly inject malware into files as they are copied from a USB device to a computer. By hiding another USB-infecting function in that malware, Caudill says it would be possible to quickly spread the malicious code from any USB stick that’s connected to a PC and back to any new USB plugged into the computer. That two-way infection trick could potentially enable a USB-carried malware epidemic. Caudill considers that attack so dangerous…that even he and Wilson are debating whether to release it,” Mr. Greenberg warned.

“There’s a tough balance between proving it’s possible; and, making it easy for people to actually do it,” Caudill said. “There’s an ethical dilemma here. We want to make sure we’re on the right side of it.”

As I read this and thought back to the fact that the U.S. Government recently severed its ties to the largest background/security investigation firm, USIS — over a breach into their networks earlier this year — one is reminded that there are just too many ways to break into the networks and systems of just about anybody on the planet — even, the NSA. If the USG wants to ensure no repeats of the USIS breach, the only surefire way to do that — is to take everything off the net. Even then, you would still have the trusted insider threat. And, how do you know your systems are really ‘clean?’

Carrying The Next Digital Epidemic: Why The Security Of A USB Device Is Fundamentally Broken — Next Big Digital Infection Vector?

Mr. Greenberg had a previous article on this same subject in the July 31, 2014 edition of Wired.com. He wrote at that time, “computer users pass around USB sticks like silicon business cards. Although we know they often carry malware infections, we depend on antivirus scans and the occasional reformatting to keep our thumb-drives from becoming the carrier of the next digital epidemic. But, the security problems with USB devices run deeper than you think,” he says. “Their risk isn’t just what they carry, it’s built into the core of how they work.”

“The problem isn’t limited to thumb drives,” Mr. Greenberg wrote at the time. “All manner of USB devices — from keyboards and mice, to smartphones — have firmware that can be reprogrammed. In addition to USB sticks, Nohl and Lell say they’ve also tested their attack on an Android handset, plugged into a PC. And, once a BadUSB-infected device is connected to a computer, a grab bag of evil tricks can play havoc on the infected network/IT system. It can, for example, impersonate a USB keyboard to suddenly start typing commands.” “It can do whatever you can do with a keyboard, which is basically everything a computer does. The malware can silently hijack Internet traffic too, changing a computer’s DNS settings to siphon traffic to any servers it pleases. Or, if the code is planted on a phone, or another device with an Internet connection, it can act as a man-in-the-middle, secretly spying on communications — as it relays them from the victim’s machine,” Nohl added.

The Alternative Is To Treat USB Devices Like Hypodermic Needles

“Nohl, and his colleague, Jakob Lell, reached out to a Taiwanese USB device maker, whom he declines to name, and warned the company about their BadUSB research,” Mr. Greenberg writes. “Over a series of emails, the company repeatedly denied that the attack was possible. When Wired contacted the USB Implementers Forum, a nonprofit corporation that oversees the USB standard, spokeswoman Liz Nardozza responded in a statement: “Consumers should always ensure their devices are from a trusted source; and, that only trusted sources interact with their devices,” she wrote. “Consumers safeguard their personal belongings; and, the same effort should be applied to protect themselves — when it comes to technology.”

“Nohl agrees. The short-term solution to BadUSB isn’t a technical patch, so much as a fundamental change in how we use USB gadgets,” writes Mr. Greenberg. “To avoid the attack, all you have to do is not connect your USB device to computers you don’t own; or, have good reason to trust — and, don’t plug untrusted USB devices into your own computer. But, Nohl admits that makes the convenient slices of storage we all carry in our pockets, among many other devices, significantly less useful.” “In this new way of thinking, you can’t trust a USB — just because its storage doesn’t contain a virus. Trust must come from the fact that no one malicious has ever touched it,” said Nohl. “You have to consider USB infected; and, throw it away as soon as it touches a non-trusted computer. And, that’s incompatible with how we use USB devices right now,” he added.

“The two researchers haven’t yet decided just which of their BadUSB device attacks they’ll release at Black Hat, if any. Nohl says he worries that the malicious firmware for USB sticks could quickly spread,” wrote Mr. Greenberg. “On the other hand, he says users need to be aware of the risks. Some companies could change their USB policies, for instance, to only use a certain manufacturer’s USB devices; and, insist that vendor implement code-signing protections on their gadgets.”
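A host-side policy check of the kind such a USB policy implies, as an added example that is not code from Wired, the researchers, or this blog: it evaluates the descriptors a device reports at enumeration, combining a manufacturer allowlist with checks for a storage device that also presents a keyboard or network interface. The vendor/product IDs, serials and event records are constructed placeholders; the class codes are the standard USB ones.

```python
# Added example: USB enumeration policy check over constructed descriptor data.
HID, MASS_STORAGE, CDC = 0x03, 0x08, 0x02   # standard USB interface class codes
KEYBOARD = (HID, 0x01, 0x01)                # HID boot-interface keyboard

# Hypothetical allowlist of (idVendor, idProduct) pairs the organisation issues.
# Caveat: these IDs are reported by the device's own firmware, so reprogrammed
# firmware can copy them; the interface checks below do not rely on them.
ALLOWED = {("aaaa", "0001")}

def parse_interfaces(text):
    """Parse 'class/subclass/protocol' hex triples, one per interface."""
    return [tuple(int(p, 16) for p in tok.split("/")) for tok in text.split()]

def assess(device, seen):
    """Return findings for one enumeration event.

    `seen` maps (vid, pid, serial) to the interface classes last observed,
    so a stick that comes back with extra interfaces is noticed."""
    findings = []
    ifaces = parse_interfaces(device["interfaces"])
    classes = {c for c, _, _ in ifaces}
    if (device["vid"], device["pid"]) not in ALLOWED:
        findings.append("not-on-allowlist")
    if MASS_STORAGE in classes and KEYBOARD in ifaces:
        findings.append("storage-plus-keyboard")
    if MASS_STORAGE in classes and CDC in classes:
        findings.append("storage-plus-network")
    key = (device["vid"], device["pid"], device["serial"])
    if key in seen and seen[key] != classes:
        findings.append("interfaces-changed")
    seen[key] = classes
    return findings

# Constructed sample events (not captured from real hardware).
EVENTS = [
    {"vid": "aaaa", "pid": "0001", "serial": "S1", "interfaces": "08/06/50"},
    {"vid": "aaaa", "pid": "0001", "serial": "S1", "interfaces": "08/06/50 03/01/01"},
    {"vid": "bbbb", "pid": "0002", "serial": "K9", "interfaces": "03/01/01"},
    {"vid": "cccc", "pid": "0003", "serial": "N4", "interfaces": "08/06/50 02/02/00"},
]

def run(events):
    """Assess events in order, sharing state between them."""
    seen = {}
    return [assess(e, seen) for e in events]

if __name__ == "__main__":
    for event, result in zip(EVENTS, run(EVENTS)):
        print(event["vid"], event["pid"], event["interfaces"], "->", result or "ok")
```

A device that enumerates only as a keyboard while reporting allowlisted IDs passes every check here, which is why Nohl's argument for manufacturer-signed firmware still stands alongside host policy.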

“Implementing that new security model will first require convincing device makers that the threat is real,” Mr. Greenberg concludes. “The alternative,” Nohl says, “is to treat USB devices like hypodermic needles that can’t be shared among users — a model that sows suspicion; and, largely defeats the devices’ purpose.” “Perhaps you remember once when you’ve connected some USB device to your computer from someone you don’t completely trust,” says Nohl. “That means you can’t trust your computer anymore. That is a threat on a layer that’s invisible. It’s a terrible kind of paranoia.” V/R, RCP
