How to transform USB sticks into an undetectable malicious devices

Pierluigi Paganini October 04, 2014

Two researchers Brandon Wilson and Adam Caudill released their attack code to reprogram USB sticks and use them as an undetectable hacking instrument.

Recently, two independent researchers, Brandon Wilson and Adam Caudill, have released the code which can reprogram, benign USB devices turning them in malicious components.

The experts published the code on the Github raising the question related to the real level of security of USB devices, the BadUSB research was approached in detail during the Black Hat conference when security experts demonstrated the risks related to an undetectable menace carried via USB.

Security experts explained that USB devices can be used to compromise personal computers in a potential new type of attacks that could not be detected with all actual security protections.

Karsten Nohl, chief scientist with Berlin’s SR Labs, discovered that bad actors could exploit this new class of attacks loading malicious software low-cost computer chips that control the functions of USB devices.

The researchers from SR Labs, which presented the attack scheme during the Black Hat conference this summer, point a series of flaws in the software used to run a tiny electronic components, these components are usually designed without protections against tampering with their code.

Hackers can uncover such flaws and exploit them creating serious problems to the targeted architecture.

“You cannot tell where the virus came from. It is almost like a magic trick,” said Nohl.

Nohl explained that his team has written malicious code and deployed it into USBcontrol chips used in thumb drives and smartphones, at this point it is sufficient that victims connect the USB device to a computer to trigger the execution of malicious software.

Nohl and Lell’s BadUSB demonstrations during Black Hat illustrated how their code could overwrite USB firmware and turn a USB device into anything. A flash drive plugged into a PC, could for example, emulate a keyboard and issue commands that steal data from the machine, spoof a computer’s network interface and redirect traffic by altering DNS settings, or could load malware from a hidden partition on the drive.

Antivirus software are not able to detect malicious firmware that controls USB devices, the code inserted with this method can be used for many purposes, including spy on communications, data tampering and log keystrokes.

But while Karsten Nohl decided to not disclose the attack code, Brandon Wilson and Adam Caudill made public their source code to solicit the IT industry to adopt necessary measures for securing USB firmware from malicious manipulation.

“The security of these devices is completely compromised.” “The security of these devices is completely compromised,” Wilson said. “You can’t trust anything you plug into your computer any longer, not even something as simple as a flash drive.”

“We’re just taking advantage of the USB protocol,” Wilson said. “This drive is a reprogrammable computer that allows you to do all sorts of things. It allows you to be any device, and up until now, most developers had hard-coded them to behave in specific ways. The firmware on a flash drive makes it behave like a flash drive.”

After Black Hat, Wilson said he bought numerous drives and tested them and were able to take advantage of existing tools used to update firmware to get their code to overwrite the firmware on the Phison device. At Derby Con, they were able to demonstrate their attack with the device pretending to be a keyboard that typed out a predetermined script once it was plugged into the host computer. They also showed another demo where they had a hidden partition on a flash drive that was not detected by the host PC.

“It’s undetectable while it’s happening,” Wilson said. “The PC has no way of determining the difference. The way a PC determines the type of device all happens through the USB and code on the other device. Our ability to control that code means you cannot trust anything a USB device tells you.”

This kind of attack is very insidious, it is necessary that the device manufacturers will improve the level of security for their devices, avoiding for example the unauthorized firmware overwriting using digitally signed code for the USB device firmware.

“The fact that we were so easily able to change the firmware is an easy fix. The manufacturers could implement code-signing, but they don’t do that at all” Wilson said. “That needs to change. And even if they do add code-signing, you still have the other aspect which is that the computer cannot trust what you’re plugging into it. To truly fix the problem, it has to be fixed on the host.” “When you have a firmware image, you want to protect it in some way. You want a checksum, or something that the drive uses to validate that something is coming across correctly,” Wilson added. “There’s nothing like that. There needs to be something. Code signing is one approach to take for now. But to really shut it down long term, the host needs to be aware that when you plug in a device you don’t trust, it has to be given an option not to trust it. Because once you plug it in, it’s done.”

Resuming, threat actors could exploit USB as an attack vector simply by reprogramming USB peripherals, so it is crucial to implement protection from such malicious reprogramming.

bad usb hacking

Once reprogrammed, any USB devices could be used for various malicious purposes, including:

  1. emulates a keyboard and issue commands on behalf of the logged-in user, for example to exfiltrate files or install malware. Such malware, in turn, can infect the controller chips of other USB devices connected to the computer.
  2. spoofs a network card and change the computer’s DNS setting to redirect traffic.
  3. A modified thumb drive or external hard disk can – when it detects that the computer is starting up – boot a small virus, which infects the computer’s operating system prior to boot.

Unfortunately, no effective defenses from USB attacks are possible in this moment, antivirus cannot access the firmware running on USB devices and behavioral detection very hard to implement.

Pierluigi Paganini

(Security Affairs – hacking, USB)



you might also like

leave a comment