Feeds

Plug and PREY: Hackers reprogram USB drives to silently infect PCs

BadUSB instructs gadget chips to inject key-presses, redirect net traffic and more

Providing a secure and efficient Helpdesk

Researchers say they have managed to reprogram the firmware within some flash drives with malicious code – code executed by the gadget's micro-controller to ultimately install malware on a PC or redirect network traffic without a victim knowing.

Karsten Nohl and Jakob Lell, from German security skunkworks SR Labs, spent months analyzing the software and micro-controllers embedded in particular USB devices, and said they have found they could reliably hide, in the flash ROM, malware that's undetectable to today's antivirus tools – and it's very, very effective.

We're told their software nasty, which they call BadUSB, can be installed not just in certain thumb drives, but in anything sporting a supported or compatible micro-controller. It is impossible to remove from the device, unless you too have tools and skills to reprogram the firmware.

USB thumb drives are typically a block of flash memory with a micro-controller attached to it; this controller chip has its own RAM scratch pad, and something akin to a tiny operating system in the firmware telling it how to interface the flash with the outside world via USB. This firmware can be reprogrammed to do unintended stuff – if you've worked out how to do so.

For a few years now, this sort of attack has been known to be possible: infosec types even dubbed malicious USB devices "plug and prey."

Now we're told it's a reality. There's no need for custom hardware, which we've seen before – instead generic yet supported chips on USB sticks can be reprogrammed to infect a host PC with malware that then infects any other supported devices plugged into it, sparking a rather irritating infection.

"No effective defenses from USB attacks are known," claimed SR Labs.

"Malware scanners cannot access the firmware running on USB devices. USB firewalls that block certain device classes do not (yet) exist. And behavioral detection is difficult, since a BadUSB device’s behavior when it changes its persona looks as though a user has simply plugged in a new device."

How it's supposed to work

The two, who will present a full technical talk and proof-of-concept code at next week's Black Hat conference in Las Vegas, designed BadUSB to convince the target computer that a USB thumb drive is also a USB keyboard – which quickly feeds a string of characters to the computer as if typed by the user.

This string could, on Windows, open a cmd.exe box, run an executable on the flash drive that installs further malware, or open an Internet Explorer window and surf to a website that exploits a vulnerability in IE or Adobe Flash to inject malware. The drives can also be configured to impersonate a network card and redirect traffic.

It's all possible because USB devices can be multi-function: when they are plugged into a computer, they announce to the operating system, via the USB protocol, what kind of device they are so that the correct drivers are loaded and the gadget is usable.

Usually, a thumb drive announces itself as mass storage. If it also announces itself as a keyboard, today's desktop operating systems play along and attach it as another keyboard source to cause mischief.

Before you start panicking and throwing away your peripherals, there are a few caveats to the research.

1. Not every USB chip

Firstly, this attack will not work on all USB chips automatically – it appears to be vendor specific, and while there are a limited number of USB silicon suppliers, there's still a lot of chip models to tackle. Every chipmaker designs their controllers differently.

For Black Hat, we're told the following three attack devices will be demonstrated; these gadgets use chips made by Phison, which typically use 8051 micro-controllers:

  • A USB thumb drive that rapidly injects key-presses to download and run malicious software before the user can stop it. This is triggered by plugging the device into the PC.
  • A USB thumb drive that boots the PC, tampers with the operating system installation to cause further misery, and then boots the machine proper.
  • A USB thumb drive that announces itself as a network card, allowing it to reconfigure the machine's DNS settings to redirect internet traffic into hackers' hands.

Earlier this year, at Shmoocon 2014, Richard Harmamn gave a presentation on his research into analyzing USB micro-controllers and studying their firmware and security features. Phison, he pointed out, has a tool called MPAll which allows firmware to be rewritten – although it's hard work crafting a working rogue firmware as the chip internals aren't documented.

2. Security versus cost

Secondly, it may be possible for device manufacturers to deal with these problems themselves. Controllers could be designed to only accept new firmware that is cryptographically proven to be legit, for example, but that would increase the complexity and the cost of these cheap-as-pennies chips.

There is, though, room for increased security, we're told.

"The USB specifications support additional capabilities for security, but original equipment manufacturers (OEM’s) decide whether or not to implement these capabilities in their products. OEMs develop products based on consumer demand," a spokeswoman from the USB Implementers Forum told El Reg in an email.

"Greater capabilities of any product likely results in higher prices, and consumers choose on a daily basis what they are willing to pay to receive certain benefits. If consumer demand for USB products with additional capabilities for security grows, we would expect OEMs to meet that demand."

At the moment it's unlikely that manufacturers are going to do anything that would drive up the price of USB devices. (Operating system developers could, of course, consider rejecting bizarre USB function combinations.)

If someone were to develop malware that infected PCs from thumb drives and then silently reprogrammed other connected thumb drives to spread again, it's unlikely that anyone's going to whine about paying a few pennies more for something that's locked down. ®

New hybrid storage solutions

More from The Register

next story
Google recommends pronounceable passwords
Super Chrome goes into battle with Mr Mxyzptlk
Infosec geniuses hack a Canon PRINTER and install DOOM
Internet of Stuff securo-cockups strike yet again
Reddit wipes clean leaked celeb nudie pics, tells users to zip it
Now we've had all THAT TRAFFIC, we 'deplore' this theft
Apple Pay is a tidy payday for Apple with 0.15% cut, sources say
Cupertino slurps 15 cents from every $100 purchase
YouTube, Amazon and Yahoo! caught in malvertising mess
Cisco says 'Kyle and Stan' attack is spreading through compromised ad networks
TorrentLocker unpicked: Crypto coding shocker defeats extortionists
Lousy XOR opens door into which victims can shove a foot
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
Top 5 reasons to deploy VMware with Tegile
Data demand and the rise of virtualization is challenging IT teams to deliver storage performance, scalability and capacity that can keep up, while maximizing efficiency.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.