Feeds

Plug and PREY: Hackers reprogram USB drives to silently infect PCs

BadUSB instructs gadget chips to inject key-presses, redirect net traffic and more

Beginner's guide to SSL certificates

Researchers say they have managed to reprogram the firmware within some flash drives with malicious code – code executed by the gadget's micro-controller to ultimately install malware on a PC or redirect network traffic without a victim knowing.

Karsten Nohl and Jakob Lell, from German security skunkworks SR Labs, spent months analyzing the software and micro-controllers embedded in particular USB devices, and said they have found they could reliably hide, in the flash ROM, malware that's undetectable to today's antivirus tools – and it's very, very effective.

We're told their software nasty, which they call BadUSB, can be installed not just in certain thumb drives, but in anything sporting a supported or compatible micro-controller. It is impossible to remove from the device, unless you too have tools and skills to reprogram the firmware.

USB thumb drives are typically a block of flash memory with a micro-controller attached to it; this controller chip has its own RAM scratch pad, and something akin to a tiny operating system in the firmware telling it how to interface the flash with the outside world via USB. This firmware can be reprogrammed to do unintended stuff – if you've worked out how to do so.

For a few years now, this sort of attack has been known to be possible: infosec types even dubbed malicious USB devices "plug and prey."

Now we're told it's a reality. There's no need for custom hardware, which we've seen before – instead generic yet supported chips on USB sticks can be reprogrammed to infect a host PC with malware that then infects any other supported devices plugged into it, sparking a rather irritating infection.

"No effective defenses from USB attacks are known," claimed SR Labs.

"Malware scanners cannot access the firmware running on USB devices. USB firewalls that block certain device classes do not (yet) exist. And behavioral detection is difficult, since a BadUSB device’s behavior when it changes its persona looks as though a user has simply plugged in a new device."

How it's supposed to work

The two, who will present a full technical talk and proof-of-concept code at next week's Black Hat conference in Las Vegas, designed BadUSB to convince the target computer that a USB thumb drive is also a USB keyboard – which quickly feeds a string of characters to the computer as if typed by the user.

This string could, on Windows, open a cmd.exe box, run an executable on the flash drive that installs further malware, or open an Internet Explorer window and surf to a website that exploits a vulnerability in IE or Adobe Flash to inject malware. The drives can also be configured to impersonate a network card and redirect traffic.

It's all possible because USB devices can be multi-function: when they are plugged into a computer, they announce to the operating system, via the USB protocol, what kind of device they are so that the correct drivers are loaded and the gadget is usable.

Usually, a thumb drive announces itself as mass storage. If it also announces itself as a keyboard, today's desktop operating systems play along and attach it as another keyboard source to cause mischief.

Before you start panicking and throwing away your peripherals, there are a few caveats to the research.

1. Not every USB chip

Firstly, this attack will not work on all USB chips automatically – it appears to be vendor specific, and while there are a limited number of USB silicon suppliers, there's still a lot of chip models to tackle. Every chipmaker designs their controllers differently.

For Black Hat, we're told the following three attack devices will be demonstrated; these gadgets use chips made by Phison, which typically use 8051 micro-controllers:

  • A USB thumb drive that rapidly injects key-presses to download and run malicious software before the user can stop it. This is triggered by plugging the device into the PC.
  • A USB thumb drive that boots the PC, tampers with the operating system installation to cause further misery, and then boots the machine proper.
  • A USB thumb drive that announces itself as a network card, allowing it to reconfigure the machine's DNS settings to redirect internet traffic into hackers' hands.

Earlier this year, at Shmoocon 2014, Richard Harmamn gave a presentation on his research into analyzing USB micro-controllers and studying their firmware and security features. Phison, he pointed out, has a tool called MPAll which allows firmware to be rewritten – although it's hard work crafting a working rogue firmware as the chip internals aren't documented.

2. Security versus cost

Secondly, it may be possible for device manufacturers to deal with these problems themselves. Controllers could be designed to only accept new firmware that is cryptographically proven to be legit, for example, but that would increase the complexity and the cost of these cheap-as-pennies chips.

There is, though, room for increased security, we're told.

"The USB specifications support additional capabilities for security, but original equipment manufacturers (OEM’s) decide whether or not to implement these capabilities in their products. OEMs develop products based on consumer demand," a spokeswoman from the USB Implementers Forum told El Reg in an email.

"Greater capabilities of any product likely results in higher prices, and consumers choose on a daily basis what they are willing to pay to receive certain benefits. If consumer demand for USB products with additional capabilities for security grows, we would expect OEMs to meet that demand."

At the moment it's unlikely that manufacturers are going to do anything that would drive up the price of USB devices. (Operating system developers could, of course, consider rejecting bizarre USB function combinations.)

If someone were to develop malware that infected PCs from thumb drives and then silently reprogrammed other connected thumb drives to spread again, it's unlikely that anyone's going to whine about paying a few pennies more for something that's locked down. ®

Top 5 reasons to deploy VMware with Tegile

More from The Register

next story
Regin: The super-spyware the security industry has been silent about
NSA fingered as likely source of complex malware family
Why did it take antivirus giants YEARS to drill into super-scary Regin? Symantec responds...
FYI this isn't just going to target Windows, Linux and OS X fans
Privacy bods offer GOV SPY VICTIMS a FREE SPYWARE SNIFFER
Looks for gov malware that evades most antivirus
Patch NOW! Microsoft slings emergency bug fix at Windows admins
Vulnerability promotes lusers to domain overlords ... oops
HACKERS can DELETE SURVEILLANCE DVRS remotely – report
Hikvision devices wide open to hacking, claim securobods
'Regin': The 'New Stuxnet' spook-grade SOFTWARE WEAPON described
'A degree of technical competence rarely seen'
Astro-boffins start opening universe simulation data
Got a supercomputer? Want to simulate a universe? Here you go
You stupid BRICK! PCs running Avast AV can't handle Windows fixes
Fix issued, fingers pointed, forums in flames
prev story

Whitepapers

Go beyond APM with real-time IT operations analytics
How IT operations teams can harness the wealth of wire data already flowing through their environment for real-time operational intelligence.
Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
10 threats to successful enterprise endpoint backup
10 threats to a successful backup including issues with BYOD, slow backups and ineffective security.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Security and trust: The backbone of doing business over the internet
Explores the current state of website security and the contributions Symantec is making to help organizations protect critical data and build trust with customers.