USB Hardware Easily Subverted, Researchers Claim - InformationWeek
Mobile // Mobile Devices
04:25 PM
Connect Directly
Cloud Security: Don't Go Blind While Playing in the Cloud
Dec 06, 2017
Attend this webinar to understand the security transformation from an on-prem fortress mentality t ...Read More>>

USB Hardware Easily Subverted, Researchers Claim

Security researchers say they can reprogram USB controller chips to hijack USB devices and connected computers.

iPhone 6: 8 Ideas Ripped From Rivals?
iPhone 6: 8 Ideas Ripped From Rivals?
(Click image for larger view and slideshow.)

USB hardware is insecure and there's no effective defense, a pair of security researchers claim.

In a coming presentation at Black Hat USA 2014, Karsten Nohl and Jacob Lell plan to demonstrate a proof-of-concept attack on USB devices they're calling BadUSB.

The researchers, who work with Security Research Labs in Berlin, claim that USB devices can easily be reprogrammed to execute malware.

Such compromised devices "can emulate a keyboard and issue commands on behalf of the logged-in user, for example to exfiltrate files or install malware," the pair explained in a blog post. They also can pretend to be a network card and reroute network traffic by altering DNS settings. Or they can detect when an attached computer begins to boot up and install a virus before the operating system loads, thereby infecting an existing operating system or one that has been newly installed; this nullifies a standard defense against malware -- reinstallation of the operating system. The attack can even rewrite a computer's BIOS, offering another way to preempt security measures implemented in the operating system.

[Smartphones take on yet another job. Read Hilton Turns Smartphones Into Room Keys.]

Beyond avoiding untrusted USB devices, there appears to be very little that can be done at present to mitigate this risk.

"No effective defenses from USB attacks are known," the pair states. "Malware scanners cannot access the firmware running on USB devices. USB firewalls that block certain device classes do not (yet) exist."

The threat looks to be theoretical, at least for a while.

"Fortunately, this type of attack has not been observed 'in the wild' yet," said Nohl in an email. "It would appear to only be a matter of time until we see actual abuse given the high gains and relatively low effort to implement such attacks."

However, the NSA, and presumably other intelligence agencies, have long been aware that USB hardware and connectors provide a path to compromising a target device. The NSA's Tailored Access Operations (TAO) group's implant catalog, leaked by Edward Snowden, contains three versions of a tool called Cottonmouth, a hacked USB connector that can send and receive data -- or exploit code -- wirelessly.

If Nohl and Lell succeed in demonstrating software to subvert USB devices, we might see more compromised USB devices. But untrusted hardware has long been a potential risk; the researchers' findings should underscore that fact. The upside for intelligence agencies is that henceforth they might be able to simply reprogram USB devices instead of rewiring them -- if they weren't already aware of this vulnerability.

A spokesperson for the USB Implementers Forum (USB-IF), the standards organization that develops and promotes USB specifications, said in an email that the group does not produce devices and cannot speak for specific manufacturers.

"The USB-IF agrees that consumers should always ensure their devices are from a trusted source and that only trusted sources interact with their devices," the group's spokesperson said. "...To prevent the spread of malware, consumers should only grant trusted sources with access to their USB devices."

The USB-IF spokesperson added that USB specifications support additional security, but equipment makers decide whether to implement these capabilities, which would entail greater cost.

The BlackHat security conference is owned by United Business Media, which also operates InformationWeek.

Consumerization means CIOs must grant personal devices access to corporate data and networks. Here's how to avoid loss and corruption. Get the new Mobile Security Action Plan issue of InformationWeek Tech Digest today (free registration required).

Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful ... View Full Bio

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
<<   <   Page 2 / 2
User Rank: Ninja
7/31/2014 | 6:39:42 PM
Re: Why are there no USB Firewalls yet?

The USB-IF spokesperson added that USB specifications support additional security, but equipment makers decide whether to implement these capabilities, which would entail greater cost.  

Seems that security and cost will be added following some high profile breach. But, still that would be the security added at USB owners end rather than the device which will run it.

David F. Carr
David F. Carr,
User Rank: Author
7/31/2014 | 6:38:48 PM
USBs and the military / intelligence world
The Department of Defense tried imposing an absolute ban on USB removable storage a few years ago but eventually wound up allowing exceptions selectively. USBs were apparently a factor in the Edward Snowden leak scandal as well. One challenge: USB has become the standard interface for connecting all sorts of gadgets to a PC, including keyboard and mouse. Maintaining an absolute ban might make a lot of sense -- except that it's impossible to maintain.
User Rank: Ninja
7/31/2014 | 6:29:08 PM
Re: Why are there no USB Firewalls yet?
Amazed that still the USB culture prevails in many organizations where numerous flash drives from Employees, Customers, Vendors and even the visitors and trainees find their way into company PCs. From the article, it seems that currently the only way to cover this risk is to restrict thumb drive use. I wonder how culture can be changed quickly and are there any secure alternatives available.
Thomas Claburn
Thomas Claburn,
User Rank: Author
7/31/2014 | 5:14:51 PM
Re: Why are there no USB Firewalls yet?
I wonder what percentage of people insert thumb drives they find somewhere? Just leaving compromised USB sticks in hotels and in bars is probably a very efficient way to create a botnet.
User Rank: Ninja
7/31/2014 | 4:52:57 PM
Why are there no USB Firewalls yet?
I was reading the Blogpost and Wondering to myself.

Why are their no USB Firewalls yet?

Seems to be a matter of Cost primarily.

The other issue is that if they can hit the BiOS with their attacks ,absolutely anything is possible.

And Hardware Level attacks are much more difficult to erase than just pure Software Hacks.

Lot of Trouble,Looking forwads to this Black Hat Presentation.


<<   <   Page 2 / 2
Register for InformationWeek Newsletters
White Papers
Current Issue
Digital Transformation Myths & Truths
Transformation is on every IT organization's to-do list, but effectively transforming IT means a major shift in technology as well as business models and culture. In this IT Trend Report, we examine some of the misconceptions of digital transformation and look at steps you can take to succeed technically and culturally.
Twitter Feed
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Flash Poll