If you bought a computer before 1997, you probably noticed that the back was a pock-marked mess of connectors and ports. And if you bought a new printer and scanner, odds were good it would only work with a certain type of port. And if the pins on the connector broke, your device was worthless. It was a nightmare. And then USB arrived.
Universal Serial Bus (USB) was created by a consortium of seven major technology companies, all hoping to answer one important question: ‘How do I connect this device to my computer?’ Almost 20 years later, USB has reached a level of absolute ubiquity.
This ubiquity has been both a blessing and a curse. Whilst USB has made using peripherals and removable storage trivially easy and convenient, a recently discovered vulnerability in USB makes every computer in the world vulnerable. It’s called BadUSB, and you need to know about it.
The earth-shattering revelation that USB isn’t as secure as first thought was first disclosed by security researchers Karsten Nohl and Jakob Lell in July 2014. The malware they created – dubbed BadUSB – exploits a critical vulnerability in the design of USB devices, which allowed them to hijack a user’s Internet traffic, install additional malware and even surreptitiously gain control of a user’s keyboard and mouse.
The BadUSB malware isn’t stored on the user-accessible storage partition, but rather in the firmware of a USB device, whether that is a keyboard, a phone or a flash drive. This means that it’s virtually undetectable to conventional anti-virus packages, and can survive the drive being formatted.
Fortunately, would-be attackers have been unable to take advantage of BadUSB, because Nohl and Lell did not publish the code, in order to give the industry an opportunity to ready a fix. Until recently, that is.
In a talk given at DerbyCon – a computer security conference held in Louisville, Kentucky – Adam Caudill and Brandon Wilson demonstrated their successful reverse-engineering of BadUSB, and published their exploit code on the code-sharing platform GitHub.
The motivation behind releasing BadUSB was simply to spur on a notoriously slow-moving industry to add some security to how USB works. But this means that from this point onwards, USB is no longer safe.
But when one looks at the history behind USB, one realizes that USB has never been especially secure.
USB As An Attack Vector
The term ‘attack vector’ refers to the path taken by an attacker in order to compromise a computer. These range from malware, to browser exploits (such as the one recently found in the stock browser on Android), to vulnerabilities in software already installed on the computer (much like Shellshock).
The use of a USB flash drive as a potential attack vector isn’t especially new or uncommon. For years, hackers have dropped USB drives in public areas, just waiting for someone to plug them in and unlock the nasties stored within. Just ask Dutch chemical firm DSM.
In 2012, they reported finding flash drives that had been intentionally dropped in their parking lot. Upon examination, DSM’s internal IT staff found that they contained malware which was set to auto-run and harvest login credentials, potentially giving an attacker access to privileged and confidential information.
Looking even earlier, we can see malware that specifically took advantage of SanDisk U3 flash drives. Discontinued in 2009, this line of consumer USB drives contained a partition which ‘tricked’ the computer into thinking it was a CD-ROM. This streamlined the process of installing and managing portable applications, but also meant that the computer would auto-run whatever was stored in this partition. A package of malware (called the USB Switchblade) was developed that allowed an attacker with physical access to a post-Windows 2000 computer running with root privileges to obtain password hashes, LSA secrets and IP information.
An exploration of how to create a USB Switchblade is found in the above video.
Of course, any USB-based attack can be easily thwarted by avoiding plugging in devices that you don’t personally own, which brings me on to how you can protect yourself against future BadUSB-based attacks.
How To Stay Safe
I’ve got some bad news. It’s going to be incredibly challenging to fight any attacks that are based upon the BadUSB exploit. As it is right now, there are no firmware-level security systems for USB. A long-term fix to the issue would require a significant update to the USB standard, the most recent of which was USB Type-C. Even then, thousands of people with older hardware that lacks the update would remain vulnerable.
So, what can you do? Well, it’s still very early days, but there’s one fix that’s guaranteed to protect you from BadUSB. Simply put, you’ve got to have your wits about you. If you see a USB drive lying about, ignore it. Don’t share USB drives. Don’t let people put untrusted USB devices in your computer.
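A host-side check that complements the advice above, added here as an example and not taken from the original article: it reads the interface classes a device declares in its USB configuration descriptor and reports any that do not match what the user believes they plugged in, such as a "flash drive" that also claims a keyboard. The `ALLOWED` policy, the function names and the sample descriptors are constructed for illustration, and a device whose rewritten firmware declares only the expected classes would still pass.

```python
import struct

# USB-IF base class codes (bInterfaceClass) that matter for this check.
CLASS_NAMES = {0x02: "communications/network", 0x03: "HID (keyboard/mouse)",
               0x08: "mass storage", 0xE0: "wireless controller"}
# Hypothetical policy: classes each kind of device is expected to expose.
ALLOWED = {"flash drive": {0x08}, "keyboard": {0x03}}

def interface_classes(config):
    """Walk a USB configuration descriptor; return each interface's class code."""
    classes, pos = [], 0
    while pos < len(config):
        if pos + 2 > len(config):
            raise ValueError("truncated descriptor header at offset %d" % pos)
        length, dtype = config[pos], config[pos + 1]
        if length < 2 or pos + length > len(config):
            raise ValueError("malformed descriptor at offset %d" % pos)
        # Type 0x04 = interface descriptor; count alternate setting 0 only.
        if dtype == 0x04 and length >= 9 and config[pos + 3] == 0:
            classes.append(config[pos + 5])
        pos += length
    return classes

def unexpected_interfaces(expected_kind, config):
    """Names of interface classes the device declares beyond what was expected."""
    allowed = ALLOWED[expected_kind]
    return sorted({CLASS_NAMES.get(c, hex(c))
                   for c in interface_classes(config) if c not in allowed})

def build_config(*interfaces):
    """Build a constructed sample descriptor from (class, subclass, protocol) tuples."""
    body = b""
    for num, (cls, sub, proto) in enumerate(interfaces):
        body += bytes([9, 0x04, num, 0, 1, cls, sub, proto, 0])    # interface
        body += bytes([7, 0x05, 0x81 + num, 0x02, 0x40, 0x00, 0])  # one endpoint
    header = struct.pack("<BBHBBBBB", 9, 0x02, 9 + len(body),
                         len(interfaces), 1, 0, 0x80, 50)
    return header + body

# Constructed samples: an ordinary drive, and a "drive" that also claims a keyboard.
PLAIN_DRIVE = build_config((0x08, 0x06, 0x50))
SUSPECT_DRIVE = build_config((0x08, 0x06, 0x50), (0x03, 0x01, 0x01))

if __name__ == "__main__":
    for name, cfg in (("plain", PLAIN_DRIVE), ("suspect", SUSPECT_DRIVE)):
        print(name, unexpected_interfaces("flash drive", cfg) or "ok")
```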
Don’t Have Nightmares
Although BadUSB is incredibly frightening, it’s important to put the risk in perspective. USB has never had a huge amount of popularity as an attack vector. Furthermore, at the time of writing, there are no documented examples of BadUSB-based attacks ‘in the wild’.