Next time you find a foreign USB stick lying around, think twice before plugging it into your computer. A pair of security researchers named Karsten Nohl and Jakob Lell demonstrated before an audience at the Black Hat security conference in Las Vegas that a fundamental flaw in USB firmware could be exploited to create malware that goes undetected and cannot be patched. Realizing the kind of power they were dealing with, the pair opted to keep the code secret – until other researchers decided to post it publicly on GitHub.
Two other researchers – Adam Caudill and Brandon Wilson – reverse-engineered the same USB firmware that Nohl and Lell did and released their code into the wild, in an effort to pressure USB makers into fixing the problem or risk leaving millions of users vulnerable.
“The belief we have is that all of this should be public. It shouldn’t be held back. So we’re releasing everything we’ve got,” said Caudill, speaking before an audience at DerbyCon on Friday. “This was largely inspired by the fact that [SR Labs] didn’t release their material. If you’re going to prove that there’s a flaw, you need to release the material so people can defend against it.” In other words, publicly releasing the hack allows security experts and white-hat hackers alike to test the technique and discover all the possible angles of exploitation.
Caudill argues that some form of BadUSB – as the exploit has been named – is probably already available to resourceful government intelligence agencies, and that manufacturers are less likely to act if the only people who can use it are large entities with “significant budgets.” If one were to prove that anyone can perform the hack, then “that puts pressure on the manufacturers to fix the real issue,” adds Caudill.
To put the incident into perspective, consider that USB sticks are not simply “storage devices,” but rather minicomputers with their own microcontrollers. By reprogramming the firmware on a USB stick’s microcontroller, Caudill and Wilson created malware that lurks within the machine-level code which controls the device’s basic functions, not in its flash memory. Thus, deleting the contents of the USB stick will not eliminate the malware.
Caudill demonstrated that the reprogrammed firmware could be used to mount a number of serious attacks, such as impersonating a keyboard to type arbitrary keystrokes on the victim’s machine, hiding files in an invisible portion of the device, or secretly disabling the USB stick’s password-protection feature.
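The keyboard-impersonation trick above shows up on the host as a device whose USB configuration descriptor advertises a HID keyboard interface alongside (or instead of) the mass-storage interface a thumb drive is expected to have. The following is an added example, not code from the article or from the researchers it describes: it parses a USB configuration descriptor and flags a "storage device" that also enumerates a boot keyboard. The descriptor layouts follow the USB 2.0 and HID specifications; the sample descriptors are constructed for the example, not captured from real hardware.

```python
"""Flag a USB configuration descriptor that combines mass storage with a keyboard."""
import struct

# Descriptor type and class codes from the USB 2.0 / HID specifications
DESC_CONFIGURATION, DESC_INTERFACE = 0x02, 0x04
CLASS_HID, CLASS_MASS_STORAGE = 0x03, 0x08
HID_SUBCLASS_BOOT, HID_PROTOCOL_KEYBOARD = 0x01, 0x01


def parse_interfaces(config_desc: bytes):
    """Walk the descriptor chain and return (class, subclass, protocol) per interface."""
    interfaces, offset = [], 0
    while offset + 2 <= len(config_desc):
        length, dtype = config_desc[offset], config_desc[offset + 1]
        if length < 2 or offset + length > len(config_desc):
            raise ValueError("truncated or malformed descriptor at offset %d" % offset)
        if dtype == DESC_INTERFACE and length >= 9:
            # bInterfaceClass, bInterfaceSubClass, bInterfaceProtocol sit at bytes 5..7
            interfaces.append(tuple(config_desc[offset + 5:offset + 8]))
        offset += length  # skip endpoint, HID and any other descriptors we do not inspect
    return interfaces


def looks_like_badusb(config_desc: bytes) -> bool:
    """True when one device enumerates both a storage interface and a boot keyboard."""
    ifaces = parse_interfaces(config_desc)
    has_storage = any(cls == CLASS_MASS_STORAGE for cls, _, _ in ifaces)
    has_keyboard = any((cls, proto) == (CLASS_HID, HID_PROTOCOL_KEYBOARD)
                       for cls, _, proto in ifaces)
    return has_storage and has_keyboard


def _iface(num, cls, sub, proto):
    # bLength, bDescriptorType, bInterfaceNumber, bAlternateSetting, bNumEndpoints,
    # bInterfaceClass, bInterfaceSubClass, bInterfaceProtocol, iInterface
    return struct.pack("<BBBBBBBBB", 9, DESC_INTERFACE, num, 0, 0, cls, sub, proto, 0)


def _config(*ifaces):
    body = b"".join(ifaces)
    # bLength, bDescriptorType, wTotalLength, bNumInterfaces, bConfigurationValue,
    # iConfiguration, bmAttributes (bus powered), bMaxPower (100 mA)
    return struct.pack("<BBHBBBBB", 9, DESC_CONFIGURATION, 9 + len(body),
                       len(ifaces), 1, 0, 0x80, 50) + body


# Constructed sample descriptors (not captured from real hardware; endpoints omitted)
PLAIN_STICK = _config(_iface(0, CLASS_MASS_STORAGE, 0x06, 0x50))  # SCSI, bulk-only
STICK_PLUS_KEYBOARD = _config(_iface(0, CLASS_MASS_STORAGE, 0x06, 0x50),
                              _iface(1, CLASS_HID, HID_SUBCLASS_BOOT, HID_PROTOCOL_KEYBOARD))

if __name__ == "__main__":
    print("plain stick:", looks_like_badusb(PLAIN_STICK))               # False
    print("stick + keyboard:", looks_like_badusb(STICK_PLUS_KEYBOARD))  # True
```

This heuristic only catches the composite case; reprogrammed firmware can just as easily enumerate as a keyboard and nothing else, so host-side policy (authorising new HID devices explicitly, as tools such as USBGuard do) is the more robust mitigation.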
Fixing USB devices would involve rewriting their entire security architecture so that firmware cannot be altered without the manufacturer’s security key. Even if this plan is set in motion, it may take up to a decade before the older, bug-ridden memory sticks are phased out.
Caudill and Wilson are currently working on a new angle of attack that creates a two-way infection capable of contaminating any additional USB sticks that come into contact with infected PCs. So dangerous is the possibility of this type of attack creating a USB-carried malware epidemic that even Caudill and Wilson are hesitant to release this code.
Via Wired