
The BadUSB exploit was revealed by researcher Karsten Nohl at the Black Hat computer security convention on August 7. BadUSB is a problematic USB security issue that was recently released to the public. Mr Nohl was concerned about the BadUSB exploit and opted not to release the exploit itself to the public. Later, security researchers Adam Caudill and Brandon Wilson reverse engineered the exploit and presented their findings at the DerbyCon conference in Louisville, Kentucky. They explained how they were able to recreate the same exploit hinted at back on August 7 by Karsten, who had this to say: “The problems can’t be patched. The problem is that we’re exploiting the very way that USB has been designed.”

BadUSB works on the basis that a USB device can impersonate other types of USB device, regardless of its intended use. Every USB thumb drive has a microcontroller chip that identifies it as a USB device. In a thumb drive, that chip sits between the computer and the memory chip that holds the data. The firmware that runs on this microcontroller can be updated, and that update can be an infected one. The next time you plug that USB device into your PC, it behaves differently: instead of identifying as a storage device it could identify as a keyboard and start running commands of its own, effectively impersonating the user. Those commands, typed through the virtual keyboard, can then be used to infect the computer, for example by opening a command prompt and issuing commands. It will then change itself back to a storage device, and the user won’t notice anything has happened. This becomes a problem because malware-detection software is currently unable to access the firmware on flash drives. Because of this, there appears to be no protection or preventative measure against the BadUSB exploit as of yet.
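The firmware stays out of reach, but the host does see the interface classes a device announces when it is plugged in. The following added example (not from the article or from the researchers' released code) walks a USB configuration descriptor and flags a device the user expects to be storage when it announces a keyboard; the descriptor bytes are constructed samples and the function names are hypothetical.

```python
import struct

DT_CONFIG, DT_INTERFACE = 0x02, 0x04          # USB descriptor types
CLASS_HID, CLASS_MASS_STORAGE = 0x03, 0x08    # USB interface class codes
HID_PROTO_KEYBOARD = 0x01                     # bInterfaceProtocol for a keyboard

# Constructed sample descriptors (not captured from any real device).
PLAIN_DRIVE = bytes.fromhex(
    "090220000101008032"                      # configuration, wTotalLength = 32
    "090400000208065000"                      # interface: mass storage, SCSI, bulk-only
    "07058102000200" "07050202000200")        # bulk IN and OUT endpoints
AS_KEYBOARD = bytes.fromhex(
    "090222000101008032"                      # configuration, wTotalLength = 34
    "090400000103010100"                      # interface: HID, boot subclass, keyboard
    "092111010001223f00" "0705810308000a")    # HID descriptor, interrupt IN endpoint

def parse_interfaces(blob):
    """Return (class, subclass, protocol) for each interface descriptor."""
    if len(blob) < 9 or blob[1] != DT_CONFIG:
        raise ValueError("not a configuration descriptor")
    total = struct.unpack_from("<H", blob, 2)[0]
    if total > len(blob):
        raise ValueError("wTotalLength exceeds the data supplied")
    interfaces, off = [], 0
    while off < total:
        if off + 2 > total:
            raise ValueError("truncated descriptor header")
        length, dtype = blob[off], blob[off + 1]
        if length < 2 or off + length > total:
            raise ValueError("malformed descriptor length")
        if dtype == DT_INTERFACE:
            if length < 9:
                raise ValueError("short interface descriptor")
            interfaces.append(tuple(blob[off + 5:off + 8]))
        off += length
    return interfaces

def audit(blob, expected_class=CLASS_MASS_STORAGE):
    """List interfaces that do not belong on a device expected to be storage."""
    findings = []
    for cls, _sub, proto in parse_interfaces(blob):
        if cls == expected_class:
            continue
        if cls == CLASS_HID and proto == HID_PROTO_KEYBOARD:
            findings.append("HID keyboard interface on a device expected to be storage")
        else:
            findings.append(f"unexpected interface class 0x{cls:02x}")
    return findings
```

Because the device can switch back to storage afterwards, a check like this only sees the keyboard while it is being presented, so it has to run on every enumeration rather than once per device.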

The researchers, Adam and Brandon, have released the BadUSB code to the public via GitHub. For those who don’t know, GitHub is a computer source code hosting service designed to allow multiple software developers to work on a project without requiring a common network. Representatives from Symantec have said anti-virus technology can’t inspect the drivers running inside a USB device. Their recommended precautions are as follows. Only insert trusted USB devices into your computers. On top of that, do not purchase pre-owned USB devices or borrow any, as they could contain harmful software. The last precaution suggested was not to leave your computer or mobile device unattended.

McAfee security company’s Chief Consumer Security Evangelist, Gary J Davis, had this to say: “The best practical advice McAfee can give consumers regarding the BadUSB attack is to avoid thumb drives that are not from a credible source. For example a big box retailer or one they have not previously used. Additionally, we would discourage consumers from using promotional thumb drives that are given away at events. So the threat may remain hidden. Trade show exhibitors long ago gave up handing out pamphlets and folders to show goers. Instead they now favor bowls full of USB sticks pre-loaded with information about their products and services. Many of us simply grab every one of them in sight, knowing that we can wipe the data and reuse them for personal storage. However, what if there’s a bowl full of BadUSB drives? Erasing the data will not remove the threat.”

It seems the public and security experts are currently up in arms about the threat of this brand new hardware exploit, but is it truly as dangerous as they say? One would think you could develop a fix for it through permission controls in an OS. Whatever threat it poses to the tech world, it’s possible we won’t know for some time. Given the history of some individuals with these things, the thought of it being in the public domain is a little daunting.


Tabitha Dickerson

Tabitha has been playing games since she was 4. The first console she ever received from her parents was a SEGA MegaDrive. She has joined the website to gain further experience in an industry that she absolutely adores.

  • Soundstorm

    Jeez. That’s pretty scary. Mostly for anywhere that uses a lot of computers any number of people can access (offices, libraries, etc.) but still a major threat to private machines as well.

  • Nick

    All modern cell-phones use some form of USB connector. I’m wondering if the next step is going to be to fake a different device type outside of the specific firmware the phone normally registers with the computer…. Hey man I need to charge my phone? bam, control.

  • Tabitha Dickerson

    That’s one of the possibilities Adam and Brandon are talking about. Little concerning.

  • So the message folks be paranoid, not even your USB stick is safe. Is nothing sacred anymore?

  • LurkerJK

    The cellphone one is the easiest to fix, just do not allow a data connection until you actively turn it on through the cellphone input, you can't hack the cellphone if it won't connect the 2 data lines, until then it's just a 5V drain (I imagine this might limit the amount of current you can draw from the port since you can't ask for more through software but you could work around that, and there is no point for charging ports to limit current below their operation limits)

    imho we have allowed cellphones to ignore security for too long, I'm far more worried at the fact now every single app you install in Android just outright asks you for every single permission possible

    You can't just “not install anything”, using “safe sources” is becoming kind of a joke with millions of apps in the store, BlackBerries allowed to deny permissions to apps and still use them, it wouldn't be that difficult to connect them to a sandboxed/spoofed resource to keep the program from knowing you denied it, also why allow full access to resources why not read only or only access to a range of IPs or add an “ask for permission every time” option to things like text messages

  • Nick

    You misinterpreted the flow of the hack. I was stating that someone modifies their own cell phone firmware to engage in malicious behaviour when plugged in to charge on someone else's machine. It requires accepting the driver install for sure, but if that’s all that the hack required to run arbitrary code then this is one of those never install hardware you don’t trust problems.

  • LurkerJK

    I see, I would be more worried about apps silently modifying the firmware themselves rather than the user, USB sticks or microcontrollers seem cheaper and easier to do intentional attacks

    It is troubling that the phones have the particular problems of having constantly changing software and being plugged into every USB socket in sight, they could easily become vectors