Thursday, 31 July 2014

Massive, undetectable security flaw found in USB: It’s time to get your PS/2 keyboard out of the cupboard

By Sebastian Anthony

Security researchers have found a fundamental flaw that could affect billions of USB devices. This flaw is so serious that, now that it has been revealed, you probably shouldn't plug a USB device into your computer ever again.

There are no known effective defenses against this variety of USB attack, though in the future (months or years, not days) some limited defenses might be possible. This vulnerability, which allows any USB device to take over your computer, mostly exists due to the USB Implementers Forum (the USB standards body) eschewing security in favor of maximizing the versatility, and thus the massively successful adoption, of USB. The USB IF itself notes that your only defense against this new attack vector is to only use USB devices that you 100% trust — but even then, as we'll outline below, this won't always protect you.

This flaw, dubbed BadUSB by Security Research Labs in Berlin, leverages the fact that every USB device has a controller chip. Whether it's your PC, smartphone, external hard drive, or an audio breakout box, there's a USB controller chip in every device that controls the USB connection to other devices. It turns out, according to SR Labs, that these controllers have firmware that can be reprogrammed to do a whole host of malicious things — and, perhaps most importantly, this reprogramming is almost impossible to detect.


The USB controller chip is the big chip in the middle (they don't usually have a skull silkscreened onto them though).

This vulnerability mostly stems from the fact that USB, by design, is incredibly versatile. USB can be used to connect just about any kind of peripheral to a host machine — an ability that is only possible because of USB classes and class drivers. Basically, every USB device under the sun has a class — a classification that defines the device's function. Some common classes are human-interface devices (HIDs; keyboards, mice), wireless controller (Bluetooth dongles), and mass storage (thumb drives, digital cameras). On the host (your PC, your smartphone) there are class drivers that manage the functions of that particular class of devices. This is why you can plug a USB keyboard into just about any device and it'll work flawlessly.

USB hacking isn't a new thing — but this is the first time that an attack vector hasn't required extra chips and circuit boards, making it a whole lot more dangerous.

The problem, according to SR Labs, is that these USB controllers can have their firmware reprogrammed so that they announce themselves as a different class. For example, you could reprogram a mass storage device so that it masquerades as a network controller, so that all of your network communications (websites, passwords) get redirected to the device. Or, even worse, you could reprogram the firmware of a thumb drive so that it becomes a HID, and can thus issue keyboard and mouse commands to the host machine. These commands might be used to install malware, or to rewrite the firmware of other attached USB devices. Suddenly you are sitting on a computer worm of Conficker proportions that could take down most of the world's devices.

While finding a security hole in USB isn't exactly a surprise, the main issue here is that there's no immediate fix. As of today, there could be billions of USB devices out there with firmware that could be reprogrammed by a computer virus — and, according to SR Labs, it's impossible to spot the modified firmware unless you know exactly where to look. (It took months for SR Labs to reverse engineer the controller firmware, and it doesn't sound like they're giving up their secrets any time soon.) The security researchers also say that malware scanners can't access the firmware of a USB device — so you can forget about that angle, too. SR Labs says it will release more details and proof-of-concept tools at Black Hat 2014 on August 7.

PS/2 mouse and keyboard sockets: Still safe

It would be possible to mitigate this attack in the future if every device maker signed their firmware, and then your computer checked that signature every time you plugged the device in — but I suspect, given the scale of the USB device ecosystem, such a change would take months or years to adopt. Another option would be designated USB ports on your computer — so, you might have a port that only accepts mass storage devices, and is completely incapable of handling other classes of USB device.
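As an added illustration of the class masquerade described earlier (a thumb drive that also announces itself as a keyboard) and of the "storage-only port" idea just sketched, here is example code that is not part of the original article: it parses a raw USB configuration descriptor, lists the class of every interface the device offers, and refuses any device whose interfaces are not all on the allow list. The two descriptors are constructed by hand for the example, not captured from real hardware.

```python
import struct

# USB-IF class codes used here; the class is what the host's class driver keys on.
HID, CDC_COMM, MASS_STORAGE, WIRELESS = 0x03, 0x02, 0x08, 0xE0
CLASS_NAMES = {HID: "HID (keyboard/mouse)", CDC_COMM: "network controller",
               MASS_STORAGE: "mass storage", WIRELESS: "wireless controller"}
DT_CONFIG, DT_INTERFACE = 0x02, 0x04

def parse_interface_classes(config_desc: bytes) -> list[tuple[int, int]]:
    """Walk a raw configuration descriptor and return (bInterfaceNumber,
    bInterfaceClass) for every interface descriptor. Each descriptor starts
    with bLength, bDescriptorType; interface descriptors (type 0x04) carry
    bInterfaceClass at offset 5."""
    if len(config_desc) < 9 or config_desc[1] != DT_CONFIG:
        raise ValueError("not a configuration descriptor")
    total_len = struct.unpack_from("<H", config_desc, 2)[0]
    if total_len > len(config_desc):
        raise ValueError("wTotalLength exceeds the buffer")
    found, pos = [], 0
    while pos + 2 <= total_len:
        length, dtype = config_desc[pos], config_desc[pos + 1]
        if length < 2 or pos + length > total_len:
            raise ValueError(f"malformed descriptor at offset {pos}")
        if dtype == DT_INTERFACE and length >= 9:
            found.append((config_desc[pos + 2], config_desc[pos + 5]))
        pos += length
    return found

def authorize(config_desc: bytes, allowed: set[int]) -> tuple[bool, str]:
    """Allow-list for a 'storage-only' port: every interface the device
    offers must be in `allowed`, otherwise the whole device is refused."""
    for number, cls in parse_interface_classes(config_desc):
        if cls not in allowed:
            name = CLASS_NAMES.get(cls, f"class 0x{cls:02x}")
            return False, f"interface {number} presents itself as {name}"
    return True, "all interfaces are in the allowed classes"

# Constructed sample descriptors (hex written by hand, not captured from hardware).
# Config header: bLength 9, type 2, wTotalLength, bNumInterfaces, bConfigurationValue 1,
# iConfiguration 0, bmAttributes 0x80 (bus powered), bMaxPower 50 (100 mA).
MSC_IFACE = bytes.fromhex("090400000208065000"   # interface 0: class 0x08, SCSI, bulk-only
                          "07058102000200"       # bulk IN endpoint, 512-byte packets
                          "07050202000200")      # bulk OUT endpoint, 512-byte packets
HID_IFACE = bytes.fromhex("090401000103010100"   # interface 1: class 0x03, boot keyboard
                          "092111010001223f00"   # HID descriptor, 63-byte report descriptor
                          "0705830308000a")      # interrupt IN endpoint, 8 bytes, 10 ms
PLAIN_STICK = bytes.fromhex("090220000101008032") + MSC_IFACE              # 1 interface, 32 bytes
BADUSB_STICK = bytes.fromhex("090239000201008032") + MSC_IFACE + HID_IFACE  # storage + keyboard, 57 bytes
```

`authorize(PLAIN_STICK, {MASS_STORAGE})` accepts the plain stick, while the reprogrammed one is refused because interface 1 presents itself as HID. On a Linux host the same raw bytes can be read from a device's `descriptors` attribute in sysfs, and a refusal enforced by writing 0 to its `authorized` attribute.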

Ultimately, though, the only real mitigation is ensuring you only use USB devices that you trust. It's basically like unprotected sex: If you plug your USB memory stick into another computer, you should then assume that your memory stick is forever compromised. The problem with this approach, though, is that your own computer could infect your USB devices without you knowing — and unless you're a very careful surfer, it's very hard to keep your computer completely malware-free. Which brings us back to the beginning of the story: Maybe it's just best if you don't use USB for a while.

Fortunately my cupboard is full of PS/2 keyboards, parallel printers, and stacks of rewritable DVDs for exactly this kind of apocalyptic occasion…

