Why the Security of USB Is Fundamentally Broken

Computer users pass around USB sticks like silicon business cards. Although we know they often carry malware infections, we depend on antivirus scans and the occasional reformatting to keep our thumbdrives from becoming the carrier for the next digital epidemic. But the security problems with USB devices run deeper than you think: Their risk isn’t just in what they carry, it’s built into the core of how they work.

Why the Security of USB Is Fundamentally Broken

How bad is this? Pretty bad.

Think of every USB device that you own. Your phone. Your camera. Your external drive. Your MP3 player. Your mouse. Your gaming headphones and microphone. Even if a USB device doesn't have any storage on it, it can be hijacked to infect your computer, and this exploits uses a fundamental flaw in every USB device, and cannot be patched.

What's worse is that it goes two ways -- an exploited USB device can infect your computer, and once infected, your computer can, in turn, infect every USB device you connect to it.

That’s the takeaway from findings security researchers Karsten Nohl and Jakob Lell plan to present next week, demonstrating a collection of proof-of-concept malicious software that highlights how the security of USB devices has long been fundamentally broken. The malware they created, called BadUSB, can be installed on a USB device to completely take over a PC, invisibly alter files installed from the memory stick, or even redirect the user’s internet traffic. Because BadUSB resides not in the flash memory storage of USB devices, but in the firmware that controls their basic functions, the attack code can remain hidden long after the contents of the device’s memory would appear to the average user to be deleted. And the two researchers say there’s no easy fix: The kind of compromise they’re demonstrating is nearly impossible to counter without banning the sharing of USB devices or filling your port with superglue.

“These problems can’t be patched,” says Nohl, who will join Lell in presenting the research at the Black Hat security conference in Las Vegas. “We’re exploiting the very way that USB is designed.”

Their advice? Think of USB devices like hypodermic needles:

The short-term solution to BadUSB isn’t a technical patch so much as a fundamental change in how we use USB gadgets. To avoid the attack, all you have to do is not connect your USB device to computers you don’t own or don’t have good reason to trust—and don’t plug untrusted USB devices into your own computer. But Nohl admits that makes the convenient slices of storage we all carry in our pockets, among many other devices, significantly less useful. “In this new way of thinking, you can’t trust a USB just because its storage doesn’t contain a virus. Trust must come from the fact that no one malicious has ever touched it,” says Nohl. “You have to consider a USB infected and throw it away as soon as it touches a non-trusted computer. And that’s incompatible with how we use USB devices right now.”

This could be very, very bad, and it is only a matter of time before it gets out into the wild, assuming that it isn't already.

a reply to: adjensen

Ahhh ! The shutting down of offline filesharing !

Using virus definitions !

Let's see how far this does - or does not - reach.

The pitfalls of USB have been known about since its inception. Adding wireless, and "the cloud", to the mix has only complicated the issues further. As a tech, I carry a flash drive with me 24/7. I am consistently checking and cleaning the device, so I don't become the Typhoid Mary of the 21rst century. I have been known to destroy one, and throw it in the trash, if I find anything more than a piece of malware on it.

I most certainly believe people should be aware of the issues with usb, but there are many other issues in the digital world, that are just as problematic as usb is. The computer industry, as a whole, has a tendency to downplay problems, until they get a bee in their bonnet, and have Paul Revere riding through the streets again. Usually when it's convenient for the industry. I've seen it over and over and over again.

Think Java. You kow, that EVIL little program that could cause the end of your world? *rolling eyes emoticon here* So you better get it off your computer? What they forgot to mention was all the other vulnerabilities that were no less serious. Some people are still convinced that viruses only come through e-mail, and if you get one, you may as well buy a new computer. You can thank the industry alarmists(propagandists) for that lingering mindset.

There should be public service announcements regularly warning people about computer industry propaganda.

S&F Dale. A good issue to bring to peoples attention.

a reply to: adjensen

What I find Interesting is that they are concerned about USB firmware, but not the chips manufactured in China that not only go into our personal computers, devices, but DOD systems as well.

I guess we have an unwritten rule with the bad guys. Hey guys lets only hack USB drives, but lets agree to not put any back doors on the actual chips that control your complete system. Cool agreed!!

a reply to: Klassified

As a tech, I carry a flash drive with me 24/7. I am consistently checking and cleaning the device, so I don't become the Typhoid Mary of the 21rst century. I have been known to destroy one, and throw it in the trash, if I find anything more than a piece of malware on it.

Good policy, but until they figure out a way to determine if the firmware has been infected (USB doesn't require code signing, so there's no easy way to do it,) scanning the storage won't be effective against this. The only way for someone in your position to avoid this exploit is to buy a crapton of flash drives, load them up on your computer that you know isn't infected, and once you've plugged them into a machine that you don't trust, throw it in the garbage, don't put it in any other computer.

What's somewhat scary to me is that anything can be used -- if you take an extra USB mouse with you on a tech call and have to use it, it can be used to infect any computer that you subsequently use the mouse on. In a sense, it's a bit like the AIDs virus, when the PSAs were "when you sleep with someone, you're sleeping with all of their previous partners"… when you use a mouse, if any computer it was ever plugged into had this malware, you're going to get it, too.

And despite this being true since the inception of the USB storage device, nothing has started on fire yet.

It's really not as big of a deal as this thread is making it out to be.

If you're really concerned enable write protection on your flash drive, so if you absolutely must plug it in elsewhere (why would you be doing this anyway outside of a need to for work?)

You are probably more likely to get a virus clicking links from ATS than from your flash drive. True story.

a reply to: TinkerHaus

And despite this being true since the inception of the USB storage device, nothing has started on fire yet.

Now that the exploit has been published, it's only a matter of time before someone uses it, if they aren't already. The article speculates about the NSA already using it to compromise targets' computers.

If you're really concerned enable write protection on your flash drive

I doubt that "write protection" would do anything to prevent the firmware from being overwritten. It would protect the storage, not the firmware.

a reply to: adjensen
Agreed. And I realize your article and thread are USB centered, but why limit our thinking to one problematic area, when there are several areas in the digital realm that constitute just as much of a threat as USB, and its myriad of devices do? The whole digital world is a goldmine of opportunity for the unscrupulous and devious opportunists, who prey on the ignorance of the masses. And the computer industry is, in my opinion, complicit in much of what goes on.

The best I can do is, take precautions where I can, and protect my clientele as much as possible. If I were to take to heart every whim of the industry, I'd have to tell my customers to get rid of everything digital, and go back to the old ways. Sometimes, I think that may not be such a bad idea.

I doubt that "write protection" would do anything to prevent the firmware from being overwritten. It would protect the storage, not the firmware.

Correct.

In my mind, I always presumed that firmware was un-editable.

The only firmware I thought that could be re-written was a computer BIOS, and that's because it's usually on an EEPROM rather than hard coded on a chip.

Could someone clue me in to how you are able to rewrite something hard coded?

People really need to be told about this safety concern? Isn't it obvious.

a reply to: adjensen

What's somewhat scary to me is that anything can be used -- if you take an extra USB mouse with you on a tech call and have to use it, it can be used to infect any computer that you subsequently use the mouse on. In a sense, it's a bit like the AIDs virus, when the PSAs were "when you sleep with someone, you're sleeping with all of their previous partners"… when you use a mouse, if any computer it was ever plugged into had this malware, you're going to get it, too.

Indeed. I have had experiences in the past that have made me wonder if this is exactly what happened.

How can you fix this?

Simple:

Get an Anti-Virus.

My tip:
Microsoft Security Essentials (free!)
Malwarebytes Anti-Malware (not free).

Have both of these on your computer, plus your firewall, and you will have yourself a fortress!

Think your USB may be infected? Then connect it to your PC and scan the damn thing using the software mentioned above.

Also if USB's aren't safe, then the cloud isn't safe. Every file out there can be infected with malware, trojan's or other threats! What can you do? Don't download ANYTHING from the web!

But wait! What if a website got a file from who knows where and uploaded to their site! That file plays a big role on their website's functionality. If you go on the website, you'll temporarily have that file! What if the file got infected with malware?
Simple, disconnect your internet cable and don't use the interent....

originally posted by: gspat
The only firmware I thought that could be re-written was a computer BIOS, and that's because it's usually on an EEPROM rather than hard coded on a chip.

That's what I find strange in this article, they talk about any USB device, but I doubt they use rewritable chips on USB mouses or keyboards or even thumbdrives (or whatever they are called), as that would result in a higher cost.

a reply to: ArMaP

That's what I find strange in this article, they talk about any USB device, but I doubt they use rewritable chips on USB mouses or keyboards or even thumbdrives (or whatever they are called), as that would result in a higher cost.

They do. As an example, here's a Microsoft article on how to update the firmware of one of their USB mice: How to update firmware and software for the Habu Laser Gaming Mouse. Here's an article explaining how to update the firmware in a USB headset: Plantronics DSP headset Firmware Update procedure Instructions. And directions for updating the firmware in a USB game controller: Heres How To Update Your Xbox One Controller Firmware.

I don't know that every single USB device has updatable firmware, but I haven't found any that don't. When you think about it, your belief that it would be more expensive is probably exactly the opposite -- if a bug is found in the code running on a USB device, it's a lot cheaper to issue a firmware upgrade than it would be to recall all of those devices in order to replace a faulty chip.

For the technically inclined, here are the technical specifications of how to write a program that updates USB firmware: Universal Serial Bus Device Class Specification for Device Firmware Upgrade

a reply to: Kuroodo

How can you fix this?

Simple:

Get an Anti-Virus.

Read the source article, anti-virus software isn't going to do anything, and it is unlikely that it will ever do anything, because the exploit isn't detectable on the USB side. The code running on the USB device isn't required to be code signed, and it's completely non-standard, so there's nothing to test for.

About all that we can hope for is additional PC side security that curtails what can be done via a USB device, which will significantly affect how we use them. Files being copied from a USB device to a PC? PC updating the firmware of a USB device? Perfectly normal behaviour, so it will be tricky to figure out what should be allowed and what shouldn't.

originally posted by: adjensen
They do. As an example, here's a Microsoft article on how to update the firmware of one of their USB mice: How to update firmware and software for the Habu Laser Gaming Mouse. Here's an article explaining how to update the firmware in a USB headset: Plantronics DSP headset Firmware Update procedure Instructions. And directions for updating the firmware in a USB game controller: Heres How To Update Your Xbox One Controller Firmware.

I should have been clearer, I was talking about the cheaper hardware, like those small mice you can buy at any supermarket or those small, laptop-like keyboards.

I don't know that every single USB device has updatable firmware, but I haven't found any that don't.

How many devices have you looked into?

When you think about it, your belief that it would be more expensive is probably exactly the opposite -- if a bug is found in the code running on a USB device, it's a lot cheaper to issue a firmware upgrade than it would be to recall all of those devices in order to replace a faulty chip.

Who cares about a bug on a 2 Euros mouse? Also, having a chip made by the millions without the possibility of being updated (a common chip) is obviously much cheaper than an EEPROM or flash memory or something like that.

For example, I have a Microsoft Wheel Mouse Optical 1.1A, is this mouse's firmware updatable? What about my Western Digital external HD?

For the technically inclined, here are the technical specifications of how to write a program that updates USB firmware: Universal Serial Bus Device Class Specification for Device Firmware Upgrade

Yes, I saw that.

Imagine trying to throw away a very expensive Sony brand 64 Gb flash drive. . . can't do it!

Solid state drives use the same chips as USB devises.

does that mean solid state drives are also suspect.

a reply to: ANNED
Yes. There is an SSD manufacturer who had some major problems a few years ago, and had to re-write the firmware on thousands of drives. Many were done at the factory, but many were done by consumers, who downloaded a program from the manufacturers website, and updated their own drive. According to the manufacturer, there was a problem in their firmware which caused the outstanding issues. Rumor has it, thousands of those drives were infected. Likelihood is, we'll never know the truth.

a reply to: ArMaP

Most devices use EEPROM these days because the benefits are far greater, and the cost has been almost identical to mask ROM and PROM for the past 14 years. Plus, if they used mask ROM or PROM they would have to order large quantities to be manufactured, which is risky. If the product doesn't sell, or has a flaw, you have a bunch of wasted ROM.

The main benefit of EEPROM is the same hardware can be used as a foundation for multiple devices. All one would need to do is change the firmware. With mask ROM or PROM, you are stuck with what you got.

Although most devices don't allow an easy mechanism to update firmware. A real hacker could always remove the EEPROM from the PCB and program it externally, and then reattach it to the device. Or in the case of mask ROM or PROM, reverse engineer the ROM and have a new one created, and replace it physically.

There is always a way.

-edit to add-

But you are right, a LOT of devices are application-specific integrated circuits (ASIC). You can't do much with those.