ALERT: Serious Security Flaw in USB Drives
Undetectable malware can be hidden in any USB flash drive, according to security researchers Karsten Nohl and Jakob Lell. This is very bad news for home users who pass around USB drives, and for corporate IT managers who may have to ban the popular devices from business networks. Read on to learn more about the USB devices, and what you need to do...
Is Malware Lurking in Your USB Gadget?
To demonstrate the vulnerability of USB drives, the researchers wrote some proof-of-concept malware (which we can only hope no one copies) called BadUSB. It is a collection of malicious apps that can modify any software installed from a USB drive on a target computer; completely take over control of an infected PC; and even redirect users’ Internet traffic.
Erasing or reformatting the USB drive does not destroy the malware, which hides in the USB device’s firmware that controls the drive’s basic functions. This previously unknown vulnerability is part of the USB standard’s design; as such, it can’t be eliminated without re-engineering every USB device.
“These problems can’t be patched,” says Nohl. “We’re exploiting the very way that USB was designed.” Nohl and Lell plan to demonstrate their code at the BlackHat 2014 conference to be held on August 7th. That will either shine a bright light on the problem, or spawn a cottage industry of hacking USB devices, or both.
We've long known that using USB flash drives can be dangerous, because a virus can be stored as a file on the drive. But any decent anti-virus tool will catch that type of thing. However, standard anti-virus scans can't see or touch the firmware that controls a USB drive’s basic input/output functions. Security pros would have to reverse-engineer the firmware of a USB device and know what to look for in order to detect this threat. That would require some specialized expertise and equipment to analyze firmware.
It's Not Just Your Flash Drive...
But wait, the news gets worse: it’s not just USB flash drives that are vulnerable. Any USB device, from a mouse or keyboard to a digital camera or smartphone charger, contains firmware with the same exploitable vulnerability. While such devices aren’t shared among users as promiscuously as USB flash drives are, it’s very possible to pick up an infection from anything that plugs into a USB port.
The BadUSB demo malware suite can do a lot of evil tricks. It can sneak Trojan software past anti-malware defenses. It can imitate a USB keyboard and execute any commands on the target PC. It can hijack Internet traffic and change DNS settings to redirect a user’s outbound traffic to any server it pleases. If planted on a phone or other USB device with an Internet connection, it can eavesdrop on a user’s communications.
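One check a defender can run on the behaviour described above, as an added example that is not from the researchers or the original article: every USB device announces its interface classes to the host, so a Linux machine can flag a storage device that also announces a keyboard or communications interface. It reads only what the device announces, not its firmware; the sample device list and all function names are constructed for illustration.

```python
import glob
import os

# USB-IF interface class codes, as reported in bInterfaceClass
MASS_STORAGE, HID = 0x08, 0x03
COMMS = {0x02, 0x0A, 0xE0}  # CDC control, CDC data, wireless controller (e.g. RNDIS)

# Constructed sample: (class, subclass, protocol) per interface, keyed by device
SAMPLE = {
    "1-1": [(0x08, 0x06, 0x50)],                      # plain flash drive
    "1-2": [(0x08, 0x06, 0x50), (0x03, 0x01, 0x01)],  # drive that also claims to be a keyboard
    "1-3": [(0x03, 0x01, 0x02)],                      # ordinary mouse
}

def review_device(name, interfaces):
    """Return findings for one device given its interface triples."""
    classes = {cls for cls, _, _ in interfaces}
    findings = []
    if MASS_STORAGE in classes and HID in classes:
        # HID boot-protocol keyboard is class 03, subclass 01, protocol 01
        kind = "keyboard" if (HID, 0x01, 0x01) in interfaces else "HID"
        findings.append(f"{name}: storage device also announces a {kind} interface")
    if MASS_STORAGE in classes and classes & COMMS:
        findings.append(f"{name}: storage device also announces a communications interface")
    return findings

def review_all(devices):
    return [f for name in sorted(devices) for f in review_device(name, devices[name])]

def _hex(path):
    with open(path) as fh:
        return int(fh.read().strip(), 16)

def read_sysfs(root="/sys/bus/usb/devices"):
    """Collect interface triples from Linux sysfs; interface dirs look like 1-2:1.0."""
    devices = {}
    for path in glob.glob(os.path.join(root, "*:*")):
        try:
            triple = tuple(_hex(os.path.join(path, f)) for f in
                           ("bInterfaceClass", "bInterfaceSubClass", "bInterfaceProtocol"))
        except (OSError, ValueError):
            continue
        devices.setdefault(os.path.basename(path).split(":")[0], []).append(triple)
    return devices

if __name__ == "__main__":
    for line in review_all(read_sysfs() or SAMPLE):
        print(line)
```

A device whose firmware announces itself only as a keyboard would not be flagged by this check, since nothing in its descriptors distinguishes it from a real keyboard.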
There is currently no way to ensure that your USB device’s firmware is clean of such malware. There are no digitally signed versions of USB firmware that can serve as certified “clean” standards.
The only defense against the USB attack vector is to jealously guard your USB devices. Don’t plug them into any port that does not belong to a trusted device, say the experts. But following that protocol will drastically reduce the usefulness and convenience of USB devices.
For example, you can’t safely plug your flash drive or phone charging cable into a friend's computer, unless you are 100% certain that person's computer is virus-free. (Plugging into a USB port on a PUBLIC computer has never been safe.) Neither can you trust a flash drive, mouse, keyboard or digital camera that you've borrowed, bought used, or that has been used by someone who is not diligent about security. Presumably, USB devices purchased new will be safe.
What's The Solution?
USB device manufacturers will have to step up and address this problem. One solution is to implement “code signing,” in which a cryptographic digital signature certifies that a firmware package was clean when it left the factory and has not been altered. But first, we’ll have to convince OEMs that this is their problem, not just ours. And that solution will only fix the problem for new USB gadgets, not the untold millions already in circulation.
Nohl told Wired magazine that he contacted an unnamed USB drive maker and described his team’s findings. The vendor repeatedly denied that it was possible. Wired contacted the USB Implementers Forum, a trade organization that manages the USB standard. Its spokesperson responded with this statement:
“Consumers should always ensure their devices are from a trusted source and that only trusted sources interact with their devices,” she wrote. “Consumers safeguard their personal belongings and the same effort should be applied to protect themselves when it comes to technology.” In other words, it’s your problem and no concern of the people who sold it to you. That will not sit well with consumers.
Let me reiterate... any USB device (flash drive, external hard drive, smartphone, digital camera, mouse, keyboard, etc.) that has been plugged into an untrusted computer should be treated with suspicion -- much like a used hypodermic needle. Further, erasing, formatting, or using anti-virus tools will not remove malicious code from the firmware of USB devices. And there is no known method at this time to scan USB devices to see if they are clean.
So on a practical level, what should you do? I think it's important to recognize that this vulnerability is new, and (as far as we know) it hasn't been exploited yet. So it seems likely to me that we don't have USB gadgets with infected firmware in circulation, for now. My advice is that if you use USB devices, do so with this threat in mind from now on. A 32 GB flash drive sells for about $15. If you have a flash drive that's been connected to unknown or public computers, you might want to discard it.
This article was posted by Bob Rankin on 7 Aug 2014
Copyright © 2005 - Bob Rankin - All Rights Reserved
Article information: AskBobRankin -- ALERT: Serious Security Flaw in USB Drives (Posted: 7 Aug 2014)