The firmware that controls USB functions can be used by hackers to take control of computers, according to security experts at Security Research Labs, a Berlin-based security firm. The finding could represent an entirely new class of attack for which there are no defenses.
Karsten Nohl, chief scientist at Security Research Labs, and security researcher Jakob Lell discovered the vulnerability by reverse-engineering the USB firmware. They dubbed the security flaw "BadUSB" and plan to present their findings at the Black Hat convention in Las Vegas next week. According to the researchers, widely used USB controller chips have no protection against being reprogrammed.
Not Just Thumb Drives
In addition to USB thumb drives and external hard drives, the vulnerability also applies to any device that connects to a PC via a USB port, including keyboards, mice, and mobile device chargers. The very versatility and ubiquity of the USB standard is also its Achilles heel. “Since different device classes can plug into the same connectors, one type of device can turn into a more capable or malicious type without the user noticing,” according to the researchers.
The security flaw lets hackers reprogram a USB device’s firmware with malicious code, gain access to PCs connected to the infected device, and issue their own commands. Unauthorized users could use the flaw to install malware, access files, or issue commands. A modified thumb drive can also spoof a network card and change the computer’s DNS setting in order to redirect traffic, or boot a small virus that infects the computer's operating system before it starts.
The infected peripheral can then infect other USB devices connected to the PC. According to Nohl, SR Labs has already succeeded in performing such attacks themselves, and global intelligence agencies, such as the National Security Agency, may already be using the security vulnerability to launch attacks.
Virtually Untraceable Intrusion
According to Nohl and Lell, “no effective defenses from USB attacks are known.” Malware scanners cannot access the firmware running on USB devices, and so far there are no firewalls capable of blocking certain device classes. “Behavioral detection is difficult, since a BadUSB device’s behavior when it changes its persona looks as though a user has simply plugged in a new device,” the researchers said.
Even worse, recovering from an attack is extraordinarily difficult. “Simply reinstalling the operating system -- the standard response to otherwise ineradicable malware -- does not address BadUSB infections at their root,” Nohl and Lell wrote in their report.
“The USB thumb drive, from which the operating system is reinstalled, may already be infected, as may the hardwired webcam or other USB components inside the computer. A BadUSB device may even have replaced the computer’s BIOS -- again by emulating a keyboard and unlocking a hidden file on the USB thumb drive,” they added.
Once infected, the researchers said, neither the computer nor its USB devices can ever be trusted again. Nohl and Lell plan to describe the attack in greater detail at the Black Hat hacking conference.
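A sketch of the kind of device-class check the researchers say was lacking, as an added example (not code from the article or from SR Labs): it takes constructed enumeration events and flags a port whose device comes back within a few seconds announcing a new input or network interface class. The event format, the `audit` name and the 5-second window are assumptions; the heuristic sees only class changes and timing, so it cannot tell a reprogrammed device from a genuine quick swap, which is the difficulty the researchers describe.

```python
# Added example: flag USB enumerations that gain an input or network persona.
# Class codes are the standard USB base classes; the events are constructed.
HID, CDC, MASS_STORAGE, WIRELESS = 0x03, 0x02, 0x08, 0xE0
SENSITIVE = {HID: "keyboard/mouse input", CDC: "network/serial",
             WIRELESS: "wireless/RNDIS network"}

def audit(events, window=5.0):
    """Return (port, time, reason) findings for suspicious enumerations.

    events: dicts with time (seconds), port, action ("add" or "remove") and,
    for "add", the bInterfaceClass values the device announced.
    """
    last = {}  # port -> (time of last event, classes last seen on that port)
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        port = ev["port"]
        if ev["action"] == "remove":
            if port in last:
                last[port] = (ev["time"], last[port][1])
            continue
        classes = set(ev["classes"])
        prev = last.get(port)
        # Same port, back within the window, now announcing a sensitive class.
        if prev and ev["time"] - prev[0] <= window:
            for c in sorted((classes - prev[1]) & SENSITIVE.keys()):
                findings.append((port, ev["time"],
                                 "re-enumerated with new " + SENSITIVE[c]))
        # A storage device that also claims to be an input or network device.
        if MASS_STORAGE in classes and classes & SENSITIVE.keys():
            findings.append((port, ev["time"],
                             "storage combined with input/network class"))
        last[port] = (ev["time"], classes)
    return findings

SAMPLE_EVENTS = [  # constructed for illustration, not captured from a host
    {"time": 0.0, "port": "1-2", "action": "add", "classes": {MASS_STORAGE}},
    {"time": 30.0, "port": "1-2", "action": "remove"},
    {"time": 30.8, "port": "1-2", "action": "add", "classes": {MASS_STORAGE, HID}},
    {"time": 40.0, "port": "1-3", "action": "add", "classes": {HID}},
    {"time": 50.0, "port": "1-4", "action": "add", "classes": {MASS_STORAGE}},
    {"time": 200.0, "port": "1-4", "action": "remove"},
    {"time": 900.0, "port": "1-4", "action": "add", "classes": {HID}},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_EVENTS):
        print(finding)
```

On the sample events only port 1-2 is reported; the keyboard plugged into port 1-4 long after the drive was removed is treated as an ordinary swap.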
Posted: 2014-08-03 @ 12:10pm PT
I have just discovered that I've acquired this virus sometime in the last 8 days! [I didn't have the virus when I ran scans last weekend.] I have not used any plug-ins this week other than ones I have been using for over a year, so I don't know how it might have come from a plug-in. I have also not installed any new software or updates in the same time period. Does this virus lie latent, and then show up when triggered by something else?
Posted: 2014-08-02 @ 8:18pm PT
Come on guys and gals. Everyone is claiming this is a vulnerability of USB. Wrong. This is a vulnerability of Plug and Play. This can be done with Firewire and Thunderbolt. It could even be done with a card in a PCI slot. I am amazed that it has taken the bad guys almost 20 years to figure this out. I saw this coming when the first Plug and Play devices came out with Windows 95. Luckily none of the hardware manufacturers allowed their techs to pull off something like this.
Posted: 2014-08-01 @ 1:12pm PT
For some reason this is "new"? I know of a computer security company that's been doing this in a manner of speaking for well over a year. They have a modified USB device that has a RAT that loads as part of the device driver. Windows sees it as a keyboard, so no screen pop ups or driver installs. Compromise takes less than a second. Thankfully, this agency is a true security testing entity and uses the device as part of physical pentests. Think about an interview candidate left alone in a conference room with a PC somewhere.
Physical security of computing devices and restricted access to them is absolutely as important as catching something from "the Net".
Posted: 2014-08-01 @ 11:32am PT
Answers the question - not what's next, but what's last. It's a shame that all those who are admittedly computer and security dummies will suffer the worst from any of this. Reaching consumers about PC security has been a major problem since day one when spyware was born. I never throw the hands up, there will be a fix, count on it!
Posted: 2014-08-01 @ 9:08am PT
Why can't someone publish a USB firmware verifier that performs a checksum on USB firmware chips and compares it to an OEM hash database?
Posted: 2014-07-31 @ 11:45am PT
A startup out of MIT called Gigavation (http://www.gigavation.com/) has solved this problem according to the recent MIT Sloan CIO Symposium "Security and Privacy" panel (http://www.mitcio.com/agenda).