Research Compares USB devices to Dirty Needles – What now?

21171535_sFlash drives: we share them with friends knowing full well that if they come back with some mysterious .exe the last thing we should do is open it. Easy enough to remember and easy enough to avoid. But what if the malware is hidden? What if there’s no trace of malware, or .exe, at all?

New research from a pair of independent security pros has proven that USB firmware can be reverse engineered to act as malware. That means that the hard coded instructions that tell your flash drive how to operate can be altered, to behave maliciously. It’s not just flash drives, though. It’s anything that uses the USB protocol. Like mouses and keyboards and public phone charging stations and printers.

In their proof-of-concept hell spawn, white hat researchers Karsten Nohl and Jakob Lell achieved complete control of a test computer by reprogramming a USB memory stick to be recognized as a USB-connected keyboard instead. From there, it was a merely a matter of telling the memory stick to act like a keyboard and issue malicious commands. Quite fittingly, the researchers have named their creation BadUSB.

BadUSB was made possible by the fact that USB firmware does not implement code signing, meaning it can be updated and altered by un-certified sources – like hackers.

For users, this now means that essentially all USB technology is vulnerable; and, it’s not just a one-way street. In theory, malware can now also be created to infect the PC, spread to a connected USB device and transform that device’s firmware into malware.

Sound freaky? Some reports are suggesting that this type of thing has been being done by the NSA for years. With public disclosure, it is now only a matter of time before attacks go mainstream.

In the meantime, we’d suggest saying no the next time someone wants to share files unprotected.

For complete coverage, see the original article at Wired.

  • Legend

    Have Emsisoft tried to emulate that kind of behavior , to see if the behaviour blocker covers that type of alteration , of hard coded instructions, of usb devices? We can’t always rely on virus signatures, (even though Emsisoft has a good solid reputation in that regard), they only catch what is known. Does Emsisoft do a regularly evaluation, of the set of rules, the behaviour blocker operates after, according to the current threat landscape.

    • emsisoft_steve

      Good question. As far as we know, right now BadUSB is just a proof-of-concept. No malware has been spotted in the wild yet, so there’s no way to directly test it. It is likely that Behavior Blocker would block the malicious actions of such a malware, and prevent the infection of a computer by an infected USB device. The problem, though, is that the malicious code is
      located on the firmware chip of the device, which is not a location Emsisoft or any
      other AV for that matter, has access to.

      That means that Emsisoft can prevent infection of the computer, but it can’t clean the infected USB device. Not yet at least…

      • Legend

        Thanks Steven . It was a good, and at the same time an interesting response. Just a thought, but a possible solution to counter these scenarios, could be a closer entrusted cooperation between Av industries and manufacturers of usb firmware chips, in usb devices. Mmmh, but I guess it would, or could lead to other kind of vulnerabilities if av industry and manufacturers is entangled too much in each other. No easy solutions =). I also wonder, in what degree does the Av industry actually research in new “alternative tools” to mitigate unknown threats. In my perspective it seems that things is more or less stuck, in the three key components, signatures – firewall- behavior blocker.

        • emsisoft_steve

          Ah, but you forgot the most important component of all. User education! :D

          • Legend

            So true……. = D

  • Буду очень признателен за USB в подарок. С предложением пишите на почту [email protected]