Remember BadUSB? If you use a USB device to move digital files from one machine to another, you need to know the latest news on this flaw in design specs that could put your computers at risk.
Attack code for this flaw, which is impossible to patch, is now public. Security researchers Brandon Wilson and Adam Caudill released two patches to existing firmware for the Phison 2251-03, and a minimal custom firmware for that same chip.
But let’s back up a minute. In August, we learned from SR Labs that the versatility of USBs — almost any computer, from desktops to healthcare devices to storage can connect using USBs — make this flaw especially dangerous.
“To turn one device type into another, USB controller chips in peripherals need to be reprogrammed,” SLR reported. “Very widely spread USB controller chips, including those in thumb drives, have no protection from such reprogramming.”
Corrupting a Good USB
Once reprogrammed, SR Labs warned, benign devices can turn malicious. And there’s more than one way to turn a good USB into a so-called BadUSB.
For example, a device can emulate a keyboard and issue commands on behalf of the logged-in user to enter files or install malware. Alternatively, the device could also spoof a network card and change the computer’s DNS setting to redirect traffic. Or, the firm explained, a modified thumb drive or external hard disk can boot a small virus when it detects that the computer is starting up. That virus infects the computer’s operating system prior to boot.
“When a user looks at a thumb drive, what they perceive is nothing more than a storage device. But that’s obviously an oversimplification,” said Adam Caudill, a security researcher, at the DerbyCon conference last week. “It’s effectively a computer — a programmable computer . . . It can be programmed to be anything.”
According to SR Labs, malware scanners can’t access the firmware running on USB devices. That, the firm continued, is because USB firewalls that block certain device classes do not exist. What’s more, behavioral detection is difficult because the behavior of a BadUSB device looks like a user has merely plugged in a new device. Symantec has confirmed that anti-virus technology can’t inspect the drivers running inside a USB device. McAfee publicly confirmed the dilemma.
Heroes or Irresponsible?
Why did the security researchers release this code? Because device manufactures were quick to dismiss the BadUSB threat, Caudill said in a blog post. Caudill wanted to raise user awareness and push device manufacturers to implement signed updates.
“There’s nothing malicious about what we’ve released here. While we did release a patch to modify the password protection feature — that’s all it does. It doesn’t modify data, infect computers with anything, or anything of that nature,” Caudill said. “There’s no self replication code anywhere, while it’s possible that it could be done, and we’ve talked about how to do it — it won’t be released.”
So are Caudill and Wilson heroes, saving a future generation from cyberattack? Or are they irresponsible researchers, opening the door to potential attackers? Chester Wisniewski, senior security advisor at Sophos, told us he’s leaning toward the latter.
“It is unfortunate and extremely irresponsible for these so-called researchers to release this code at the DerbyCon conference,” said Wisniewski. “While criminal elements may have been able to figure this out on their own there’s no reason to publish a roadmap.”
Posted: 2014-10-06 @ 6:06pm PT
Fact is, the criminals are not like anybody and what the researchers published is most likely unhelpful to them. It may be helpful to “script kiddies”, but they are anyway self-defeating.
Posted: 2014-10-06 @ 3:26pm PT
@BadIndustry: I see your point, but still agree with Wisniewski that there’s no reason to publish a roadmap making it easier for criminals to exploit vulnerabilities.
Posted: 2014-10-06 @ 2:48pm PT
It is unfortunate and extremely irresponsible for the USB industry to dismiss the BadUSB threat, and even more unfortunate for Mr. Wisniewski’s to comment negatively on the researcher. As an employee of a security company, he has a vested interest in the threat being dismissed. He has an interest in the industry selling unsecure devices so that his employer can sell their security software and services. The truth is: the researchers are right, and if the industry would follow their advice and sell secure devices, Mr. Wisniewski would be unemployed.
This entry passed through the Full-Text RSS service – if this is your content and you’re reading it on someone else’s site, please read the FAQ at fivefilters.org/content-only/faq.php#publishers.