It is well known that an executable should not be launched if it is unknown or untrusted. While social engineering and phishing strategies attempt to trick the user into executing such files, the newly developed “BadUSB” exploit removes the need for the user to do anything other than plug in a device that uses a USB connection. This is not limited to USB storage devices: many other computer peripherals use USB, and any of these devices can be used as well. Researchers Karsten Nohl and Jakob Lell demonstrated this vulnerability with their newly engineered BadUSB, applied to the firmware of a USB storage device plugged into a computer. Within minutes of being plugged in, it downloaded a remote access program through PowerShell in Windows without the user doing anything, while at the same time showing the USB storage device as empty; the drive could even be reformatted if desired without hindering the BadUSB firmware at any point. The goal was to showcase that the security of USB devices is fundamentally broken, and that the cracks have only just begun to be discovered.
The Gory Details
BadUSB’s payload, as the researchers specify, lives not in the flash memory or in any executable program, but in the firmware that controls the USB device’s basic functions, so it remains hidden and undetectable even after the flash memory has been wiped. Firmware is placed in read-only memory by the manufacturer of the device and is rarely changed throughout the device’s use. Firmware has been described as sitting on the boundary between hardware and software, running the basic communication functions for the various pieces of hardware inside the device.
BadUSB’s researchers, who spent months reverse engineering the firmware, explain that “these problems can’t be patched . . . their risk isn’t just in what they carry, it’s built into the core of how they work” (Greenberg). Anti-virus or any other scanning program never even looks at the firmware described here. The capabilities of BadUSB are considerable. It can take over a computer, hijack internet traffic, alter DNS settings, spy on communications and install back-doors. It can even act as other hardware. When you connect a USB storage device to a computer, drivers are installed automatically and the computer recognizes it as a storage device; the same happens when you plug in a USB keyboard, and the computer will recognize and accept keyboard input. With BadUSB, a USB storage device can be reprogrammed to present itself as a keyboard. The researchers demonstrated this at the recent Black Hat convention by plugging a BadUSB-infected storage device, coded to act as a keyboard, into a computer. Within minutes, BadUSB used the “keyboard” input to download a remote control program and install a backdoor on the computer, giving the attacker complete access.
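The tell-tale sign of the demonstration above, from the host’s point of view, is a device on one USB port that the kernel binds both as mass storage and as a keyboard. The following script is an added example, not code from the article or from the researchers: it parses constructed Linux kernel log (dmesg-style) lines, groups driver bindings by USB port path, and flags a storage device that also registers an input device, while treating any keyboard not on a known list as worth review. The vendor/product ids, device names and log text are all made up for the example.

```python
import re

# Constructed dmesg-style lines (not a real capture). Port 1-1 is a flash drive
# that later registers a keyboard; 1-2 is an ordinary keyboard; 1-3 a plain drive.
SAMPLE_DMESG = """\
[   12.001] usb 1-1: new high-speed USB device number 3 using xhci_hcd
[   12.150] usb 1-1: New USB device found, idVendor=abcd, idProduct=1234, bcdDevice= 1.00
[   12.151] usb 1-1: Product: Example Flash Drive
[   12.160] usb-storage 1-1:1.0: USB Mass Storage device detected
[   12.170] scsi host4: usb-storage 1-1:1.0
[   15.900] input: Example Flash Drive Keyboard as /devices/pci0000:00/0000:00:14.0/usb1/1-1/1-1:1.1/0003:ABCD:1234.0002/input/input12
[   15.901] hid-generic 0003:ABCD:1234.0002: input,hidraw1: USB HID v1.10 Keyboard [Example Flash Drive Keyboard] on usb-0000:00:14.0-1/input1
[   40.300] usb 1-2: New USB device found, idVendor=0001, idProduct=0002, bcdDevice= 2.00
[   40.320] input: Example Desk Keyboard as /devices/pci0000:00/0000:00:14.0/usb1/1-2/1-2:1.0/0003:0001:0002.0003/input/input13
[   61.000] usb 1-3: New USB device found, idVendor=abcd, idProduct=9999, bcdDevice= 1.00
[   61.010] usb-storage 1-3:1.0: USB Mass Storage device detected
"""

# Enumeration line: records the port path (e.g. "1-1") and vendor/product ids.
NEW_DEVICE = re.compile(
    r"\] usb (?P<port>\d+-[\d.]+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-fA-F]{4}), idProduct=(?P<pid>[0-9a-fA-F]{4})"
)
# usb-storage binding to an interface "<port>:<config>.<iface>".
STORAGE = re.compile(r"\] usb-storage (?P<port>\d+-[\d.]+):\d+\.\d+: USB Mass Storage device detected")
# Input device registration; the port path is recovered from the sysfs path.
INPUT = re.compile(r"\] input: (?P<name>.+?) as \S*/(?P<port>\d+-[\d.]+):\d+\.\d+/")


def parse_usb_events(log_text):
    """Group interface-driver bindings by USB port path."""
    devices = {}
    for line in log_text.splitlines():
        m = NEW_DEVICE.search(line)
        if m:
            devices[m["port"]] = {"vid": m["vid"].lower(), "pid": m["pid"].lower(),
                                  "roles": set(), "inputs": []}
            continue
        m = STORAGE.search(line)
        if m and m["port"] in devices:
            devices[m["port"]]["roles"].add("storage")
            continue
        m = INPUT.search(line)
        if m and m["port"] in devices:
            devices[m["port"]]["roles"].add("input")
            devices[m["port"]]["inputs"].append(m["name"])
    return devices


def find_suspicious(log_text):
    """Ports whose device binds both usb-storage and an input (HID) driver."""
    devices = parse_usb_events(log_text)
    return sorted(p for p, d in devices.items() if {"storage", "input"} <= d["roles"])


def assess(log_text, known_keyboards=frozenset()):
    """Return (port, severity, reason) findings; known_keyboards holds 'vid:pid' strings."""
    findings = []
    for port, d in sorted(parse_usb_events(log_text).items()):
        ident = f"{d['vid']}:{d['pid']}"
        if {"storage", "input"} <= d["roles"]:
            findings.append((port, "high",
                             f"mass-storage device {ident} also registered input: {', '.join(d['inputs'])}"))
        elif "input" in d["roles"] and ident not in known_keyboards:
            findings.append((port, "medium", f"new input device {ident} not on the known-keyboard list"))
    return findings


if __name__ == "__main__":
    for port, severity, reason in assess(SAMPLE_DMESG, known_keyboards={"0001:0002"}):
        print(f"{severity.upper()} usb {port}: {reason}")
```

Run against a live system with `dmesg | python3 this_script.py` after swapping `SAMPLE_DMESG` for `sys.stdin.read()`; the same two regular expressions apply to journald output once the `[ts]` prefix is replaced by a timestamp, since the match is anchored on the `] ` separator only for readability.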
Time to Change Our Habits
Due to the unnerving reality that this vulnerability has no patch and currently no scanning method that can detect it, the response must be proactive and must also define a completely new way of using and trusting USB devices.
The first approach needs to be education and policy. Companies and organizations that want to maintain a secure network will need to reconsider their security policies with the end goal of educating their users to operate with the mindset that, for now, USB devices cannot be trusted. Where USB devices can be used by multiple people and connected to multiple computers, both inside and outside a network, the USB method of transferring and storing data must be avoided. Alternate methods can be put in place to meet those needs, so that users have no reason to use USB devices, especially personal ones.
Additionally, steps short of filling the ports with epoxy can be taken to ensure that USB devices are not used. Ports can be disabled in a computer’s BIOS, and some operating systems allow an administrator to lock down a user’s ability to install new hardware or mount new drives.
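One concrete form of the operating-system lockdown mentioned above is a deny-by-default USB allowlist. The example below is added here and is not from the article; it assumes a Linux host using the kernel’s USB authorization interface, where `authorized_default=0` written to each root hub (`/sys/bus/usb/devices/usbN/authorized_default`) leaves a newly plugged device unconfigured until something writes `1` to its `authorized` attribute. The policy function decides per device, and the renderer turns the allowlist into udev rules that grant that authorization; the vendor/product ids and comments are constructed.

```python
# Constructed allowlist entries keyed by (idVendor, idProduct); ids are not real products.
ALLOWED_DEVICES = {
    ("abcd", "0001"): "corporate wired keyboard",
    ("abcd", "0002"): "corporate mouse",
}

HID_CLASS = 0x03           # USB interface class used by keyboards and mice
MASS_STORAGE_CLASS = 0x08  # USB interface class used by flash drives


def decide(vid, pid, interface_classes, allowed=ALLOWED_DEVICES):
    """Return (authorized, reason) for a device from its ids and the interface classes it exposes.

    Everything not allowlisted is denied; the reasons distinguish the cases an
    administrator most wants logged, in particular storage that also claims to be a keyboard.
    """
    key = (vid.lower(), pid.lower())
    if key in allowed:
        return True, f"allowlisted: {allowed[key]}"
    classes = set(interface_classes)
    if HID_CLASS in classes and MASS_STORAGE_CLASS in classes:
        return False, "storage device that also presents a HID (keyboard) interface"
    if HID_CLASS in classes:
        return False, "unknown HID device; keyboards must be allowlisted"
    return False, "not on allowlist (deny by default)"


def render_udev_rules(allowed=ALLOWED_DEVICES):
    """Render the allowlist as udev rules setting authorized=1 for approved devices only."""
    out = [
        "# Generated USB allowlist. Requires authorized_default=0 on every root hub;",
        "# any device not matched below stays unauthorized, so no driver is bound to it.",
    ]
    for (vid, pid), comment in sorted(allowed.items()):
        out.append(f"# {comment}")
        out.append(
            f'ACTION=="add", SUBSYSTEM=="usb", ENV{{DEVTYPE}}=="usb_device", '
            f'ATTR{{idVendor}}=="{vid}", ATTR{{idProduct}}=="{pid}", ATTR{{authorized}}="1"'
        )
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Decision for the kind of device in the demonstration: storage plus keyboard, not allowlisted.
    print(decide("abcd", "1234", [MASS_STORAGE_CLASS, HID_CLASS]))
    # Rules file content, e.g. for /etc/udev/rules.d/90-usb-allowlist.rules (path is illustrative).
    print(render_udev_rules())
```

Setting `authorized_default` back to `0` must happen early at boot (before udev processes hot-plug events) for the rules to have any effect; a device that was already configured by the time the rule runs has its drivers bound and is not undone by writing `1` later.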
Bottom line: physical security goes hand in hand with user awareness and education, changing the habits and practices of users to mitigate these USB security threats. With a vulnerability that is so far undetectable and unpatchable, the only current solution is to lock down the use of these devices in every network environment that is concerned with security.
Watch video of the demonstration here: https://www.youtube.com/watch?v=nuruzFqMgIw#t=75