FLASH drive ... Ah-aaaaaah! BadUSB no saviour to plug and play Universe

The seriousness of a USB security weakness, which could potentially allow hackers to reprogram USB drives, has been ratcheted up a notch, with the release of prototype code. Researchers Karsten Nohl and Jakob Lell, from German security skunkworks SR Labs, demonstrated how it might be possible to reprogram the firmware within …

  1. Stevie

    Bah!

    Is BadUSB as big and as present an annoyance as the zero-story all-add "content" waiting under the "You don't have to be mad to work for Apple" link on the Register's main page?

    1. Anonymous Coward

      SIM cards - same thing...

      They can in principle be programmed to run arbitrary code.

      Exploit your smartphone's insecure communications chip. Never visible to the OS. Do whatever they want. Hopeless.

  2. Irongut

    It's plug and pray and it has been a piss take of plug and play since long before usb flash drives were common.

    1. PC Paul

      'Plug and pray' is indeed very old but it's nothing to do with the current context. It was about how USB drivers were very hit and miss for a long time, needing installing for each individual port, being very OS specific etc.

      'Plug and prey' refers to maliciously altered USB devices that actively prey on whatever system they are plugged into.

      1. Anonymous Coward

        "'Plug and pray' is indeed very old but it's nothing to do with the current context. It was about how USB drivers were very hit and miss for a long time, needing installing for each individual port, being very OS specific etc."

        Actually, it predates USB… we were talking about Plug-and-Pray back in the days of ISAPnP. (Not PCI, ISA.)

  3. 45RPM Silver badge

    This is the most interesting malware in ages - unless I’ve misunderstood how it works. If it works at the hardware / firmware level then no amount of patching is going to fix it. Would it be possible, I wonder, for an operating system to sandbox all USB activity, such that the device (when connected) has to be approved by the User?

    “Are you sure that you want to use this USB Storage device”, “Are you sure that you want to use this Keyboard”. It would get bloody tiresome, very quickly, but it would help to ensure that a hacked USB device of one type couldn’t masquerade as an entirely different USB device.

    This is an exploit that has the potential to affect any OS on any computer with USB (and yes, that includes iOS devices, which only appear not to have a USB socket) - I feel nervous about plugging even box-fresh USB kit into my computer already.

    1. Warm Braw

      "Are you sure that you want to use this USB Storage device"

      You can disable automatic device driver installation in Windows. If you have group policies available, you can disable the automatic configuration of devices in certain classes and with certain device ids.

      However, if something mimics, say, a keyboard, mouse, or other common peripheral these options will be of limited use, particularly since you don't necessarily have any guarantee of the order in which the USB devices will be enumerated when the machine is turned on.

      1. User McUser

        Re: "Are you sure that you want to use this USB Storage device"

        However, if something mimics, say, a keyboard, mouse, or other common peripheral these options will be of limited use [...]

        A keyboard could be a threat vector, especially coupled with a USB storage device. Just quickly launch a CMD window ([Windows Key] + R -> cmd.exe -> [Enter]) and from there launch a silent payload from the USB disk and exit the shell. OSX could be vulnerable too ([Command Key] + [Space Bar] -> Terminal.app -> [Return].) Obviously some people might notice the CMD/terminal window flash up and disappear, but by then it would be too late.

        1. Daniel B.

          Re: "Are you sure that you want to use this USB Storage device"

          A keyboard could be a threat vector, especially coupled with a USB storage device.

          It already exists. Google "Rubber Ducky USB". A USB "drive" that is actually showing itself as a keyboard, and can be programmed to type stuff upon being plugged in.

  4. Gene Cash Silver badge

    Already out there, called "U3" and "startkey"

    From the Wikipedia article: "Applications that comply with U3 specifications are allowed to write files or registry information to the host computer" and "A U3 flash drive presents itself to the host system as a USB hub with a CD drive and standard USB mass storage device attached"

    This makes it difficult to use on anything except Windows, and to make it a plain flash drive again, you have to run an uninstall program on a real Windows box. A VM doesn't work. I've run into the U3 shitware, but I've not encountered the startkey stuff except for the wiki mention.

    1. Crazy Operations Guy

      Re: Already out there, called "U3" and "startkey"

      I have yet to figure out why USB drive manufacturers thought that anyone would want that crap anyway. All I want is an array of bits that I can manipulate over USB, not a crap ton of shovel-ware that screws with my machine despite me not having done anything more than plugged it in.

      1. Brian Miller

        Re: Already out there, called "U3" and "startkey"

        OK, here's the problem: the USB serial connection is just a serial connection, and there needs to be additional stuff to convert all that to writing into the flash. Now, if you were plugging in a flash card into a bus, then things might be different, like the CF cards. But instead, you want to put something on a general-purpose bus, which has no real security features. "Hello, I'm device XXYYXYXY!" That's basically it, and then the bus routes traffic. So really, it's a kind of network, but without the security features of Ethernet.

        What does this mean? It means that there must be a controller to translate the serial to the flash, keep the flash wear level, and some other housekeeping. The problem with all of this is that the microcontrollers are amazingly good these days, and a 32-bit controller can be had in an 8-pin package. It doesn't take much to emulate a keyboard, so reprogramming a USB stick isn't that much of a problem.

        I figure at some point what we'll see are USB firewalls in the operating system.

    2. psychonaut

      Re: Already out there, called "U3" and "startkey"

      Ahh that u3 crap! You can blow it away using diskpart

  5. Crazy Operations Guy

    USB device manufacturers should either be locking the flash memory on the devices or installing some kind of microcontroller (Or possibly an ARM chip, given their extremely low cost for the lower-end models) in there to verify the data getting written to flash.

    Since I do hardware hacking in my spare time, I'll usually pull open a freshly purchased device, look up the datasheet for its USB controller and then blow the write fuse; it doesn't bother me so much since firmware updates for USB devices that affect the controller are rarer than hen's teeth. If I can't, then I'll mark the device as 'insecure' and it never touches my secure network.

    1. Message From A Self-Destructing Turnip

      How do you know the device has not been hacked before you got it? Sweet dreams.

    2. Paul Crawford Silver badge

      Wrong direction of trust...

      You have to start by assuming everything is suspect, so the PC/OS should start with the assumption that any USB device cannot be trusted.

      As others have mentioned, when it is plugged in the very least an OS should do is tell you what class of device it claims to be. If it should be a USB mass storage device then that is fine, and you can proceed to be suspicious of its contents.

      However, if your USB stick claims to be a mouse/keyboard/etc then WTF?

      Fine for a proportion of El Reg readers, we might go "WTF? ...disable... ...destroy..." but that is not good enough for Joe/Jane Public for whom the OS needs to be a bit more protective, and query with language a bit more obvious than "enable HID?", say to something like "You appear to be adding a second mouse, is this really true? Think carefully my friend before answering..."
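The class-based "USB firewall" that Brian Miller (firewalls in the OS) and Paul Crawford (tell the user what class a device claims to be) describe, as an added example that is not part of the thread: a Python sketch that reads the interface classes a device advertises from Linux sysfs (bInterfaceClass) and returns allow, prompt or block. The UsbDevice, read_sysfs and assess names, the placeholder vid:pid values and the policy choices are this example's own assumptions, not anything from the article or the commenters.

```python
import os
from collections import namedtuple

HID, MASS_STORAGE = 0x03, 0x08   # bInterfaceClass codes from the USB class code table
NAMES = {0x01: "audio", HID: "HID (keyboard/mouse)", MASS_STORAGE: "mass storage", 0x09: "hub"}
UsbDevice = namedtuple("UsbDevice", "vid pid product interface_classes")  # one class per interface

def _attr(path, default):
    try:
        with open(path) as f:
            return f.read().strip()
    except OSError:
        return default

def read_sysfs(root="/sys/bus/usb/devices"):
    """Devices from Linux sysfs: <dev>/idVendor, idProduct, product; <dev>:<cfg>.<if>/bInterfaceClass."""
    found = {}
    for name in sorted(os.listdir(root)):
        cls = _attr(os.path.join(root, name, "bInterfaceClass"), "") if ":" in name else ""
        if not cls:              # not an interface directory such as "1-3:1.0"
            continue
        dev = name.split(":")[0]
        if dev not in found:
            base = os.path.join(root, dev)
            found[dev] = UsbDevice(int(_attr(base + "/idVendor", "0"), 16),
                                   int(_attr(base + "/idProduct", "0"), 16),
                                   _attr(base + "/product", "?"), [])
        found[dev].interface_classes.append(int(cls, 16))
    return list(found.values())

def assess(dev, known_hids=frozenset(), hid_already_present=False):
    """Policy verdict for one device: ('allow' | 'prompt' | 'block', reason)."""
    classes = set(dev.interface_classes)
    if HID in classes and MASS_STORAGE in classes:
        # A "drive" that can also type: the keyboard-plus-storage combination the thread describes
        return "block", "claims " + " + ".join(NAMES.get(c, hex(c)) for c in sorted(classes))
    if HID not in classes:
        return "allow", "no input capability claimed; treat any storage contents as untrusted"
    if (dev.vid, dev.pid) in known_hids:
        return "allow", "known input device"
    what = "a second input device" if hid_already_present else "an input device"
    return "prompt", f"{dev.product} ({dev.vid:04x}:{dev.pid:04x}) claims to be {what}"

def demo():  # constructed sample devices (placeholder vid:pid values, not real sysfs data)
    known = {(0x1234, 0x0001)}   # the keyboard we already trust
    samples = [UsbDevice(0x1234, 0x0002, "Plain stick", [MASS_STORAGE]),
               UsbDevice(0x1234, 0x0001, "Desk keyboard", [HID, HID]),
               UsbDevice(0x1234, 0x0003, "Odd stick", [MASS_STORAGE, HID]),
               UsbDevice(0x1234, 0x0004, "Mystery keyboard", [HID])]
    return [assess(d, known, hid_already_present=True)[0] for d in samples]
```

On a Linux host, `[assess(d) for d in read_sysfs()]` runs the same policy over the devices actually enumerated; `demo()` exercises it offline on the constructed samples.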

      1. Anonymous Coward

        Re: OS: "You appear to be adding a second mouse, is this really true? "

        ... and then all we'd need is a friendly animated paperclip to ask the question :-)

      2. Anonymous Coward

        Re: Wrong direction of trust...

        "You appear to be adding a second mouse, is this really true? Think carefully my friend before answering..."

        Let's see you click the Yes button after you accidentally unplug the wrong USB cable to your combo keyboard/mouse then have to plug it back in again.

        Reminds me back in 2003 of someone doing a Windows XP install onto a machine with no floppy drive, SATA disks (which were a new thing then) and USB HID keyboard/mouse.

        Setup unwittingly unloaded the USB drivers, then prompted with a dialogue box asking if we trusted the unsigned SATA drivers. A dialogue box we couldn't answer because we had no working keyboard or mouse at the time.

    3. razorfishsl

      That will not always work; back in ~2008 I already had working systems for subversion of nand flash device processors (it was a possible thesis, but that genie was better off kept in the bottle).

      I can say that in the last 6 years I have had plenty of time to think up all sorts of interesting attack vectors, not least of which is the possibility to get into a situation where you can use external USB devices for communications.

      So say you have a subverted device that then uses USB wireless & network dongles to completely bypass the security on the computer by having the flash device act as the USB master. The big issue of course has been the damned fact that there was only one master on the USB tree and the rest were slave devices, and as such many chipsets were only capable of being slaves; however, since USB 3.1 there is the facility for any device to now be the controller.

      Some of these chip sets actually have the facility to store the code in the Nand flash chip; it is a simple matter to just mass program the NF chip before soldering onto the PCB, or indeed just top-hat the NF chip (just in case the ASIC/silicon rom mask was messed up, there is bypass functionality to save the silicon).

      All this is before we even consider that many of the wireless adaptors are also based around 8051 or arm embedded chips… (take a look at the CSR stuff)

  6. Anonymous Coward

    I could be wrong, but I'm pretty sure the infection used in each instance would require data specific to the controller of the USB drive being attacked.

    If this is the case I wouldn't be too incredibly concerned about the implications of USB devices, but more concerned about how this could affect SSDs.

    They're just as easy to flash if not easier and well... there aren't anywhere near as many individual controllers on the market for these.

  7. Brian Miller

    Read up, this is fun!

    "Hi! I'm your friendly input device! And I have a CD drive! And I have storage space! You love me!"

    And then everything went to Hell, in a hand basket. Oh, wait, we were already shellshocked before this...

    Do you have any idea how many times I've given the OK to Windows to install a device driver for a known good device, just because I plugged it into a different USB port?? It doesn't matter if system policies are changed if the user is trained by the OS to always click "OK" before the "friendly" device can be used.

    The "microcontrollers" have some fairly good horsepower. Once upon a time, a 32-bit 60MHz chip would have been running a server or workstation instead of sitting behind a USB connector. If you want to fabricate your own board, you can add a coprocessor, and have a serious little hacking system! Some of these controllers have their own FPGA.

    Welcome to the future of Moore's Law, where the servers and storage systems of yesterday are now on USB sticks, and can hack your system in milliseconds.

    Trust the computer. The computer is your friend.

  8. Scroticus Canis

    You've got to love the distinction Egemen Tas implies...

    ...that this hack is malicious but not the hacks of the intelligence agencies or fraudsters. Malleable morality filter or what?

  9. Christian Berger

    Maybe we should see USB as an internal bus

    After all, its electrical characteristics are barely suitable for any external wiring. It's not even completely symmetrical, and every bit flip causes the bus to reset.

    Maybe we should come back to some simpler interface to talk to HIDs and memory devices. USB already is a convoluted mess with compatibility layer upon compatibility layer. A simple protocol without compound interfaces and with clearly defined independent device protocols would be a way forward. Why is it allowed that a device can claim it's a keyboard and a CD-Rom drive? And why does the CD-Rom have to speak SCSI over USB?

  10. Version 1.0 Silver badge

    "For example, fraudsters have been using hacked firmware to sell USB drives which shows higher storage capacity than they actually have."

    I bought a USB drive in a street market in Beijing in 2007 - the vendor showed me that it worked and verified the capacity - when I got back home I found that it reported its capacity at twice what it would actually store.

  11. Rafikibob

    Read!

    For those arguing about plug & pray can you please take note that pray and prey are different words, they are both plays on the original but for different reasons. Plug and pray predates USB exploits of course but plug and prey is referring to predation of targets using usb exploits. Now, shut up and get back on topic.

  12. Anonymous Coward

    Re. Onchip "compression"

    Been around since the very first flash drives, in fact one little known variant was to use 100x write "firmware only" flash chips designed never to be written more than a few times and retrofit them in expensive casings with a micro to hide all the bad sectors that inevitably appeared.

    A lot of FakeFlash microSD cards and SSDs are being made now with 16, 32 or 64GB apparent capacity but are actually factory failed 8GB with insane remapping, compression and interpolation to cover up the appalling write fade of in some cases megabytes of loss.

    So they might play a film fine but with random glitches and failed frames, seen this symptom before.
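A capacity check of the kind that would have caught the Beijing stick in Version 1.0's post and the remapped "FakeFlash" cards described above, as an added example that is not part of the thread: it writes a block whose content depends on its position at every offset up to the claimed size, reads everything back and counts the blocks that survive, which works whether the controller wraps out-of-range writes onto the real cells or silently drops them. The FakeDrive class is a constructed stand-in for such a stick, and the verify_capacity and _pattern names are this example's own; a real check would open the block device instead.

```python
import hashlib
import os

def _pattern(key, index, size):
    """Block content that depends on the block index, so a sector aliasing another cannot match."""
    digest = hashlib.sha256(key + index.to_bytes(8, "big")).digest()
    return (digest * (size // len(digest) + 1))[:size]

def verify_capacity(dev, claimed_bytes, block_size=1 << 20, key=None):
    """Write a distinct block at every position up to the claimed size, read them all back and
    count how many survive. Returns (good_blocks, first_bad_block or None)."""
    key = key or os.urandom(16)
    blocks = claimed_bytes // block_size
    for i in range(blocks):
        dev.seek(i * block_size)
        dev.write(_pattern(key, i, block_size))
    good, first_bad = 0, None
    for i in range(blocks):
        dev.seek(i * block_size)
        if dev.read(block_size) == _pattern(key, i, block_size):
            good += 1
        elif first_bad is None:
            first_bad = i
    return good, first_bad

class FakeDrive:
    """Constructed stand-in for a capacity-faked stick (not a real device): it accepts addresses
    up to `claimed` bytes but only has `real` bytes. Out-of-range writes either wrap around onto
    the real cells (the remapping the thread describes) or, with drop=True, are discarded."""
    def __init__(self, real, claimed, drop=False):
        self.real, self.claimed, self.drop = real, claimed, drop
        self.buf, self.pos = bytearray(real), 0
    def seek(self, pos):
        self.pos = pos
    def write(self, data):
        if not (self.drop and self.pos >= self.real):
            start = self.pos % self.real           # block-aligned writes; block size divides `real`
            self.buf[start:start + len(data)] = data
        self.pos += len(data)
    def read(self, n):
        start = self.pos % self.real
        self.pos += n
        return bytes(self.buf[start:start + n])

if __name__ == "__main__":
    stick = FakeDrive(real=8 << 20, claimed=32 << 20)  # sold as 32 MiB, really 8 MiB
    good, first_bad = verify_capacity(stick, stick.claimed)
    print(f"claimed {stick.claimed >> 20} MiB, verified {good} MiB, first bad block {first_bad}")
```

A wrapping controller shows the damage at block 0 (early blocks get overwritten by later ones), a dropping one at the first block past the real size; in both cases the count of good blocks is the real capacity.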

    1. Anonymous Coward

      Re: Re. Onchip "compression"

      "...interpolation... 64GB -> 8GB ...play a film fine..."

      Ah, that explains the movie that I watched from a cheap USB stick. The movie's plot kept repeating the same scene over and over again. That data compression algorithm must be working at an extremely high level, comprehending dialog and plot themes, as well as character development and music score alignment. Able to squeeze the H.264 video file by another 8-to-1 ratio. It's AMAZING!!!! They not only got your $10 for the fake stick, they also won a Fields Medal for this amazing new algorithm.

      PS: The movie was called 'Groundhog Day'.

  13. Anonymous Coward

    RE. RE. Re. Onchip "compression"

    It was amazing, the compression was obviously working but subtle artifacts crept in that resembled the distortions seen on DTV broadcasts with bad signal.

    Also found that sometimes files would play from the bad disks and the following day they would crash out, as you would expect if remapping exceeded the firmware's ability to react.
