Bah!
Is BadUSB as big and as present an annoyance as the zero-story all-ad "content" waiting under the "You don't have to be mad to work for Apple" link on the Register's main page?
The seriousness of a USB security weakness, which could potentially allow hackers to reprogram USB drives, has been ratcheted up a notch, with the release of prototype code. Researchers Karsten Nohl and Jakob Lell, from German security skunkworks SR Labs, demonstrated how it might be possible to reprogram the firmware within …
'Plug and pray' is indeed very old but it's nothing to do with the current context. It was about how USB drivers were very hit and miss for a long time, needing installing for each individual port, being very OS specific etc.
'Plug and prey' refers to maliciously altered USB devices that actively prey on whatever system they are plugged into.
'Plug and pray' is indeed very old but it's nothing to do with the current context. It was about how USB drivers were very hit and miss for a long time, needing installing for each individual port, being very OS specific etc.
Actually, it predates USB… we were talking about Plug-and-Pray back in the days of ISAPnP. (Not PCI, ISA.)
This is the most interesting malware in ages - unless I’ve misunderstood how it works. If it works at the hardware / firmware level then no amount of patching is going to fix it. Would it be possible, I wonder, for an operating system to sandbox all USB activity, such that the device (when connected) has to be approved by the User?
“Are you sure that you want to use this USB Storage device”, “Are you sure that you want to use this Keyboard”. It would get bloody tiresome, very quickly, but it would help to ensure that a hacked USB device of one type couldn’t masquerade as an entirely different USB device.
This is an exploit that has the potential to affect any OS on any computer with USB (and yes, that includes iOS devices, which only appear not to have a USB socket) - I feel nervous about plugging even box-fresh USB kit into my computer already.
You can disable automatic device driver installation in Windows. If you have group policies available, you can disable the automatic configuration of devices in certain classes and with certain device ids.
However, if something mimics, say, a keyboard, mouse, or other common peripheral these options will be of limited use, particularly since you don't necessarily have any guarantee of the order in which the USB devices will be enumerated when the machine is turned on.
However, if something mimics, say, a keyboard, mouse, or other common peripheral these options will be of limited use [...]
A keyboard could be a threat vector, especially coupled with a USB storage device. Just quickly launch a CMD window ([Windows Key] + R -> cmd.exe -> [Enter]) and from there launch a silent payload from the USB disk and exit the shell. OSX could be vulnerable too ([Command Key] + [Space Bar] -> Terminal.app -> [Return].) Obviously some people might notice the CMD/terminal window flash up and disappear, but by then it would be too late.
A keyboard could be a threat vector, especially coupled with a USB storage device.
It already exists. Google "Rubber Ducky USB". A USB "drive" that is actually showing itself as a keyboard, and can be programmed to type stuff upon being plugged in.
From the Wikipedia article: "Applications that comply with U3 specifications are allowed to write files or registry information to the host computer" and "A U3 flash drive presents itself to the host system as a USB hub with a CD drive and standard USB mass storage device attached"
This makes it difficult to use on anything except Windows, and to make it a plain flash drive again, you have to run an uninstall program on a real Windows box. A VM doesn't work. I've run into the U3 shitware, but I've not encountered the startkey stuff except for the wiki mention.
I have yet to figure out why USB drive manufacturers thought that anyone would want that crap anyway. All I want is an array of bits that I can manipulate over USB, not a crap ton of shovel-ware that screws with my machine despite me not having done anything more than plugged it in.
OK, here's the problem: the USB serial connection is just a serial connection, and there needs to be additional stuff to convert all that to writing into the flash. Now, if you were plugging in a flash card into a bus, then things might be different, like the CF cards. But instead, you want to put something on a general-purpose bus, which has no real security features. "Hello, I'm device XXYYXYXY!" That's basically it, and then the bus routes traffic. So really, it's a kind of network, but without the security features of Ethernet.
What does this mean? It means that there must be a controller to translate the serial to the flash, keep the flash wear level, and some other housekeeping. The problem with all of this is that the microcontrollers are amazingly good these days, and a 32-bit controller can be had in an 8-pin package. It doesn't take much to emulate a keyboard, so reprogramming a USB stick isn't that much of a problem.
I figure at some point what we'll see are USB firewalls in the operating system.
USB device manufacturers should either be locking the flash memory on the devices or installing some kind of microcontroller (Or possibly an ARM chip, given their extremely low cost for the lower-end models) in there to verify the data getting written to flash.
Since I do hardware hacking in my spare time, I'll usually pull open a freshly purchased device, look up the datasheet for its USB controller and then blow the write fuse; it doesn't bother me so much since firmware updates for USB devices that affect the controller are rarer than hen's teeth. If I can't, then I'll mark the device as 'insecure' and it never touches my secure network.
You have to start by assuming everything is suspect, so the PC/OS should start with the assumption that any USB device cannot be trusted.
As others have mentioned, when it is plugged in the very least an OS should do is tell you what class of device it claims to be. If it should be a USB mass storage device then that is fine, and you can proceed to be suspicious of its contents.
However, if your USB stick claims to be a mouse/keyboard/etc then WTF?
Fine for a proportion of El Reg readers, we might go "WTF? ...disable... ...destroy..." but that is not good enough for Joe/Jane Public for whom the OS needs to be a bit more protective, and query with language a bit more obvious than "enable HID?", say to something like "You appear to be adding a second mouse, is this really true? Think carefully my friend before answering..."
"You appear to be adding a second mouse, is this really true? Think carefully my friend before answering..."
Let's see you click the Yes button after you accidentally unplug the wrong USB cable to your combo keyboard/mouse then have to plug it back in again.
Reminds me back in 2003 of someone doing a Windows XP install onto a machine with no floppy drive, SATA disks (which were a new thing then) and USB HID keyboard/mouse.
Setup unwittingly unloaded the USB drivers, then prompted with a dialogue box asking if we trusted the unsigned SATA drivers. A dialogue box we couldn't answer because we had no working keyboard or mouse at the time.
That will not always work. Back in ~2008 I already had working systems for subversion of NAND flash device processors (it was a possible thesis, but that genie was better off kept in the bottle).
I can say that in the last 6 years I have had plenty of time to think up all sorts of interesting attack vectors, not least of which is the possibility to get into a situation where you can use external USB devices for communications.
So say you have a subverted device, which then uses USB wireless and network dongles to completely bypass the security on the computer by having the flash device act as the USB master. The big issue of course has been the damned fact that there was only one master on the USB tree and the rest were slave devices, and as such many chipsets were only capable of being slaves; however, since USB 3.1 there is the facility for any device to now be the controller.
Some of these chipsets actually have the facility to store the code in the NAND flash chip; it is a simple matter to just mass program the NF chip before soldering onto the PCB, or indeed just top-hat the NF chip (just in case the ASIC/silicon ROM mask was messed up, there is bypass functionality to save the silicon).
All this is before we even consider that many of the wireless adaptors are also based around 8051 or ARM embedded chips (take a look at the CSR stuff).
I could be wrong, but I'm pretty sure the infection used in each instance would require data specific to the controller of the USB drive being attacked.
If this is the case, I wouldn't be too incredibly concerned about the implications of USB devices, but more concerned about how this could affect SSDs.
They're just as easy to flash, if not easier, and well... there aren't anywhere near as many individual controllers on the market for these.
"Hi! I'm your friendly input device! And I have a CD drive! And I have storage space! You love me!"
And then everything went to Hell, in a hand basket. Oh, wait, we were already shellshocked before this...
Do you have any idea how many times I've given the OK to Windows to install a device driver for a known good device, just because I plugged it into a different USB port?? It doesn't matter if system policies are changed if the user is trained by the OS to always click "OK" before the "friendly" device can be used.
The "microcontrollers" have some fairly good horsepower. Once upon a time, a 32-bit 60MHz chip would have been running a server or workstation instead of sitting behind a USB connector. If you want to fabricate your own board, you can add a coprocessor, and have a serious little hacking system! Some of these controllers have their own FPGA.
Welcome to the future of Moore's Law, where the servers and storage systems of yesterday are now on USB sticks, and can hack your system in milliseconds.
Trust the computer. The computer is your friend.
After all, its electrical characteristics are barely suitable for any external wiring. It's not even completely symmetrical, and every bit flip causes the bus to reset.
Maybe we should come back to some simpler interface to talk to HIDs and memory devices. USB already is a convoluted mess with compatibility layer upon compatibility layer. A simple protocol without compound interfaces and with clearly defined independent device protocols would be a way forward. Why is it allowed that a device can claim it's a keyboard and a CD-Rom drive? And why does the CD-Rom have to speak SCSI over USB?
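The interface-class check that several posters want the OS to perform (tell the user what class the device claims to be, and refuse a "stick" that also enumerates as a keyboard or CD-ROM), as an added Python example that is not from the thread or from the article. It walks a USB configuration descriptor, collects the interface class codes, and blocks any device whose interfaces do not all match the class the user expected; the descriptor blobs are constructed for the example, not captured from real hardware.

```python
import struct

HID, MASS_STORAGE = 0x03, 0x08   # USB-IF interface class codes discussed in the thread

def parse_interfaces(config: bytes) -> list[tuple[int, int, int, int]]:
    """Walk a configuration descriptor blob and return (number, class, subclass,
    protocol) for every interface descriptor (bDescriptorType == 4) it contains."""
    total = struct.unpack_from("<H", config, 2)[0]                # wTotalLength
    if total != len(config):
        raise ValueError("wTotalLength does not match blob length")
    ifaces, off = [], 0
    while off + 2 <= total:
        length, dtype = config[off], config[off + 1]              # bLength, bDescriptorType
        if length < 2 or off + length > total:
            raise ValueError("malformed descriptor at offset %d" % off)
        if dtype == 4 and length >= 9:
            num, _alt, _neps, cls, sub, proto = config[off + 2:off + 8]
            ifaces.append((num, cls, sub, proto))
        off += length                                             # other types (HID, endpoint) are skipped
    return ifaces

def classify(config: bytes, expected: int) -> tuple[str, str]:
    """Policy: allow only if every interface is of the class the user expects the
    device to have (what it was sold as); anything else is blocked with a reason."""
    classes = {cls for _, cls, _, _ in parse_interfaces(config)}
    unexpected = classes - {expected}
    if not unexpected:
        return "allow", "all interfaces are class 0x%02x" % expected
    if HID in unexpected:
        return "block", "device also claims to be an input device (HID class 0x03)"
    return "block", "unexpected interface classes: " + ", ".join("0x%02x" % c for c in sorted(unexpected))

# --- constructed sample descriptors, not captured from real hardware ---
def _iface(num, cls, sub, proto, eps):
    return bytes([9, 4, num, 0, len(eps), cls, sub, proto, 0]) + b"".join(eps)

def _ep(addr, attrs):                      # 7-byte endpoint descriptor, wMaxPacketSize 64
    return bytes([7, 5, addr, attrs, 64, 0, 0])

def build_config(ifaces):
    body = b"".join(ifaces)
    head = bytes([9, 2]) + struct.pack("<H", 9 + len(body)) + bytes([len(ifaces), 1, 0, 0x80, 50])
    return head + body

# an honest stick: a single mass-storage interface (SCSI transparent, bulk-only)
PLAIN_STICK = build_config([_iface(0, MASS_STORAGE, 0x06, 0x50, [_ep(0x81, 2), _ep(0x02, 2)])])
# a "stick" that additionally enumerates a boot-protocol keyboard interface
MASQUERADE = build_config([_iface(0, HID, 0x01, 0x01, [_ep(0x81, 3)]),
                           _iface(1, MASS_STORAGE, 0x06, 0x50, [_ep(0x82, 2), _ep(0x02, 2)])])
```

A real policy daemon would read the blob from the device on enumeration and defer binding the driver until the decision is made; here `classify(MASQUERADE, MASS_STORAGE)` returns a block verdict naming the HID interface, while the plain stick is allowed.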
"For example, fraudsters have been using hacked firmware to sell USB drives which shows higher storage capacity than they actually have."
I bought a USB drive in a street market in Beijing in 2007 - the vendor showed me that it worked and verified the capacity - when I got back home I found that it reported its capacity at twice what it would actually store.
For those arguing about plug & pray, can you please take note that pray and prey are different words; they are both plays on the original but for different reasons. Plug and pray predates USB exploits of course, but plug and prey is referring to predation of targets using USB exploits. Now, shut up and get back on topic.
Been around since the very first flash drives, in fact one little known variant was to use 100x write "firmware only" flash chips designed never to be written more than a few times and retrofit them in expensive casings with a micro to hide all the bad sectors that inevitably appeared.
A lot of FakeFlash microSD cards and SSDs are being made now with 16, 32 or 64GB apparent capacity but are actually factory failed 8GB with insane remapping, compression and interpolation to cover up the appalling write fade of in some cases megabytes of loss.
So they might play a film fine but with random glitches and failed frames, seen this symptom before.
"...interpolation... 64GB -> 8GB ...play a film fine..."
Ah, that explains the movie that I watched from a cheap USB stick. The movie's plot kept repeating the same scene over and over again. That data compression algorithm must be working at an extremely high level, comprehending dialog and plot themes, as well as character development and music score alignment. Able to squeeze the H.264 video file by another 8-to-1 ratio. It's AMAZING!!!! They not only got your $10 for the fake stick, they also won a Fields Medal for this amazing new algorithm.
PS: The movie was called 'Groundhog Day'.
It was amazing, the compression was obviously working but subtle artifacts crept in that resembled the distortions seen on DTV broadcasts with bad signal.
Also found that sometimes files would play from the bad disks and the following day they would crash out, as you would expect if remapping exceeded the firmware's ability to react.