Is this USB thing as bad as it sounds?

Because it sounds pretty bad.

The Unpatchable Malware That Infects USBs Is Now on the Loose

Because it affects the firmware of the USB's microcontroller, that attack program would be stored in the rewritable code that controls the USB's basic functions, not in its flash memory -- even deleting the entire contents of its storage wouldn't catch the malware. [...]

The kind of compromise they're demonstrating is nearly impossible to counter without banning the sharing of USB devices or filling your port with superglue. "These problems can't be patched," says Nohl. "We're exploiting the very way that USB is designed."

Previously, previously, previously, previously.

Tags: , , ,

37 Responses:

  1. joshka says:

    If you have physical access, you have logical access. This mantra is unaltered by this bug.

    Even without it, imagine how many bugs there are in vendor usb drivers that come by default in operating systems. It may help to think back to Stuxnet etc. here. Assuming that USB is broken is the only rational security perspective. Anything else is wishful thinking.

    • jwz says:

      How could I have possibly predicted that a beard-stroking "well I knew about it already" comment was going to be the first reply to this.

      • joshka says:

        Sorry if this came across in that fashion. No beard stroking here, just an answer to your question; Yes this is bad, but no worse than yesterday. :P

  2. Jan Ingvoldstad says:

    USB has always been "plug it in and hope that noone wants to do harm".

    There's been a bit of focus on the DMA access in FireWire etc., but USB's … challenges have been known for just as long, if not longer. It resurfaces now and then, and this is what, the third iteration of this particular USB problem?

    Remember Stuxnet?

    • jwz says:

      I think that those of you who enjoy saying "this is nothing new" haven't actually read the article.

      • Zygo says:

        We don't have to read the article. We've read the spec, looked at some of the devices people are building, and/or used our imagination. The article literally can't be any worse than what's already known to be possible. The only thing left to do is check off the right row on the "so this is what the kids learned in the locker room today" table.

        USB attacks are still mostly hard. One of the reasons why it's so hard is that we still have more than one vendor making everything, and the attacks tend to rely completely on arcane implementation details. Nothing ever works 100% of the time.

        It's hardly unpatchable, although in today's era of disposable hardware "patching" might be more expensive than simply throwing today's model away. In a few years a bunch of half-assed mitigations will be widely deployed to prevent today's vulnerability. Until then, there are thousands of attack vectors that real systems are already vulnerable to anyway, and most of them are easier.

        The only safe way to read data off a USB stick is to plug it into a disposable machine, print the data out, scan it back in, and then put everything you just touched into a huge bonfire, all while it's still sealed in a thick-walled metal box. Anything less is probably vulnerable to something, even if nobody knows exactly what yet. Put a few machines between your important data and the USB stick and most of the problems will be satisfactorily contained.

        • jwz says:

          Ladies and Gentlemen: Academia.

          • Otto says:

            To be fair, what he's is saying is that USB is shit, we've mostly known it is shit for a long time, and now, this is proven. So the shit has finally hit the fan.

            If you were already a paranoid bastard, perhaps professionally, then you stopped using unfamiliar USB quite a while ago. In that sense, it's nothing new.

            In a more fundamental sense, non-paranoid bastards are just now discovering that they live in ruins covered with shit from their fan blades. And yeah, it stinks.

            • Dan Lyke says:

              But if I'm reading the article (and some of the other exploit descriptions I've seen) correctly, this has nothing to do with "unfamilliar USB", this is all about a USB stick that you opened the shrink wrap on at some point being plugged into an infected system, causing that infection to be written to the firmware that drives the USB stick (any modern solid state storage has at least a full-featured ARM core in it).

              So this isn't "Don't boot off that floppy if you don't trust every machine it's been put in", this is "don't even insert that USB stick if you don't trust its entire provenance chain.

              And given that we've seen USB sticks shipped with malware on them, this is basically "put epoxy in your USB ports now".

          • Zygo says:

            Academic solutions to security problems tend to be impractical, and practical measures tend to be uninteresting to academia. Discussions between us and them are always "The sky is falling! Our umbrellas are useless! People could die!" vs. "yes we know. God you people are so boring. Tell me something I might care about" and the best part is you can attribute both quotes to either side interchangeably. It's enough to make one want to quit the industry and open a bar.

            You did ask "is it as bad as it sounds?" and the answer is "yes, it's the worst case scenario, and it's worse now than it's ever been." What you didn't ask, but seemed to imply, is "is it so bad that I'll have to give more fucks about it than usual?" to which the answer is "no, the worst case scenario is also our daily reality, and if you've been OK with reality so far then just keep calm and carry on."

            There have been many apocalyptic worm-breeding security bugs over the years. The thing to remember is that in any fight between two pieces of software, the smart money bets on entropy. Entropy limits worm growth by providing an endless supply of different propagation barriers. Even the most virulent and effective worms so far (excluding the Morris worm) have not managed to propagate to even 1% of the Internet, even as they capture 90% of vulnerable hosts in minutes. The worm alerts kids release today are like the movie Quantum of Solace--the apocalyptic doomsday scenario of the film was arguably a better outcome than similar real life events that had previously happened, and nobody cared about those either. Well, almost nobody outside of Bolivia, anyway.

            Hopefully, if you are doing something important with computers, you're relying on more technical countermeasures than OS upgrades, running antivirus, and disabling AutoPlay. Everyone does that, so attackers now assume you'll do it and plan accordingly. They assume you'll be lazy and click on buttons as they appear (so the attack where the file changes between reads works, since people will use the file in-place on the stick instead of copying it to the nice safe internal hard drive first). Everybody creating new attacks has to figure out how to neutralize or evade current virus scanners or there's no point in bothering to release at all.

            This is not a new situation, it's an old one coming back into style. Antivirus software only really worked from the 1990's to 2007 or so. Today's AV is amazingly successful if it detects one new malware threat in five. The undetectable-malware case is what already happens 80% of the time. USB sticks with self-propagating worms on them will hardly be noticeable in the middle of the horror we are already experiencing.

            Abstinence still works. Limiting the number of data interchange partners you have works less well, but good enough for many organizations. The current state of the art in consumer malware response is to reinstall the OS, and that still works (assuming the attack didn't eat your BIOS or penetrate other USB peripherals). What does a USB stick cost? About $2? Do the math for the cost of assessing suspect USB sticks with unknown malware content and unknown malware detection efficacy vs. replacing every stick you own with a new one. Sometimes "kill it with fire" really is the right answer.

            Some orgs already do literally pour glue into their USB ports. Some employees are designated to copy data onto the (scanned, firewalled, and audited) network servers from USB sticks, while others are designated to copy to USB sticks. All incoming USB sticks make one-way trips that end at corporate security where they are destroyed, and outgoing USB sticks are used once only and never come back. Anybody else who somehow uses USB on their computer gets invited to explain to corporate security why they should remain employed and not arrested or sued. Countermeasures like those still work against this new malware, and people have deployed them because they already learned the hard way that they had to.

  3. macegr says:

    Some are trying to downplay this by saying that most USB drives use mask-ROM or are purely state machines, but this isn't about infecting the USB drives. It's a clandestine attack vector using sneakernet, and the attacker will choose one of the vulnerable devices. The fake keyboard trick is easy to grasp, but the silent modification of retrieved files is the real killer.

    Anyone concerned about security is already paranoid about unknown storage devices, though. And a lot of other computer hardware has reprogrammable controllers inside...hard drives, mice, printers, cameras...this really is an extension of the physical access manta reiterated above.

    • Christian Vogel says:

      Silent modification of retrieved files is evil, and frankly fascinating. But, for me, only relevant for a very specific target, and unsuitable for a mass epidemic.

      To have the evil firmware spread to the next compatible USB stick, you'll have to have run code on your computer (the reprogramming software). And this is something operating system vendors increasingly secure using signatures on executables [e.g. the annoying: This has been downloaded from the Internet, do you really want to run XYZ.exe, signed by ...]

      If you can successfully hide an exploit in an otherwise benign file, I don't see much of a point in taking the effort of reprogramming the USB device, though. Just let the computer do the modification of all the other benign files on the stick...

      • Chris Adams says:

        Are you absolutely certain that every AV implementation is careful enough to scan every read() and never does something like scan an entire file when it's first opened, allowing the controller to return different content when the actual application reads it? Or assumes that if the OS hasn't called write() on a file the AV status hasn't changed? Or re-validates memory-mapped I/O when it's paged in, etc.

        I'm generally still with you on the thought that this is likely to prove a nuisance but not a mass plague but the industry is littered with assumptions which later proved unsafe. I'm not betting against someone finding a creative exploit in what has until now largely been considered a low-exposure local interface.

        • Christian Vogel says:

          Can't find it now, but this has already been exploited to get root on some smart TVs. Store "app" on a storage device emulated by Linux' USB-gadget framework. Present innocuous application the first time (when the TV verifies the signature), present your root-shell the second time for execution.

          My point being: There's been prior art that should have made AV vendors [or OS programmers verifying signatures] switch to a non-braindead way of implementing their scanning/verification.

    • hattifattener says:

      I'd guess that most USB drives are at best OTP EPROM, and probably Flash. Flash is cheap to put onto the same chip as the controller these days.

      Not that the exact ratio matters very much. As long as many controllers are reprogrammable, a paranoid person has to treat them all as if they could be.

  4. Christian Vogel says:

    That "unpatchable supermalware" is (no one would have guessed...) complete hyperbole.

    Yes, one can reprogram the controller-firmware in many USB flashdrives to include arbitrary malicious functionality. And most USB controllers' firmware doesn't require any authorization for it -- often such upgrade modes are in hard-coded ROM to make controllers unbrickable. In that sense, it's "unpatchable".

    "Unpatchable" as in "we are all doomed?" Not so much.

    The problem that most computers just silently will install drivers/kernel-modules/kexts and bind them to any USB device connected to the PC is hardly unfixable, it is trivially fixable in most cases. Just not implemented (yet) in mainstream OSs.

    So with this exploit now released to the wild, I hope most operating systems will do the sensible thing and plug in a confirmation dialog when a USB thumbdrive also wants to have it recognized as a keyboard, usb-webcam, network-adapter and nosehair-trimmer at the same time (e.g. not things on a whitelist for typical day-to-day work).

    • Leolo says:

      I'm not 100% familiar with USB. But can't the device just say "I'm a USB hub" and then a bit later say "a USB drive was plugged into this USB hub" and then "a USB keyboard was plugged into this USB hub"? Put another way, can the OS distiguish between a keyboard and flashdrive plugged into a hub from a single device that pretends to be a keyboard and flashdrive plugged into a hub. Can the OS even detect the simpler scenario, that of one device claiming both keyboard and flashdrive functions?

      • Christian Vogel says:

        Multiple functions in a device: Yes, from the standpoint of the OS, there's a difference between a device having both functionalities and two single-function devices being plugged into a hub. A USB device stores some blocks of data (the "descriptors") which describe it, and in these descriptors, there can be several "functions" for each USB device.

        Pretending to be a USB-Hub: I don't know about the limitations of specific USB controllers used in thumbdrives. But it's prudent to assume that a USB device would be able to also impersonate a hub with several connected devices, not only pretending to be a single device with multiple functions.

        A sane operating system protecting you from malicious devices should prevent critical drivers to bind to any USB device -- no matter in which combination it claims to combine storage, keyboard, or any other things.

        • flodadolf says:

          Sandisk (used to?) have this functionality built into some of their products: It presented itself as a hub, and attached to that hub was a CD-ROM drive* and a regular mass-storage device.

          *: Because Windows is often configured blindly autorun a CD, but not a thumb drive**.

          **: Yeah, I know.

    • The problem that most computers just silently will install drivers/kernel-modules/kexts and bind them to any USB device connected to the PC is hardly unfixable, it is trivially fixable in most cases. Just not implemented (yet) in mainstream OSs.

      So are you suggesting my computer should make me click some OK buttons before I can use my mouse and keyboard? ...

      • berdario says:

        As long as the first keyboard is automatically accepted, and the prompt would happen only for the keyboard n+1, this'd be an acceptable solution imho.

        (unless there's some wacky way to force disconnection of all the HID devices when another USB device is plugged in, but I really hope this is not the case)

        • Zygo says:

          Just shove some noise down the D+/D- lines at the wrong times, and all devices on some part of the USB tree will disconnect. I have a bad cable or ten that do this all the time. It might not work on ports on the motherboard, but it'll work just fine if the victim has a hub on their desk that they plug everything into.

        • The wireless dongle for my mouse presents itself as a keyboard as well (because its' a universal dongle, and only by doing this can it work with clueless operating systems... or your system firmware), so your suggestion means there is a 50% chance my keyboard won't work (and I presumably won't be able to make my keyboard functional)

          And also I have a second dongle, for my second mouse (which gets used roughly once a week while my primary mouse is recharging), so theres a 50% chance it will pick the wrong mouse.

          There are all sorts of ways that this sort of thing can go wrong.

  5. Kyzer says:

    There are a number of attacks outlined, but it's not as doom-and-gloom as imagined.

    1. The worst one: there are bugs in your OS's USB drivers that can be exploited. Then the USB device can get pretty much anything into or out of your computer. However, that requires there to be a bug on your side, which is fairly unlikely, and if one is discovered, it can be patched. You and your OS vendor control those drivers, not the attacker. It may catch you out, but if you're looking for it, you'll find it, and then you can permanently put an end to it.

    For example, it used to be possible to root the PS3 by plugging in a suitable device that exploited a bug in the PS3's code that enumerated USB descriptors to get arbitrary code execution. Once Sony found out how that was happening, they patched it, and banned anyone using the vulnerable firmware from connecting to the PSN, so everyone had to decide that, if they wanted to keep playing games on it, they had to shut the door to running their own OS on the hardware forever.

    The chap above may be going on about "vendor USB drivers", but the absolute majority of USB devices you plug in need no "vendor USB drivers", they use your OS's standard USB mass storage device driver which basically talks SCSI over the wire, or the standard USB human interface device driver (keyboards, mice, etc.) or the standard USB video device driver (TV decoder cards, webcams, etc.). Each of these device classes has fixed specifications, and there should be little room for shenanigans, at least compared to the arbitrary third-party code of, say, printer drivers.

    2. Almost as bad: the USB device looks dumb, but it's actually smart. This is just spycraft. Imagine you habitually run an executable from a "known good" USB drive and someone has tampered with it, so that if you look it at one machine, the executable is fine, but if you look at it on the target machine, the "dumb disk" actually knows who it's connected to and serves up malware. Or maybe the dumb disk secretly registers a USB keyboard at the same time, waits until you're not looking, then types "rm -rf /" or whatever nefarious deeds. Or maybe it registers as a USB network interface and starts capturing your traffic (but how would it deliver it? If it didn't, the jig would be up fairly soon) This is in the same bracket as "but what if the NSA intercepted my hardware in the mail and planted a bug", which they do, or "what if the NSA uploaded new microcode to my Intel CPU that made it subtly wrong at generating cryptographically random numbers?". If you're that concerned, manufacture your own damn hardware, and don't rely on a single piece of hardware.

    The worry is that 1. can combine with 2. and create unwilling zombie USB devices, but that's just the sexy talk for Wired magazine. The real problem is 1., which can be defended against by making your computer say "no" to anything other than vanilla USB devices, and 2. can be defended against by not letting anyone near your computer and only buying new hardware from places the NSA won't expect you to, so they can't pre-fuck your hardware.

  6. David Poole says:

    The scenario I've seen is: patch USB device firmware to mimic keyboard and/or mouse. When plugged in, send keystrokes. Windows key -> Run -> Firefox -> http://drive-by-malware.evil

    Operating systems trust the device is what it says it is. I work on printers. We made a printer that pretends to be a mass storage device. We store the drivers on the printer itself. If the printer didn't detect the drivers on the host, the host mounts up our "hard drive", runs our autorun, and the drivers will prompt the user to install. The rest of the install is automatic.

    Once the install is done, we change our USB VID/PID (Vendor ID/Product ID) back to a printer/scanner. We could easily say we're a keyboard/mouse. It's a small matter of firmware.

    We talked about becoming a mouse/keyboard to automatically click through the dialogs. Sounded creepy and illegal so we didn't do it. Would have worked, though.

    USB reminds me of the early (~1990s) internet--very trusting.

  7. Rob says:

    Your headline ends with a question mark, so, no.

  8. This sort of thing is why I get alarmed at those USB-based solar charging stations. Don't use one without a USB condom! Not even once! Not even just the tip!

  9. Tim says:

    The threat is being overblown, I think. Yeah, you can make a USB memory stick start reporting itself as multiple devices so it can inject keystrokes. But how will this bad firmware make its way onto your thumbdrive?

    Remote network exploit or you download a trojan: If these happen you are already fucked and why would the black hat even bother fucking around with your thumbdrives.

    Locally: The "leave a compromised thumbdrive on the ground, hope someone picks it up and plugs it in" attack. Which works, but it's not like this possibility is a new development. Black hats have always been able to construct their own USB devices. The reported reverse engineering of Phison USB memory stick controllers merely implies that it's a bit cheaper to do.

    Now consider what can be done with such a doctored drive:

    Keylogger? From what I remember, USB hubs don't echo USB packets down branches of the network which do not lie on the route between the leaf node and the host computer. Hub silicon is where bad keylogger firmware could live, but the hub still has to be inserted between your computer and keyboard.

    Send key and mouse events? It will probably need unpatched privilege escalation vulnerabilities or bad user security hygiene to take over any modern OS.

    IMO, most of the worry when plugging in a random USB drive continues to be boring old trojan binaries.

  10. Thomas J. says:

    Similar problems were already presented at 30C3 for SD-cards, USB-sticks are different in that USB allows for more attack vectors but the principle is the same:

  11. It's not so great actually.

  • Previously