USB Vulnerabilities



PurpleGurl
Posts: 1788
Joined: Fri Aug 07, 2009 5:11 am
Location: USA

USB Vulnerabilities

Post by PurpleGurl »

There seem to be vulnerabilities in the USB protocol itself, or at least in the most common hardware implementations. Someone recently released some exploits. It was a bit irresponsible if you ask me. Had they gone to the USB Foundation and to hardware manufacturers, that would have been one thing, but they actually released exploits to the public to force an issue out of it that way.

http://www.wired.com/2014/10/code-publi ... sb-attack/

It seems one of the malicious possibilities is impersonation. Let's suppose someone has an infected USB device that convinces Windows it is a keyboard. Then the attacker can issue commands. The malicious code could be stored in the device's buffer RAM instead of the flash memory. So even formatting an infected USB drive won't help.
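As an added example (not part of PurpleGurl's post or the linked article): the way a device "convinces Windows it is a keyboard" is through the interface descriptors it returns during enumeration. The host binds a class driver to whatever bInterfaceClass each interface declares, and nothing checks that the declared class matches the plastic housing. The parser below walks a configuration descriptor using the USB 2.0 descriptor layouts (configuration, interface, endpoint, plus the HID class descriptor) and flags a device that presents a mass-storage interface next to a HID boot-keyboard interface. The sample descriptor bytes are constructed for this example; the class codes and field offsets are from the USB and HID specifications.

```python
"""
Parse a USB configuration descriptor and report the interfaces a device
claims, flagging a device that enumerates both as mass storage and as a
HID boot keyboard.  Added example; sample descriptor bytes are constructed.
"""
import struct
from dataclasses import dataclass, field

# bDescriptorType values (USB 2.0, table 9-5) plus the HID class descriptor type.
DT_CONFIGURATION = 0x02
DT_INTERFACE = 0x04
DT_ENDPOINT = 0x05
DT_HID = 0x21

# bInterfaceClass codes the host's class drivers bind on.
CLASS_NAMES = {0x03: "HID", 0x08: "Mass Storage", 0x09: "Hub", 0x0A: "CDC Data"}


@dataclass
class Interface:
    number: int
    alt: int
    cls: int
    subclass: int
    protocol: int
    endpoints: list = field(default_factory=list)  # (bEndpointAddress, bmAttributes, wMaxPacketSize)

    @property
    def is_keyboard(self) -> bool:
        # HID class, boot-interface subclass, keyboard protocol (HID 1.11, sections 4.2 and 4.3).
        return self.cls == 0x03 and self.subclass == 0x01 and self.protocol == 0x01


def parse_configuration(blob: bytes) -> list:
    """Parse one configuration descriptor and every descriptor embedded after it."""
    if len(blob) < 9 or blob[1] != DT_CONFIGURATION:
        raise ValueError("not a configuration descriptor")
    total_len = struct.unpack_from("<H", blob, 2)[0]
    if total_len > len(blob):
        raise ValueError(f"wTotalLength {total_len} exceeds buffer of {len(blob)} bytes")
    interfaces = []
    off = blob[0]  # bLength of the configuration descriptor itself (9)
    while off + 2 <= total_len:
        length, dtype = blob[off], blob[off + 1]
        if length < 2 or off + length > total_len:
            raise ValueError(f"bad descriptor length {length} at offset {off}")
        body = blob[off:off + length]
        if dtype == DT_INTERFACE and length >= 9:
            num, alt, _n_ep, cls, sub, proto = struct.unpack_from("<BBBBBB", body, 2)
            interfaces.append(Interface(num, alt, cls, sub, proto))
        elif dtype == DT_ENDPOINT and length >= 7 and interfaces:
            addr, attrs, mps = struct.unpack_from("<BBH", body, 2)
            interfaces[-1].endpoints.append((addr, attrs, mps))
        # Class-specific descriptors (DT_HID etc.) and unknown types are skipped by length.
        off += length
    return interfaces


def classify(interfaces) -> dict:
    """Summarise what the device claims to be; the last key is the BadUSB pattern."""
    classes = sorted({i.cls for i in interfaces})
    has_keyboard = any(i.is_keyboard for i in interfaces)
    has_storage = any(i.cls == 0x08 for i in interfaces)
    return {
        "classes": [CLASS_NAMES.get(c, f"0x{c:02x}") for c in classes],
        "keyboard": has_keyboard,
        "storage_plus_keyboard": has_storage and has_keyboard,
    }


def _config(*descriptors: bytes) -> bytes:
    """Prepend a configuration descriptor with wTotalLength and bNumInterfaces filled in."""
    body = b"".join(descriptors)
    n_if = sum(1 for d in descriptors if d[1] == DT_INTERFACE and d[3] == 0)
    head = struct.pack("<BBHBBBBB", 9, DT_CONFIGURATION, 9 + len(body), n_if, 1, 0, 0x80, 50)
    return head + body


# Constructed descriptors: mass storage (SCSI transparent, bulk-only) and a boot keyboard.
IF_STORAGE = bytes([9, DT_INTERFACE, 0, 0, 2, 0x08, 0x06, 0x50, 0])
EP_BULK_IN = bytes([7, DT_ENDPOINT, 0x81, 0x02, 0x00, 0x02, 0])    # bulk IN, 512-byte packets
EP_BULK_OUT = bytes([7, DT_ENDPOINT, 0x02, 0x02, 0x00, 0x02, 0])   # bulk OUT
IF_KEYBOARD = bytes([9, DT_INTERFACE, 1, 0, 1, 0x03, 0x01, 0x01, 0])
HID_DESC = bytes([9, DT_HID, 0x11, 0x01, 0, 1, 0x22, 0x3F, 0x00])  # HID 1.11, one report descriptor
EP_INT_IN = bytes([7, DT_ENDPOINT, 0x82, 0x03, 0x08, 0x00, 10])    # interrupt IN, 8-byte reports

SAMPLE_STICK = _config(IF_STORAGE, EP_BULK_IN, EP_BULK_OUT)
SAMPLE_BADUSB = _config(IF_STORAGE, EP_BULK_IN, EP_BULK_OUT, IF_KEYBOARD, HID_DESC, EP_INT_IN)

if __name__ == "__main__":
    for label, blob in (("plain stick", SAMPLE_STICK), ("stick + keyboard", SAMPLE_BADUSB)):
        print(label, classify(parse_configuration(blob)))
```

Note that the parser only reports what the device *claims*; a reprogrammed controller returns whatever descriptors its firmware chooses, so the useful policy is to refuse unexpected class combinations at enumeration time rather than to trust any descriptor field.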

tomleem
Posts: 631
Joined: Mon Mar 28, 2005 6:59 pm
Location: New Hampshire of United States of America

Re: USB Vulnerabilities

Post by tomleem »

It is like the show they had on television once where they went to houses and showed the home owner how vulnerable their house was. The home owner received permission to break into their house but he ends up doing a lot of damage. IMO, it also showed potential thieves and home intruders how to break into a house and what to look for. :x If they had just shown the homeowner and not put it on television, it would have been better than being a 'how to' for thieves. :o
* * * * * * * * * * * * *
Tom Lee M / BigGoofyGuy
* * * * * * * * * * * * *

fred02
Posts: 551
Joined: Thu Nov 22, 2007 5:54 pm

Re: USB Vulnerabilities

Post by fred02 »

Don't sweat it, PurpleGurl. Those that will exploit this vulnerability already know about it (and many others), so it is better for us to be aware too. "Security through obscurity" never works and ends up with an even worse mess: think WEP.

MadWolf
Posts: 544
Joined: Sat Dec 31, 2005 4:19 am

Re: USB Vulnerabilities

Post by MadWolf »

hi
Andromeda • 24 days ago

Nohl's research has some serious holes in it. This attack vector, while possible, is incredibly narrow, and any attempt to paint BadUSB as a serious threat is basically FUD. This is a repost of Clandestine Moniker's response to the last BadUSB article wired decided to scare the masses with:
_____________________________________

I make a living designing and selling USB controllers and I can say this article is very sensationalist and it is only telling a half-truth. Yes, some USB devices rely on firmware for fundamental operation and yes, the device firmware of *SOME* USB devices can be field-upgraded or otherwise updated, but to claim that USB itself is fundamentally broken due to this limited attack vector is nonsense.

There are three things that make this attack very specific and difficult to execute:

1) Most USB device controllers are ASICs, or Application Specific Integrated Circuits. They are usually highly optimized to perform their intended function very well, and they usually do not have extensibility to become other devices. For example, one of my company's products is a USB 3.0 to SATA Bridge, which is used in USB 3.0 external drives. Our USB 3.0 to SATA bridge contains USB endpoints for USB Mass Storage Class and that's it. Even if you re-programmed our device firmware, all it could be is a USB Mass Storage Class device since the USB endpoint number and types are fixed in hardware. We did this to make the chip as lean as possible. It is impossible to program our chip to become a functional networking controller or a keyboard device since we don't support those features on the silicon.

>>>> Not all USB devices can be infected! Even if you managed to infect the device, chances are you'd brick it rather than make it into something malicious. Manufacturers are usually cost sensitive and they find ways to trim costs everywhere they can ~ releasing general-purpose controllers for commodity devices is, by definition, wasteful.

2) Device manufacturers are generally very protective of their device firmwares, since the device firmwares usually contain stuff device manufacturers don't want other people to know about such as work-arounds for bugs in the silicon, or proprietary algorithms which may enhance performance or reliability, etc. The source code for most device firmwares is never published, and even if it is, there is very little documentation or active support. Finally, device manufacturers often have at least rudimentary checks in place within their controllers to check if the firmware is "valid", though these checks can vary from cryptographic hashing to simple checksums to length checks.

>>>>> Getting access to and mucking around with a device's firmware is hard. Many ASICs use customized MCU cores and without published register/programming guides, it is very difficult to reverse-engineer.

3) Assuming that you've found a USB device controller that for some reason can be programmed arbitrarily to support other USB classes and endpoints, and assuming again you found the firmware source code or otherwise reverse-engineered the device's firmware, you still need to be able to program the device. The vast majority of USB 2.0 and 1.1 devices have fixed firmwares that cannot be updated. The firmware code is often stored on a metal layer in the silicon itself, and there is no way for it to be changed. If the firmware is stored on an external memory device, you still need to find a method to reprogram it, either using (undocumented) vendor commands or using dedicated hardware.

>>>>> Most USB device controllers don't support being reprogrammed at all, even if they run on firmware. Some ASICs don't have an MCU and instead rely purely on a logical state machine, so that entire subclass is immune. Many ICs have a MASK ROM such that the firmware program is stored in some type of unwritable read-only medium and they are totally immune to this attack as well.
http://www.wired.com/2014/10/code-publi ... sb-attack/

Tonix
Posts: 89
Joined: Tue May 22, 2007 11:33 am

Re: USB Vulnerabilities

Post by Tonix »

MadWolf wrote: any attempt to paint BadUSB as a serious threat is basically FUD.

Totally agree with the article.

To say that the USB protocol is vulnerable is total nonsense; devices can be vulnerable if not designed well.

It's true that you can reprogram some devices to be recognized as other devices by the OS, see Arduino HID on Google.

The problem exists only in case someone can physically connect an exploited USB device to your machine, but this is a thing that will never happen in a server environment where you can't physically reach the machines and where USB ports are disabled in most cases.

Also, injecting malicious code while transferring files to/from a USB device is not an issue in a well secured environment. CRC checks and hashing of files prevent this kind of operation.

So yes, someone can program a USB device that cheats on its identity, but the exploit works only if you allow the device to be plugged into your machine.

Webunny
Posts: 1201
Joined: Sat Apr 28, 2012 1:30 pm

Re: USB Vulnerabilities

Post by Webunny »

Tonix wrote:
MadWolf wrote: any attempt to paint BadUSB as a serious threat is basically FUD.

Totally agree with the article.

To say that the USB protocol is vulnerable is total nonsense; devices can be vulnerable if not designed well.

It's true that you can reprogram some devices to be recognized as other devices by the OS, see Arduino HID on Google.

The problem exists only in case someone can physically connect an exploited USB device to your machine, but this is a thing that will never happen in a server environment where you can't physically reach the machines and where USB ports are disabled in most cases.

Also, injecting malicious code while transferring files to/from a USB device is not an issue in a well secured environment. CRC checks and hashing of files prevent this kind of operation.

So yes, someone can program a USB device that cheats on its identity, but the exploit works only if you allow the device to be plugged into your machine.

I do not find the counterarguments all that persuasive, to be frank. In point 1 he makes the argument that 'most' devices aren't susceptible and 'not all' devices can be infected, but that has NO value in itself. What is 'most', what is 'not all'? 10%? 20%? 50%? An argument that vague means very little. Also, on what authority does he speak? Did he make a scientific double-blind study? Can he make such a claim for the entirety of all USB devices? Really? There are other experts that find this a great vulnerability indeed, and it's not only Nohl saying it. Why should we believe this post, and not the articles of the others? He has given us very little to have confidence in his claims, to be honest. Instead he is being extremely vague and using general statements which are nowhere substantiated.

His point two is basically 'it's secure because it's made difficult to read/know what is being used'. Yeah... Another point which makes me seriously doubt the authority of what he's been saying. "Security through obscurity" is a well-known fallacy. It's NOT because "the source code for most device firmwares are never published" that that means it is safe. No, it's not, not even remotely. On the contrary, by keeping it secret like that, it's making it more difficult to gauge the real amount of vulnerability a certain device has. But that will not stop somebody nefarious from discovering it; it only means it can stay longer under wraps, and the company can always deny any vulnerabilities. To actually claim that obscurity makes the exploit more secure, is ludicrous, and casts a doubt about the kind of reasoning he uses.

Point 3 is, again, full of 'most'-arguments. If you go to a baker, and he tells you 'most of my breads are not poisonous', do you find that reassuring? Because I sure don't. The original (and subsequent) researchers did not have any trouble finding run-of-the-mill USB sticks that were firmware re-writable. It's not like they went out of their way to find a 1% chance of 'bad' USBs. They were ordinary storage devices that you can buy in any shop. So if those are vulnerable, where does the confidence come from that 'most' others have no such vulnerability? Knowing that only a limited number of manufacturers make these devices, that assumption sounds really doubtful. And as far as the 'physical access' is concerned: of course you need that. But that's not the point. It can be YOU that are accessing it, after all. Since one can't easily discern an 'infected' USB from a 'good' USB, in principle, every USB you plug in could - in theory - already be compromised, without you knowing it. A lot of companies and organisations give 'free' USBs as gifts or whatever; how do you know they're not meddled with? Let alone states. There already have been some states (or their agencies, like the NSA) who 'gifted' away IT stuff that was found out to be compromised afterwards; why couldn't that, in the future, also be USBs?

Granted, it's no use getting paranoid, but the main point is, it remains a vulnerability, and the 'physical access' can easily be reached, since even the owner of a PC can plug in a USB that has been compromised, without him knowing it. I myself plugged in some USB sticks I got from firms, to see their data. With this vulnerability - at least, if it were widely known years before - I would have potentially compromised my entire system. The 'physical access' was me. The only thing to remedy physical access is to not ever use USB sticks. Or to deal with the vulnerability. I prefer the latter.

justincase
Posts: 440
Joined: Sat Nov 15, 2008 4:13 pm

Re: USB Vulnerabilities

Post by justincase »

Basically it boils down to "Don't plug random USB devices into your PC, they could be malicious," which has always been the case. Not only could you get a virus, as with the AutoPlay vulnerabilities which eventually caused Microsoft to simply disable AutoPlay for USB Mass Storage devices, but a flash drive could be something else. For example, look at "U3" drives, which appeared to the USB controller as a USB hub with a USB Mass Storage device plugged into one port and a USB CD drive plugged into another. Not only could somebody use the same trick to manufacture flash drives that include a keyboard, VGA out, mouse, ethernet card, etc. and take complete control of your PC; the U3 drives themselves acted not just as a CD-ROM drive but as a CD BURNER (which was locked except on certain occasions), allowing anybody with the know-how to create their own CD image to 'burn' to the CD and run whatever they wanted.

By now everyone should know that you don't plug random USB devices into your computer, and if they don't, what they need isn't some security requirements in the USB protocol, but better publicity of the fact that you should only plug known, trusted USB devices into your PC (unless you're feeling adventurous).

(didn't somebody mention somewhere that some country's military was compromised by people leaving USB "flash-drives" in parking lots near their military sites? it's because somebody plugged one in without knowing where it came from. D'OH!)
I reserve the right to ignore any portion of any post if I deem it not constructive or likely to cause the discussion to degenerate.

Webunny
Posts: 1201
Joined: Sat Apr 28, 2012 1:30 pm

Re: USB Vulnerabilities

Post by Webunny »

justincase wrote: Basically it boils down to "Don't plug random USB devices into your PC, they could be malicious," which has always been the case. Not only could you get a virus, as with the AutoPlay vulnerabilities which eventually caused Microsoft to simply disable AutoPlay for USB Mass Storage devices, but a flash drive could be something else. For example, look at "U3" drives, which appeared to the USB controller as a USB hub with a USB Mass Storage device plugged into one port and a USB CD drive plugged into another. Not only could somebody use the same trick to manufacture flash drives that include a keyboard, VGA out, mouse, ethernet card, etc. and take complete control of your PC; the U3 drives themselves acted not just as a CD-ROM drive but as a CD BURNER (which was locked except on certain occasions), allowing anybody with the know-how to create their own CD image to 'burn' to the CD and run whatever they wanted.

By now everyone should know that you don't plug random USB devices into your computer, and if they don't, what they need isn't some security requirements in the USB protocol, but better publicity of the fact that you should only plug known, trusted USB devices into your PC (unless you're feeling adventurous).

(didn't somebody mention somewhere that some country's military was compromised by people leaving USB "flash-drives" in parking lots near their military sites? it's because somebody plugged one in without knowing where it came from. D'OH!)
While it's never wise to make an autorun feature, at least, with ordinary viruses, it's detectable by normal virus-scanners. With this exploit, it's not.

Let's be honest here, it has also always been the case that we sometimes plug USBs into our machines that do NOT come straight out of the factory. For instance, I've had RFIs come to me on a USB stick. The data is on there. You need to see it. But it's a 'strange' stick. Even if you trust the company that sent it, you don't know that it's not compromised anyhow. With this, scanning with an anti-virus makes absolutely no sense. Theoretically, they could even come out of the factory in a compromised state, and no normal end user would even be able to notice it.

So, in essence, if you want to be completely sure of not being compromised, you not only need to not plug random USB devices into your PC, you have to not put any USB devices into it, period. Which seems excessive, and rather defeats the purpose of having usb in the first place. I think Nohl already came up with the easiest solution himself: just make sure none of the firmware is rewritable in the first place.

It still would mean not plugging in the 'totally unknown' USBs (those where you have no idea where they're from), but at least it would solve the problem for the vast majority of normally bought and used USBs out in the market.

justincase
Posts: 440
Joined: Sat Nov 15, 2008 4:13 pm

Re: USB Vulnerabilities

Post by justincase »

Webunny wrote:While it's never wise to make an autorun feature, at least, with ordinary viruses, it's detectable by normal virus-scanners. With this exploit, it's not.
Actually Microsoft could have fixed AutoPlay, but they chose instead to disable it for anything that's not a CD. Which is kind of sad considering that one of the first instances of an AutoPlay virus (the first to hit the news where I am) was the stuff that got "inadvertently" added to some batches of Sony's 'Enhanced' audio CDs.
Webunny wrote:I think Nohl already came up with the easiest solution himself: just make sure none of the firmware is rewritable in the first place.

It still would mean to not plug in the 'totally unknown' usb's (those where you have no idea where they from), but at least it would solve the problem for the vast majority of normally bought and used USB's out in the market.
The "vast majority of normally bought and used USB's out in the market" already have read-only firmware, or are even more secure than that, because the manufacturers are too cheap to put a rewritable chip that could function as something more than what it's designed for in a USB device, instead they almost always (with rare exceptions, e.g. Phison's PS2251-03) design them for a specific purpose and cut out anything extra, even if it seems negligible, simply because of the costs, which accumulate as volume increases.

So I'm not saying it's something not to worry about, but it's also not as big a deal as some people would have you believe.
Don't plug random USB devices into your computer, but don't get too paranoid either, OK?

And honestly this kind of attack is possible with other things that you plug in to your computer, it's just more feasible with USB because computers already have so many USB drivers available to be able to accept your (not-really-a-)whatever-device, and most will go on the internet and download whatever other drivers may be necessary for your (not-really-a-)whatever-device, just because you plugged it in.
This is just a danger of "plug'n'play", and if you're careful you'll probably never see a problem from it.

Black_Fox
Posts: 1584
Joined: Fri Feb 15, 2008 9:44 pm
Location: Czechia

Re: USB Vulnerabilities

Post by Black_Fox »

For instance, there is that story that a security researcher hacked around with a MacBook battery firmware.

Webunny
Posts: 1201
Joined: Sat Apr 28, 2012 1:30 pm

Re: USB Vulnerabilities

Post by Webunny »

justincase wrote:
Webunny wrote: While it's never wise to make an autorun feature, at least, with ordinary viruses, it's detectable by normal virus-scanners. With this exploit, it's not.
Actually Microsoft could have fixed AutoPlay, but they chose instead to disable it for anything that's not a CD. Which is kind of sad considering that one of the first instances of an AutoPlay virus (the first to hit the news where I am) was the stuff that got "inadvertently" added to some batches of Sony's 'Enhanced' audio CDs.
Webunny wrote: I think Nohl already came up with the easiest solution himself: just make sure none of the firmware is rewritable in the first place.

It still would mean not plugging in the 'totally unknown' USBs (those where you have no idea where they're from), but at least it would solve the problem for the vast majority of normally bought and used USBs out in the market.
The "vast majority of normally bought and used USBs out in the market" already have read-only firmware, or are even more secure than that, because the manufacturers are too cheap to put a rewritable chip that could function as something more than what it's designed for in a USB device; instead they almost always (with rare exceptions, e.g. Phison's PS2251-03) design them for a specific purpose and cut out anything extra, even if it seems negligible, simply because of the costs, which accumulate as volume increases.

So I'm not saying it's something not to worry about, but it's also not as big a deal as some people would have you believe.
Don't plug random USB devices into your computer, but don't get too paranoid either, OK?

And honestly this kind of attack is possible with other things that you plug in to your computer, it's just more feasible with USB because computers already have so many USB drivers available to be able to accept your (not-really-a-)whatever-device, and most will go on the internet and download whatever other drivers may be necessary for your (not-really-a-)whatever-device, just because you plugged it in.
This is just a danger of "plug'n'play", and if you're careful you'll probably never see a problem from it.
You sure about that last part? Because I thought they said during their presentation (Black Hat) on the youtube-vid that they used run-of-the-mill USB-sticks one could buy everywhere.

I agree one doesn't need to be paranoid, but the thing here is that it's not detectable with any normal means. In that respect, it differs considerably from, say, a classical 'new' virus that gets loose on the internet, for instance. The latter will spread much faster, but is also easily detected. A typical virus doesn't last 12 hours, or there is already a countermeasure for it. This will have a much slower 'infection rate', but it will be much, much longer under the radar too. Come to think of it, isn't the BIOS overwritable too, these days (well, years)? Ah, where is the time of EEPROM? Though, I believe you have modern motherboards which have both: a re-writeable one and then a non-rewritable one as backup, from which you can restore the default settings when necessary (for instance, after faulty flashing of the BIOS).

Z98
Release Engineer
Posts: 3379
Joined: Tue May 02, 2006 8:16 pm

Re: USB Vulnerabilities

Post by Z98 »

Actually a very large percentage of removable storage comes with reprogrammable microcontrollers, because their wide availability makes them dirt cheap so trying to cut costs with a customized solution ends up resulting in a bigger up front engineering cost. But it's a somewhat moot point as while this is a problem, this is more an abuse of features than a security vulnerability since USB is intended to allow for this kind of flexibility. The engineering investment to craft an exploit that takes advantage of these features is not trivial however. If people get hit by this, it'd almost certainly be due to collateral damage like what happened with stuxnet. Criminal organizations simply would not see a high enough ROI to justify this, especially since the delivery vector would be so haphazard. This is something that a nation state would be interested in for using to attack another nation state or companies that they want to steal information or technology from. So it is highly unlikely that we, the general population, need to worry about this. Nothing we do would be important enough to warrant such effort to attack us, especially when there are cheaper methods to do so.

As far as detectability goes, it depends on the attack. If you don't notice your computer doing strange things because the USB drive you just plugged in managed to present itself as a keyboard and is executing keystrokes, you're an idiot. If it's a viral payload, that depends on whether said payload gets detected by virus scanners when it gets loaded into memory. You still have to bypass the OS' built-in protections even if you get a user to plug in a malicious drive.

justincase
Posts: 440
Joined: Sat Nov 15, 2008 4:13 pm

Re: USB Vulnerabilities

Post by justincase »

Black_Fox wrote:For instance, there is that story that a security researcher hacked around with a MacBook battery firmware.
That's really interesting, I'd never heard of that before.
Z98 wrote:Actually a very large percentage of removable storage comes with reprogrammable microcontrollers, because their wide availability makes them dirt cheap so trying to cut costs with a customized solution ends up resulting in a bigger up front engineering cost.
I stand corrected, I was basing that bit off of comments posted to one of the articles linked above.

But I agree that it's pretty unlikely for a criminal organization to try and use this kind of attack, and I think it's even more unlikely that a criminal not part of such an organization would.

So as you say, "it's a somewhat moot point".

(and I like this quote: "If you don't notice your computer doing strange things because the USB drive you just plugged in managed to present itself as a keyboard and is executing keystrokes, you're an idiot." it makes me smile. :D)

Tonix
Posts: 89
Joined: Tue May 22, 2007 11:33 am

Re: USB Vulnerabilities

Post by Tonix »

Z98 wrote:this is more an abuse of features than a security vulnerability since USB is intended to allow for this kind of flexibility.
[..] If you don't notice your computer doing strange things because the USB drive you just plugged in managed to present itself as a keyboard and is executing keystrokes, you're an idiot.
same opinion ;)

I will begin to be upset about this when a USB pen drive, recognized as USB removable media, can act as a keylogger.

But this is possible only with a hacked device driver. You can develop a removable media driver that registers itself for keyboard events and calls a hardware service on the USB device to store keystrokes, but a standard keyboard driver shouldn't do this.

Every piece of hardware needs a driver to work, and every driver can contain exploits.
Are you sure that your [add a device type here] driver doesn't send information to someone when it says "check for updates"?

Webunny
Posts: 1201
Joined: Sat Apr 28, 2012 1:30 pm

Re: USB Vulnerabilities

Post by Webunny »

Z98 wrote:Actually a very large percentage of removable storage comes with reprogrammable microcontrollers, because their wide availability makes them dirt cheap so trying to cut costs with a customized solution ends up resulting in a bigger up front engineering cost. But it's a somewhat moot point as while this is a problem, this is more an abuse of features than a security vulnerability since USB is intended to allow for this kind of flexibility. The engineering investment to craft an exploit that takes advantage of these features is not trivial however. If people get hit by this, it'd almost certainly be due to collateral damage like what happened with stuxnet. Criminal organizations simply would not see a high enough ROI to justify this, especially since the delivery vector would be so haphazard. This is something that a nation state would be interested in for using to attack another nation state or companies that they want to steal information or technology from. So it is highly unlikely that we, the general population, need to worry about this. Nothing we do would be important enough to warrant such effort to attack us, especially when there are cheaper methods to do so.
As I thought. Everyone was acting as if this was a given, while anyone who had watched the original presentation would have noted they said they used normal USB sticks. I largely agree with what you say here. As I said in my earlier post, the 'spreading' of it on USB would be much smaller and slower than a regular virus through the internet, which makes it less interesting for criminal organisations targeting broad swaths of people/PCs. For very specific targets, this could well be a very good attack modus, since it stays under the radar - interesting for NSA-like organisations (or criminal activity specific to one lucrative target), but not something one has to worry about as a regular user.
Z98 wrote: As far as detectability goes, it depends on the attack. If you don't notice your computer doing strange things because the USB drive you just plugged in managed to present itself as a keyboard and is executing keystrokes, you're an idiot. If it's a viral payload, that depends on whether said payload gets detected by virus scanners when it gets loaded into memory. You still have to bypass the OS' built-in protections even if you get a user to plug in a malicious drive.
Hmm. I had the tendency, when reading that, to agree and boast a bit too (just like some others were quick to do) - I mean, who *would* want to be regarded as an IT idiot, especially in these kinds of forums?... but that would be a bit blasé, so I decided to go against that first reaction. Truth is, no one can actually guarantee it could never happen to himself. I myself am very careful in this regard, and while I had been free from viruses for 6 years, 4 months ago I suddenly discovered a virus on my PC nevertheless. So never say never. Absolute security doesn't exist. As for the USB hack; if you (again) note on the video, they themselves show and say it is hardly noticeable. Even if one postulates that we, IT-knowledgeable people, would not be fooled by it - which is still a bit doubtful to claim with absolute certainty, as said - it still remains a fact that for the vast majority of PC users, this would pass through without any eyebrows being raised. In that sense, when taking the remark at face value, one could say 90% of the populace is 'an idiot'.

While that might feel good, especially when considering 'I am with the 10% who isn't an idiot' , this does not make things any safer, though. And I do not think it's warranted unless from a standpoint of IT-superiority. I mean, if I think about my grandfather, who can barely email, can one really expect him to 'notice' such a thing? That doesn't mean he's an idiot, though.
justincase wrote: I stand corrected, I was basing that bit off of comments posted to one of the articles linked above.
Which is why I said I had my doubts about the validity of what was being claimed there. The majority of his counterarguments are based on presumptions, which turn out to be wrong. What Z98 said made a lot more sense. As I said too, there is no need to be paranoid. But the arguments given to counter and minimise the risk were not really worth much.
