Bad USBs are bad for customers

Egemen Tas asks whether the current level of trust in USB-supported peripherals is misplaced

Intelligence agencies have been known to modify USB controller firmware to hide and encrypt data within USB drives. It should be no surprise that such techniques have also been used for malicious purposes.

Fraudsters have been using hacked firmware to sell USB drives that show higher storage capacity than they actually have for a while now.

Earlier this year, we saw the emergence of the BadUSB proof-of-concept attacks, demonstrated by security researchers Jakob Lell and Karsten Noll at Black Hat in the US.

More recently, another pair of researchers reverse-engineered the hack – and have made their work available to the public.

The hackers say they're publishing their work so the community can come up with a solution.

BadUSB is a form of malware that can be installed on a USB drive and will infect a PC once docked.

Residing in the firmware that controls basic functions rather that the flash memory, BadUSB's attack code can remain hidden even after it appears to have been deleted from the device's memory.

USB controller chips' firmware offers zero protection from reprogramming, meaning that even an ordinary thumb drive can compromise a PC's security.

Such security compromises include emulation of keyboard commands, infection of controller chips of other USB devices connected to the computer, the changing of a PC's DNS setting, to redirect traffic, and the infection of a PC's operating system with a virus pre-boot.

To make things worse, it is believed that reinstalling the OS does not address the infection at its root. Any other USB devices could still be infected: thumb drives, webcams, mice, or keyboards.

Essentially, once you've suffered an infection, computers and USB-based peripherals cannot be trusted.

The only way to guarantee you do not have a BadUSB-style infection is by prevention – by only using trusted devices and computers.

Malware already exisits that can infect USB drives, but if we start to see more malware that propagates itself by flashing USB controller firmware – or if we see maliciously tampered-with USB drives shipped to consumers and enterprises from the factories – it would be a forensic analysis nightmare.

Nevertheless, for IT administrators, removable devices have always been a major source of concern. Fortunately, there are straightforward ways to regulate the use of USB storage devices across an enterprise network.

Almost all end-point security management products allow administrators to create policies that allow or deny the use of such devices. However, an alternative solution would be if the manufacturers produced USB controller chips which do not allow firmware re-flashing except by the factory itself.

To combat this flaw, we need to better assess the available counter-measures. The root cause of the problem should be addressed by the manufacturers, but security vendors will definitely provide solutions for the attacks if this flaw is explored by attackers more often in future.

Whether through BadUSB or not, malware has to infect the computers and traditional black-list-based anti-virus products will have a hard time preventing zero-day infections coming from USBs.

Automatic sandboxing technology, which can isolate the files not based on their content but their reputation and their source in a content-agnostic way, is vital. IT admins need a security tool in their arsenal to mitigate the risks posed by removable devices.

Of course, it's possible that hackers have been exploiting this flaw for years without people becoming aware of it. But designing and executing an effective attack which uses this technique requires a lot of resources on the attacker's part.

If it was used, it would have been a state-sponsored cyber-intelligence or cyber-war activity.

Plugging your USB device into someone else's computer is already risky, even without BadUSB flaws potentially residing on the firmware in future. The use of USB drives has become an everyday occurrence and people rarely worry about the security implications – until now.

Egemen Tas is vice president of engineering at Comodo Group