Simply plugging a USB device into a computer could lead to exploitation. That’s a fact that shouldn’t be news, and yet it is this week. A presentation scheduled for the Black Hat USA security conference in Las Vegas next week is set to reveal new flaws in USB devices that will enable attackers to install malware on user devices.
Karsten Nohl and Jakob Lell, two researchers with the Security Research Labs, are scheduled to deliver a talk at Black Hat titled, “BadUSB—On Accessories that Turn Evil” that will provide full details on the new flaws.
“We demonstrate a full-system compromise from USB and a self-replicating USB virus not detectable with current defenses,” the Black Hat session abstract states. “We then dive into the USB stack and assess where protection from USB malware can and should be anchored.”
In a blog post providing more insight into the talk, Nohl and Lell reveal that the root trigger for their USB exploitation technique is by abusing and reprogramming the USB controller chips, which are used to define the device type. USB is widely used for all manner of computer peripherals as well as in storage devices. The researchers alleged that the USB controller chips in most common flash drives have no protection against reprogramming.
“Once reprogrammed, benign devices can turn malicious in many ways,” the researchers stated.
Some examples they provide include having an arbitrary USB device pretend to be a keyboard and then issue commands with the same privileges as the logged-in user. The researchers contend that detecting the malicious USB is hard and malware scanner similarly won’t detect the issue.
I’m not surprised, and no one else should be, either. After all, this isn’t the first time researchers at a Black Hat USA security conference demonstrated how USB can be used to exploit users.
Last year, at the Black Hat USA 2013 event, security researchers demonstrated the MACTANS attack against iOS devices. With MACTANS, an Apple iOS user simply plugs in a USB plug in order to infect Apple devices. Apple has since patched that flaw.
In the MACTANS case, USB was simply used as the transport cable for the malware, but the point is the same. Anything you plug into a device, whether it’s a USB charger, keyboard or thumb drive has the potential to do something malicious. A USB thumb drive is widely speculated to be the way that the Stuxnet virus attacked Iran’s nuclear centrifuges back in 2010. The U.S. National Security Agency (NSA) allegedly has similar USB exploitation capabilities in its catalog of exploits, leaked by whistleblower Edward Snowden.
While the Security Research Labs researchers claim there are few defenses, the truth is somewhat different.
A reprogrammed USB device can have certain privileges that give it access to do things it should not be able to do, but the bottom line is about trust. On a typical Windows system, USB devices are driven by drivers that are more often than not signed by software vendors. If a warning pops up on a user’s screen to install a driver, or that an unsigned driver is present, that should be a cause for concern.
As a matter of best practice, don’t plug unknown USB devices into your computing equipment. It’s just common sense, much like users should not open attachments that look suspicious or click on unknown links. The BadUSB research at this year’s Black Hat USA conference is not as much a wake-up call for USB security as it is a reminder of risks that have been known for years.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.