Malicious USB device firmware the next big infection vector?


Researchers from German security consultancy SR Labs have created a whole new class of attacks that can compromise computer systems via ubiquitous and widely used USB-connected devices (storage drives, keyboards, mice, smartphones, etc.).

USB devices, as we all know, can carry malware in their flash memory storage, but what researchers Karsten Nohl and Jakob Lell discovered is that it's possible to reverse-engineer the firmware of USB devices (i.e. the code running on the controller chip that makes them function) and reprogram it to contain attack code.

This malicious firmware, which they dubbed BadUSB, can be used by attackers to take over a target computer (for instance by having the device pose as a keyboard and type commands), redirect the user's internet traffic by making the computer use an attacker-chosen DNS server, make the computer install additional malware, change files, spy on the user, and so on.

The two are set to present several demonstrations of these attacks at the upcoming Black Hat security conference, and while it's good to know such attacks are possible, the bad news is that we, as users, can't do much to prevent them other than stop using USB devices altogether.

The malicious firmware can't be detected by antivirus solutions, and reformatting the drive does nothing to remove it, because the firmware lives in the controller chip rather than in the storage area the operating system sees. And without advanced knowledge of computer forensics, it's practically impossible to make sure that a USB device's firmware hasn't been altered.

It has been noted by some that this type of attack might have already been used in the wild, by none other than the US NSA. Of course, we can't know for sure.

More bad news is that the infection runs both ways: a compromised USB device can infect a computer, and malware on a compromised PC can just as easily modify the firmware of USB devices plugged into it without the user noticing.

The researchers reprogrammed controller chips manufactured by Taiwan-based Phison Electronics and used them in memory drives and Android-running smartphones. According to Tech2, Taiwan-based Alcor Micro and Silicon Motion Technology also manufacture similar chips, and even though the researchers haven't tested them, it's very probable that they can be reprogrammed in the same way, as chip manufacturers are not required to secure the firmware against modification.

“The next time you have a virus on your computer, you pretty much have to assume your peripherals are infected, and computers of other people who connected to those peripherals are infected,” Nohl commented for Ars Technica.

“No effective defenses from USB attacks are known. Malware scanners cannot access the firmware running on USB devices. USB firewalls that block certain device classes do not (yet) exist. And behavioral detection is difficult, since a BadUSB device’s behavior when it changes its persona looks as though a user has simply plugged in a new device,” the researchers pointed out.

“To make matters worse, cleanup after an incident is hard: Simply reinstalling the operating system – the standard response to otherwise ineradicable malware – does not address BadUSB infections at their root. The USB thumb drive, from which the operating system is reinstalled, may already be infected, as may the hardwired webcam or other USB components inside the computer. A BadUSB device may even have replaced the computer’s BIOS – again by emulating a keyboard and unlocking a hidden file on the USB thumb drive. Once infected, computers and their USB peripherals can never be trusted again.”
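The researchers' point that a persona change "looks as though a user has simply plugged in a new device" is exactly what a host-side tripwire can key on: the one thing a reprogrammed stick cannot hide is that the port it sits on suddenly presents a different set of USB interfaces. The script below is an added example, not the SR Labs researchers' code. It reads udev-style device properties (the ID_USB_INTERFACES, ID_VENDOR_ID and ID_MODEL_ID values that udevadm info or pyudev report for a device) and flags three things: a storage device that also exposes a keyboard or network interface, any device that presents itself as a network adapter (the route to forcing a rogue DNS server on the host), and a re-enumeration on the same physical port that changes persona within a short window. All event records, vendor/product IDs and sysfs paths in it are constructed for illustration.

```python
"""Behavioral triage of USB plug-in events for BadUSB-style persona changes.

Added example, not the SR Labs researchers' code. It reads udev-style device
properties (the ID_USB_INTERFACES, ID_VENDOR_ID and ID_MODEL_ID values that
`udevadm info` or pyudev report for a USB device) and flags a device that
changes persona on the same physical port. All events below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass

# USB-IF interface class codes used by the heuristic.
CLASS_CDC_CONTROL = 0x02
CLASS_HID = 0x03
CLASS_MASS_STORAGE = 0x08
CLASS_CDC_DATA = 0x0A
CLASS_WIRELESS = 0xE0


@dataclass(frozen=True)
class UsbEvent:
    t: float          # seconds since boot, as in the kernel log
    devpath: str      # sysfs path; its tail (e.g. usb1/1-1) identifies the physical port
    vendor_id: str    # udev ID_VENDOR_ID
    model_id: str     # udev ID_MODEL_ID
    interfaces: str   # udev ID_USB_INTERFACES, e.g. ":080650:030101:"


@dataclass(frozen=True)
class Finding:
    t: float
    devpath: str
    kind: str         # "composite", "network_persona" or "persona_change"
    detail: str


def parse_interfaces(value: str) -> list[tuple[int, int, int]]:
    """Split udev's ":ccsspp:ccsspp:" list into (class, subclass, protocol) triples."""
    triples = []
    for item in value.strip(":").split(":"):
        if len(item) != 6:
            raise ValueError(f"malformed interface descriptor: {item!r}")
        triples.append((int(item[0:2], 16), int(item[2:4], 16), int(item[4:6], 16)))
    return triples


def _is_network(cls: int, sub: int, proto: int) -> bool:
    # CDC-ECM (06), CDC-EEM (0C), CDC-NCM (0D), and RNDIS as 02/02/FF or E0/01/03.
    if cls == CLASS_CDC_CONTROL and sub in (0x06, 0x0C, 0x0D):
        return True
    if cls == CLASS_CDC_CONTROL and sub == 0x02 and proto == 0xFF:
        return True
    return cls == CLASS_WIRELESS and sub == 0x01 and proto == 0x03


def personas(triples: list[tuple[int, int, int]]) -> frozenset[str]:
    """Reduce interface triples to the roles the host will see the device play."""
    roles = set()
    for cls, sub, proto in triples:
        if cls == CLASS_MASS_STORAGE:
            roles.add("storage")
        elif cls == CLASS_HID:
            # 03/01/01 is a boot-protocol keyboard, the persona used to type commands at the host.
            roles.add("keyboard" if (sub, proto) == (0x01, 0x01) else "hid")
        elif _is_network(cls, sub, proto):
            roles.add("network")   # a fake NIC can hand the host a rogue DNS server over DHCP
        elif cls == CLASS_CDC_DATA:
            continue               # data channel that accompanies a CDC control interface
        else:
            roles.add("other")
    return frozenset(roles)


def analyze(events: list[UsbEvent], window: float = 60.0) -> list[Finding]:
    """Flag composite storage+input devices, new network personas, and re-enumerations
    on the same port that change persona within `window` seconds."""
    findings: list[Finding] = []
    last_seen: dict[str, tuple[float, frozenset[str], str]] = {}
    for ev in sorted(events, key=lambda e: e.t):
        roles = personas(parse_interfaces(ev.interfaces))
        ident = f"{ev.vendor_id}:{ev.model_id}"
        extra = roles & {"keyboard", "hid", "network"}
        if "storage" in roles and extra:
            findings.append(Finding(ev.t, ev.devpath, "composite",
                                    f"{ident} exposes storage together with {sorted(extra)}"))
        if "network" in roles:
            findings.append(Finding(ev.t, ev.devpath, "network_persona",
                                    f"{ident} presents a network adapter"))
        prev = last_seen.get(ev.devpath)
        if prev is not None:
            prev_t, prev_roles, prev_ident = prev
            if ev.t - prev_t <= window and prev_roles != roles:
                findings.append(Finding(ev.t, ev.devpath, "persona_change",
                                        f"{prev_ident} {sorted(prev_roles)} -> {ident} {sorted(roles)} "
                                        f"after {ev.t - prev_t:.1f}s"))
        last_seen[ev.devpath] = (ev.t, roles, ident)
    return findings


PORT = "/devices/pci0000:00/0000:00:14.0/usb1/"   # hypothetical host controller path
SAMPLE_EVENTS = [  # constructed for this example, not captured from a real host
    UsbEvent(100.0, PORT + "1-2", "1a2b", "0002", ":030101:"),          # an ordinary keyboard on port 1-2
    UsbEvent(120.0, PORT + "1-1", "1a2b", "0001", ":080650:"),          # thumb drive on port 1-1
    UsbEvent(131.5, PORT + "1-1", "1a2b", "0001", ":080650:030101:"),   # same drive re-enumerates with a keyboard interface
    UsbEvent(140.0, PORT + "1-1", "1a2b", "00ff", ":020600:0a0000:"),   # port 1-1 now presents a CDC-ECM network adapter
    UsbEvent(900.0, PORT + "1-1", "1a2b", "0001", ":080650:"),          # plain drive again, outside the window: a fresh plug-in
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"t={f.t:7.1f} {f.devpath.rsplit('/', 1)[-1]:>4} {f.kind:15} {f.detail}")
```

On the constructed events the keyboard on port 1-2 and the plain drive are silent; the drive that grows a keyboard interface raises a composite and a persona-change finding, and the switch to a network adapter eight seconds later raises a network-persona and a second persona-change finding. Two caveats a practitioner should keep in mind: vendor and product IDs are self-reported, so a reprogrammed device can mimic whatever it likes and the port, not the ID, is the only stable handle; and legitimate composite devices (phones exposing storage plus tethering, keyboards with built-in hubs or card readers) will trip the same rules, so the output is a list to investigate, not a blocklist.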

There are two options to prevent this type of attack from becoming an everyday occurrence: one, users should never lend their USB devices to other people, nor use ones they received from others; two, controller chip manufacturers should implement defenses that prevent the firmware from being modified by unauthorised parties, such as accepting only signed firmware updates.