SAFEnet USB stick - Why the Security of USB Is Fundamentally Broken

Why the Security of USB Is Fundamentally Broken

Edit** This Blackhat Conference Video, demonstrates live examples of attacks ios7 exploit, bluetooth, remoting usb attacks,

Edit 2** Link to Slides for the Blackhat Talk

Mitigation:

  • If remoteFX is not required on the Server, turn it off
  • If remoteFX is required, specify GUID’s of authorised USB devices
  • Do not enable remoteFX USB remoting on clients
  • Minimise the use of USB ‘High-Level’ remoting vis RDP
  • Be more concious of local vulnerabilities and apply the patches

Conclusions

  • Physical access is no longer required to trigger windows USB bugs
  • RemoteFX USB remoting has exposed more of the kernel to hackers
  • Need to investigate other remote technologies ie Citrix
  • The ‘internet of things’ is full of USB possibilities

May be relevant to the planned Maidsafe.net joint venture USB stick.

Computer users pass around USB sticks like silicon business cards. Although we know they often carry malware infections, we depend on antivirus scans and the occasional reformatting to keep our thumbdrives from becoming the carrier for the next digital epidemic. But the security problems with USB devices run deeper than you think: Their risk isn’t just in what they carry, it’s built into the core of how they work.

That’s the takeaway from findings security researchers Karsten Nohl and Jakob Lell plan to present next week, demonstrating a collection of proof-of-concept malicious software that highlights how the security of USB devices has long been fundamentally broken. The malware they created, called BadUSB, can be installed on a USB device to completely take over a PC, invisibly alter files installed from the memory stick, or even redirect the user’s internet traffic. Because BadUSB resides not in the flash memory storage of USB devices, but in the firmware that controls their basic functions, the attack code can remain hidden long after the contents of the device’s memory would appear to the average user to be deleted. And the two researchers say there’s no easy fix: The kind of compromise they’re demonstrating is nearly impossible to counter without banning the sharing of USB devices or filling your port with superglue.

“These problems can’t be patched,” says Nohl, who will join Lell in presenting the research at the Black Hat security conference in Las Vegas. “We’re exploiting the very way that USB is designed.”

‘IN THIS NEW WAY OF THINKING, YOU HAVE TO CONSIDER A USB INFECTED AND THROW IT AWAY AS SOON AS IT TOUCHES A NON-TRUSTED COMPUTER.’

Nohl and Lell, researchers for the security consultancy SR Labs, are hardly the first to point out that USB devices can store and spread malware. But the two hackers didn’t merely copy their own custom-coded infections into USB devices’ memory. They spent months reverse engineering the firmware that runs the basic communication functions of USB devices—the controller chips that allow the devices to communicate with a PC and let users move files on and off of them. Their central finding is that USB firmware, which exists in varying forms in all USB devices, can be reprogrammed to hide attack code. “You can give it to your IT security people, they scan it, delete some files, and give it back to you telling you it’s ‘clean,’” says Nohl. But unless the IT guy has the reverse engineering skills to find and analyze that firmware, “the cleaning process doesn’t even touch the files we’re talking about.”

The problem isn’t limited to thumb drives. All manner of USB devices from keyboards and mice to smartphones have firmware that can be reprogrammed—in addition to USB memory sticks, Nohl and Lell say they’ve also tested their attack on an Android handset plugged into a PC. And once a BadUSB-infected device is connected to a computer, Nohl and Lell describe a grab bag of evil tricks it can play. It can, for example, replace software being installed with with a corrupted or backdoored version. It can even impersonate a USB keyboard to suddenly start typing commands. “It can do whatever you can do with a keyboard, which is basically everything a computer does,” says Nohl.

The malware can silently hijack internet traffic too, changing a computer’s DNS settings to siphon traffic to any servers it pleases. Or if the code is planted on a phone or another device with an internet connection, it can act as a man-in-the-middle, secretly spying on communications as it relays them from the victim’s machine.

Most of us learned long ago not to run executable files from sketchy USB sticks. But old-fashioned USB hygiene can’t stop this newer flavor of infection: Even if users are aware of the potential for attacks, ensuring that their USB’s firmware hasn’t been tampered with is nearly impossible. The devices don’t have a restriction known as “code-signing,” a countermeasure that would make sure any new code added to the device has the unforgeable cryptographic signature of its manufacturer. There’s not even any trusted USB firmware to compare the code against.

The element of Nohl and Lell’s research that elevates it above the average theoretical threat is the notion that the infection can travel both from computer to USB and vice versa. Any time a USB stick is plugged into a computer, its firmware could be reprogrammed by malware on that PC, with no easy way for the USB device’s owner to detect it. And likewise, any USB device could silently infect a user’s computer. “It goes both ways,” Nohl says. “Nobody can trust anybody.”

But BadUSB’s ability to spread undetectably from USB to PC and back raises questions about whether it’s possible to use USB devices securely at all. “We’ve all known if that you give me access to your USB port, I can do bad things to your computer,” says University of Pennsylvania computer science professor Matt Blaze. “What this appears to demonstrate is that it’s also possible to go the other direction, which suggests the threat of compromised USB devices is a very serious practical problem.”

Blaze speculates that the USB attack may in fact already be common practice for the NSA. He points to a spying device known as Cottonmouth, revealed earlier this year in the leaks of Edward Snowden. The device, which hid in a USB peripheral plug, was advertised in a collection of NSA internal documents as surreptitiously installing malware on a target’s machine. The exact mechanism for that USB attack wasn’t described. “I wouldn’t be surprised if some of the things [Nohl and Lell] discovered are what we heard about in the NSA catalogue.”

THE ALTERNATIVE IS TO TREAT USB DEVICES LIKE HYPODERMIC NEEDLES.

Nohl says he and Lell reached out to a Taiwanese USB device maker, whom he declines to name, and warned the company about their BadUSB research. Over a series of emails, the company repeatedly denied that the attack was possible. When WIRED contacted the USB Implementers Forum, a nonprofit corporation that oversees the USB standard, spokeswoman Liz Nardozza responded in a statement. “Consumers should always ensure their devices are from a trusted source and that only trusted sources interact with their devices,” she wrote. “Consumers safeguard their personal belongings and the same effort should be applied to protect themselves when it comes to technology.

Nohl agrees: The short-term solution to BadUSB isn’t a technical patch so much as a fundamental change in how we use USB gadgets. To avoid the attack, all you have to do is not connect your USB device to computers you don’t own or don’t have good reason to trust—and don’t plug untrusted USB devices into your own computer. But Nohl admits that makes the convenient slices of storage we all carry in our pockets, among many other devices, significantly less useful. “In this new way of thinking, you can’t trust a USB just because its storage doesn’t contain a virus. Trust must come from the fact that no one malicious has ever touched it,” says Nohl. “You have to consider a USB infected and throw it away as soon as it touches a non-trusted computer. And that’s incompatible with how we use USB devices right now.”

The two researchers haven’t yet decided just which of their BadUSB device attacks they’ll release at Black Hat, if any. Nohl says he worries that the malicious firmware for USB sticks could quickly spread. On the other hand, he says users need to be aware of the risks. Some companies could change their USB policies, for instance, to only use a certain manufacturer’s USB devices and insist that the vendor implement code-signing protections on their gadgets.

Implementing that new security model will first require convincing device makers that the threat is real. The alternative, Nohl says, is to treat USB devices like hypodermic needles that can’t be shared among users—a model that sows suspicion and largely defeats the devices’ purpose. “Perhaps you remember once when you’ve connected some USB device to your computer from someone you don’t completely trust,” says Nohl. “That means you can’t trust your computer anymore. This is a threat on a layer that’s invisible. It’s a terrible kind of paranoia.”

2 Likes

Problem is, there’s no way to know if even a brand new USB device (this is not just thumb drives, but anything that connects to your PC USB) is trustable.

I’ve been wondering about this for a while now. It surprises me that it’s news!

This is truly disturbing. Not too surprising, but disturbing.

I guess it’s back to distributing cds for os images, eh? Except more and more devices don’t have cd/dvd drives anymore. Humph!

I’m thinking that a compromised Vault whether on a computer or any other device, will be seen as a bad actor and ejected from the network.

So, not a problem for the integrity of the SAFEnetwork?

But when your planning to distribute SAFE to the worlds poorest people and the distribution mechanism becomes compromised/ unsuited to the task?

Well that’s the gloomy outlook, but what is the incentive to hack/ spy on the worlds poorest people in the first place…certainly not financial…so probably not an issue worth worrying about, when you can control the Vault image from the factory.

I sometimes feel like self censoring and not posting these privacy/security compromised stories, but when applying positive SAFEthinking it’s not a problem :slight_smile:

A SAFE world were inventors can work, free in the knowledge that their IP is not being stolen…has to give momentum to a complete rethink of computing hardware, SAFEhardware.

It makes my brain explode already, thinking about having total privacy and data security…there’s no books that I know of, discussing ‘this is what happens’ …but add in 3D printing, robotics and a global brain…oh boy!

So hopefully a SAFEOS running on SAFEhardware…were not headed for a singularity…it’s a SAFE omniarity…way better :slight_smile:

The problem is that this exposes local machines. Suppose USB device infection was (maybe is) rife. It means every machine touched once by an infected device is exposed to any kind of malware, which means SAFE credentials are compromised. This means SAFE’s own security is compromised at the client.

The problem is I don’t see how SAFE can protect against this without finding or becoming a trusted hardware suppliers. Even a keyboard becomes a malware issue.

I suppose there is some scope for booting from SAFE protection, where the SAFE-OS ensures that it is the only transmitter on the network - which would prevent local malware (eg in a keyboard) from phoning home. Grim though!

Well, if you were starting out to invent a 100% secure data network today, you would presume that everything was compromised.

David Irvine would have suspected this for sure and that would have been enough to design for worst case scenario I would have thought.

I would hate to think SAFE would be delayed, due to the lack of a ‘unique human voice’ algorithm…because surely that would be the best we can get. I cant envisage any other biometric standing up over time…despite what hollywood might have us believe.

Maybe David has been studying other creatures and has something up his sleeve :wink:

1 Like

Our Messiah will surely save us, all hail @dirvine!!!

Reckon he’d get a kick out of an Englishman prostrating before him :wink:

1 Like

SD cards and similar storage products that don’t use USB don’t seem to be affected.

We need flash drives that have been physically disabled from loading firmware, after the initial firmware has been loaded (e.g. cutting a board trace). I’m a bit surprised it isn’t that way already.