That Innocent Little Thumb Drive Could Be Big Security Trouble
Users have no immediate cause for worry about USB security, maintained Robert Capps of RedSeal Networks. "This vulnerability does not appear to be simple to operationalize due to the variety of devices, chipsets and firmware that must be targeted to enable a wide-reaching and successful attack," he explained. That could change if hackers were successful in attacking the supply chain, however.
08/01/14 11:03 AM PT
USB flash drives could be at risk of a pernicious attack on their firmware.
Over the past two decades, USB devices, aka "thumb drives," have proliferated all over the world, because USB has proven to be a versatile standard. That versatility, though, also makes USB devices vulnerable to what could be a very nasty firmware attack by hackers, noted Karsten Nohl and Jakob Lell of Secure Research Labs.
Since different device classes can plug into the same connectors, one type of device can turn into a more capable or malicious type without a user noticing, they explained.
To turn one device type into another, they continued, USB controller chips in peripherals need to be reprogrammed. Very widely spread USB controller chips, including those in thumb drives, have no protection against reprogramming.
The device can be reprogrammed to do a number of malevolent things, such as emulate a keyboard and issue commands to the system it's plugged into, spoof a network card and redirect traffic from an infected system to a data thief's lair, or plant malware on a machine's operating system or BIOS before it boots.
Paranoia Strikes Deep
So far, the researchers have tested their firmware attack only on USB stick drives -- a test they'll be demonstrating at the Black Hat conference next week in Las Vegas. However, all USB devices could be at risk -- even those built into a computer.
"Built-in webcams are usually connected over USB," Nohl told TechNewsWorld. "What do you do if you have a suspicion that there's malware in that webcam? Do you break off that part of your computer?"
"You can see how nothing can be trusted anymore after one of these connected devices are infected," he added.
Infected devices are almost impossible to disinfect.
"You always require the help of the current firmware to change it," Nohl said, "so even if you tried to replace the infected firmware with clean firmware, the modified firmware could ignore it or store it someplace while continuing to run the modified version."
What's more, identifying the infection is also almost impossible, because malware scanners typically don't scan firmware for malicious programming.
Although you might see symptoms of malware on your computer, you can never know what's causing them.
"This has the potential to lead to a lot of paranoia. It's like a disease where you can only detect the symptoms and not the virus causing it," Nohl said.
"Consumers should always ensure their devices are from a trusted source and that only trusted sources interact with their devices," said Liz Nardozza, spokesperson for the USB Implementers Forum.
"In order for a USB device to be corrupted, the offender would need to have physical access to the USB device. To prevent the spread of malware, consumers should only grant trusted sources with access to their USB devices," she advised.
The current USB standard includes additional security capabilities, but implementation of those capabilities is up to makers of USB devices.
"Greater capabilities of any product likely results in higher prices, and consumers choose on a daily basis what they are willing to pay to receive certain benefits," Nardozza said.
There are USB stick drives in the market with such added security capabilities, and their makers say the devices are immune to a firmware attack.
A stick drive that skirts the typical USB boot-up procedure is offered by Kanguru Solutions, for example.
"When it's plugged into the machine, it launches its own application," Kanguru President and CEO Don Brown told TechNewsWorld. "It doesn't run the standard USB firmware."
Don't Worry - Yet
Another company that makes a USB stick with security capabilities is IronKey.
"Any of the firmware on our devices is always digitally signed by us," said IronKey Executive Director of Engineering Ken Jones.
"Nothing can go on that device unless it's signed," he told TechNewsWorld. "We did that because we didn't want someone getting in and putting something on there that shouldn't be on there."
Users have no immediate cause for worry about the researchers' findings, maintained Robert Capps, senior director for customer success at RedSeal Networks.
"Based on the details that have come to light so far, this vulnerability does not appear to be simple to operationalize due to the variety of devices, chipsets and firmware that must be targeted to enable a wide-reaching and successful attack," he told TechNewsWorld.
What is concerning, however, is the potential the attack could have on the product supply chain, Capps pointed out.
"Devices can be manufactured with the compromise already embedded in the hardware," he said. "There are no good methods for most consumers or businesses to identify compromised hardware."