A pair of researchers has discovered a flaw in the USB protocol's basic architecture that allows malware to be programmed into a device's controller firmware, making it nearly undetectable and, because the weakness lies in the design itself, impossible to patch.
To demonstrate the ubiquitous vulnerability, SR Labs security researchers Karsten Nohl and Jakob Lell created a proof-of-concept called "BadUSB" that can be installed on any universal serial bus device, including memory sticks, keyboards, smartphones and more, to take over a victim's PC, insert or change files, modify DNS settings and otherwise play havoc with host hardware, reports Wired.
BadUSB is not a common piece of malware that can simply be copied onto a USB drive's flash memory. Nohl and Lell reverse engineered the controller firmware that implements a device's USB communication, including moving data on and off a storage device, and found that malicious code can be inserted and hidden within it with a bit of reprogramming.
"These problems can't be patched," Nohl said. "We're exploiting the very way that USB is designed."
Unless the tainted firmware is itself dumped and reverse engineered, the malware is protected from discovery and will remain on a device even after its storage has been wiped, the routine procedure for clearing suspected malicious software.
Further, BadUSB is bidirectional. In other words, if the malware's payload is written to do so, a malicious thumb drive can compromise the host computer, and the compromised host can in turn reprogram the controller firmware of any other USB device plugged into it, spreading the code silently from device to host to device. In their testing, Nohl and Lell found that essentially any USB device could be reprogrammed this way.
As there is no easy fix for malware like BadUSB, the researchers suggest users adopt a new way of thinking about USB hardware. Instead of casually transporting files and other data back and forth between machines, Nohl and Lell recommend connecting only to known devices that the user owns or otherwise trusts.
"In this new way of thinking, you can't trust a USB just because its storage doesn't contain a virus. Trust must come from the fact that no one malicious has ever touched it," Nohl said. "You have to consider a USB infected and throw it away as soon as it touches a non-trusted computer."
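The trust model the researchers describe above, worked through as an added example (this is not code from the article or from SR Labs): a small host-side policy check that trusts only an explicit allow-list of known devices, and flags a device whose advertised USB interface classes no longer match what that device is supposed to be, which is what a storage stick reprogrammed to also act as a keyboard or network adapter looks like to the host. Every device record, vendor/product ID, serial number and allow-list entry below is constructed sample data; nothing is read from real hardware.

```python
"""Added example, not part of the original article: a host-side USB
trust policy in the spirit of "only connect known devices".

All devices and the allow-list are constructed sample data.
"""
from dataclasses import dataclass

# USB interface class codes (USB-IF class code list)
CLASS_CDC_CONTROL = 0x02   # communications control, e.g. CDC Ethernet
CLASS_HID = 0x03           # human interface device: keyboards, mice
CLASS_MASS_STORAGE = 0x08  # ordinary thumb drive
CLASS_CDC_DATA = 0x0A      # communications data channel

# Interfaces a plain storage stick has no business exposing: one that can
# type keystrokes into the host, or one the host will treat as a network
# adapter (and accept DNS/route settings from).
INPUT_OR_NETWORK = frozenset({CLASS_HID, CLASS_CDC_CONTROL, CLASS_CDC_DATA})


@dataclass(frozen=True)
class UsbDevice:
    vid: int                 # idVendor as reported by the device
    pid: int                 # idProduct as reported by the device
    serial: str              # iSerial string descriptor
    interface_classes: tuple  # bInterfaceClass of every interface enumerated


# Hypothetical allow-list: device identity -> the interface classes it is
# expected to expose. Built from devices you own and have enumerated
# while you still trusted them.
ALLOWLIST = {
    (0x0951, 0x1666, "0C9D92B1"): frozenset({CLASS_MASS_STORAGE}),  # team thumb drive
    (0x046D, 0xC31C, "LOGIKB01"): frozenset({CLASS_HID}),           # office keyboard
}


def is_suspicious_composite(dev):
    """Storage device that also presents as input or network hardware."""
    classes = set(dev.interface_classes)
    return CLASS_MASS_STORAGE in classes and bool(classes & INPUT_OR_NETWORK)


def assess(dev):
    """Return (verdict, reason); verdict is 'allow' or 'block'."""
    key = (dev.vid, dev.pid, dev.serial)
    classes = set(dev.interface_classes)
    expected = ALLOWLIST.get(key)
    if expected is None:
        if is_suspicious_composite(dev):
            return "block", "unknown device: storage plus input/network interfaces"
        return "block", "unknown device: not on allow-list"
    unexpected = classes - expected
    if unexpected:
        # Same identity as a trusted device, but it now enumerates with
        # interfaces it never had: the signature of rewritten firmware.
        return "block", "allow-listed device now exposes classes %s" % sorted(
            hex(c) for c in unexpected)
    return "allow", "matches allow-list"


def scan(devices):
    """Apply the policy to every device on the bus."""
    return [(dev, *assess(dev)) for dev in devices]


# Constructed bus snapshot: the trusted stick, the trusted keyboard, the
# same stick after its firmware was reprogrammed to add a HID interface,
# and an unknown stick that also claims to be a network adapter.
SAMPLE_BUS = [
    UsbDevice(0x0951, 0x1666, "0C9D92B1", (CLASS_MASS_STORAGE,)),
    UsbDevice(0x046D, 0xC31C, "LOGIKB01", (CLASS_HID,)),
    UsbDevice(0x0951, 0x1666, "0C9D92B1", (CLASS_MASS_STORAGE, CLASS_HID)),
    UsbDevice(0x1D6B, 0x0104, "NONE",
              (CLASS_MASS_STORAGE, CLASS_CDC_CONTROL, CLASS_CDC_DATA)),
]

if __name__ == "__main__":
    for dev, verdict, reason in scan(SAMPLE_BUS):
        print(f"{dev.vid:04x}:{dev.pid:04x} {dev.serial:<9} {verdict:5} {reason}")
```

On Linux the same attributes come from sysfs (`/sys/bus/usb/devices/*/idVendor`, `idProduct`, `serial`, and `bInterfaceClass` under each interface directory), and the usbguard project enforces this style of policy for real. Note the limit the article itself implies: the host never sees the firmware, only what the device claims about itself, and a reprogrammed controller can also copy the vendor ID, product ID and serial of a trusted device. The check catches a device that changes what it enumerates as, not a carefully crafted impostor, which is why the researchers' advice is to treat a device that has touched an untrusted machine as compromised rather than to rely on detecting it.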
Nohl and Lell will present their findings, as well as proof-of-concept software, at the Black Hat conference in Las Vegas this August.
Stories like these make sense when they can show proof that a person's computer has been infected by this malware instead of some theoretical firmware rewrite. Secondly, I'd also like to know why they say that it's 'impossible to patch'; if one can overwrite the firmware with malicious code, can't one also restore the original firmware, were it available for said product? Thirdly, this doesn't apply to cables, I take it, even though there is a cable shown in the article. Personally I'd use a memory stick or something that has firmware embedded. "Proof-of-concept": that just may work as a company name.
Quoting PhilBoogie: "Secondly, I'd also like to know why they say that it's 'impossible to patch'; if one can overwrite the firmware with malicious code, can't one also restore the original firmware, were it available for said product?"
I read that as impossible to patch the vulnerability, not the rewritten firmware.
Quoting hmm, who quoted PhilBoogie ("Secondly, I'd also like to know why they say that it's 'impossible to patch'; if one can overwrite the firmware with malicious code, can't one also restore the original firmware, were it available for said product?"): "I read that as impossible to patch the vulnerability, not the rewritten firmware."

Ah, ok. But if the malware rewrites your DNS settings, can't one simply restore their hosts file from backup or simply change their DNS settings? On second thought, I presume 'the damage' has already been done by making people go to a website they didn't intend to go to. If so, I wonder where all these hackers want people to go. TOR? Or some sleazy weazy nudity webby site? Convincing men to use their credit card for a lifetime subscription of...whatever. Yeah, whatever. Period.
Quoting PhilBoogie: "Secondly, I'd also like to know why they say that it's 'impossible to patch'; if one can overwrite the firmware with malicious code, can't one also restore the original firmware, were it available for said product?"

"Thirdly, this doesn't apply to cables, I take it, even though there is a cable shown in the article. Personally I'd use a memory stick or something that has firmware embedded."
1. It's impossible to patch because you don't have access to the firmware through normal USB access.
It hides in the transport layer, and to detect malicious code you need to get access to it.
Unless Windows/Mac has the same feature as iOS (iOS flashes firmware to Lightning accessories at every connection).
2. Have you seen the inside of a Lightning cable?
It's basically a chip acting as a proxy, and a proxy means you can add/remove messages by code.
And by the way, do you know many card readers run on USB?
My God it's happening. Just like the old gypsy woman said.