Most USB devices have a fundamental security weakness that can be exploited to infect computers with malware in a way that cannot easily be prevented or detected, security researchers found.
The problem is that the majority of USB thumb drives, and likely other USB peripherals available on the market, do not protect their firmware—the software that runs on the microcontroller inside them, said Karsten Nohl, the founder and chief scientist of Berlin-based Security Research Labs.
This means that a malware program can replace the firmware on a USB device like a thumb drive by using secret SCSI (Small Computer System Interface) commands and make it act like some other type of device, for example, a keyboard, Nohl said.
The spoofed keyboard could then be used to emulate key presses and send commands to download and execute a malware program. That malware could reprogram other USB thumb drives inserted into the infected computer, essentially becoming a self-replicating virus, the researcher said.
Researchers from Security Research Labs have developed several proof-of-concept attacks that they plan to present at the Black Hat security conference in Las Vegas next week.
One of the attacks involves a USB stick that acts as three separate devices—two thumb drives and a keyboard. When the device is first plugged into a computer and is detected by the OS, it acts as a regular storage device. However, when the computer is restarted and the device detects that it’s talking to the BIOS, it switches on the hidden storage device and also emulates the keyboard, Nohl said.
Acting as a keyboard, the device sends the necessary button presses to bring up the boot menu and boots a minimal Linux system from the hidden thumb drive. The Linux system then infects the bootloader of the computer’s hard disk drive, essentially acting like a boot virus, he said.
Another proof-of-concept attack developed by Security Research Labs involves reprogramming a USB drive to act as a fast Gigabit network card.
As Nohl explained, OSes prefer a wired network controller over a wireless one and a Gigabit ethernet controller over a slower one. This means the OS will use the new spoofed Gigabit controller as the default network card.
The USB device also emulates a DHCP (Dynamic Host Configuration Protocol) server that automatically assigns a DNS (Domain Name System) server to the spoofed controller, but not a gateway address. In this case, the OS will continue to use the gateway specified by the real network card—so the Internet connection will not be disrupted—but the DNS server from the spoofed controller, Nohl said. By controlling the DNS server, which translates domain names into IP (Internet Protocol) addresses, an attacker can hijack the Internet traffic, he said.
To show that this attack is not only possible with USB thumb drives, the researchers will also use an Android phone connected to the computer to emulate a rogue network card.
Any USB connection can turn evil, Nohl said. If you let someone connect a USB thumb drive or charge a phone on your computer you essentially trust them to type commands on your computer, he said.
The price of convenience
The attacks developed by Security Research Labs underline the difficulty of having both the versatility of the USB standard and security at the same time. The greatest feature of USB—its plug-and-play capability—turns out to be its greatest vulnerability as well, according to Nohl.
Unfortunately, there’s no easy fix for this problem. The Security Research Labs researchers have identified several ways to address this issue, but none of them solve the problem completely or in a timely manner.
One place where the issue could be fixed is in the USB specification by requiring that a secure pairing process is used when adding new USB devices to a computer, similar to the one used for Bluetooth devices. However, even if the USB specification is changed, it could take years before the new standard is adopted and new devices replace the old ones.
OSes could also ask users to confirm the addition of new USB devices to their computers and then remember the approved devices—a sort of USB firewall. However, this might not even be possible because many USB devices use a string of zeros for their serial number and there’s no way for the OS to distinguish between them, Nohl said. Also, this doesn’t solve the attack vector where the USB device infects the boot sector from outside the OS.
An obvious place to fix the issue would be in the USB microcontrollers themselves by requiring firmware updates to be digitally signed or by implementing some sort of hardware locking mechanism that prevents overwriting the firmware once the device leaves the factory. Nohl said that he and his team haven’t seen such protections in any of the USB thumb drives they tested.
Even if manufacturers start implementing such protections there would have to be a way to tell new USB thumb drives apart from old, insecure ones, so that users can make an informed decision about which devices they connect to their computers.
Finally, a more short-term solution would be for users to start understanding the risks and be cautions about which USB devices they plug into their computers, Nohl said. For the purpose of exchanging files with other people an SD (Secure Digital) memory card would be a safer choice than a USB thumb drive, he said.