
With BadUSB your USB drive isn't as benign as it looks... - fixedByVonnie


What if I told you…that I could plug a brand name, ordinary USB drive into your computer (Mac, Linux, Windows doesn’t matter) and fool your machine into thinking that my USB drive is actually a network adapter?

You might say “so what”.

But then what if I told you that this bad adapter uses a malicious DNS server which surreptitiously intercepts web traffic, exposes logins and captures credit card numbers?

But that’s not all.

What if I told you that I could make your computer think my innocuous USB drive is actually a keyboard?  And that under the guise of a keyboard I covertly send commands to install malware?  All this happens silently in the background without your knowledge.  There’s no visual indication that your USB drive has an egregious case of multiple-personality disorder.

And what if I told you that your hijacked USB drive appears as a normal USB drive in the Windows Device Manager and the Finder on your Mac?

What if I told you that installing antivirus can’t fix the problem because antivirus can’t detect the problem?

Oh, and what if I told you that reformatting the USB drive, and even your Operating System for that matter, wouldn’t destroy the threat?

You would say:

Vonnie, you lie.

Unfortunately – I’m being dead honest.

According to well-known cryptographer and security researcher Karsten Nohl and Linux savant Jakob Lell, my hypothetical questions aren’t fiction.  In fact, Nohl and Lell plan to demonstrate the proof-of-concept at the BlackHat conference on August 6th and 7th.

There’s a new form of malware on the block that injects itself into the firmware and completely transforms the identity of the device.

Think of it like demon possession… but for devices.

Nohl and Lell posit that a nefarious hacker can reprogram the embedded software in the USB drive to make it masquerade as another device.  Once the poor USB stick takes on its new purpose it can be used to spy on you, steal data and wreak havoc on the system.

At the conference they will “demonstrate a full system compromise from USB and a self-replicating USB virus not detectable with current defenses.”

The problem is that almost all the USB drives out there will happily take any firmware update you throw at them.  Since most USB drives don’t have cryptographic signing criteria for upgrading firmware, they will blithely take on your update and become virtual zombies in the hands of an odious hacker.

Unless you can physically guard your USB ports at all times, there’s no real way to stymie this threat.  Thus, in one sense, the ubiquity of the USB standard is both a boon and a bane.  On the one hand, USB lets us plug not only our smartphones and tablets into our computers, but also our webcams, microphones and even desk fans!  But on the other hand, the USB exploit discovered by Nohl and Lell, called BadUSB, means that your plug-in desk fan could become a keyboard that furtively sends commands to delete your files, infect other devices or log your keystrokes.

But if that wasn’t bad enough, there’s something else really insidious about this threat that bothers me.

If you looked in the Windows Device Manager, the compromised USB drive would still appear as a normal USB drive.  In other words, you could presumably still use it to copy and transport files. If the firmware was hacked in such a way as to allow it to take on both roles concurrently, then there’s nothing stopping that drive from functioning like an authentic storage medium and a duplicitous keyboard.
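A defensive check for the dual-role case described above, as an added example that is not part of the original post: on Linux, list the interface classes each attached USB device currently declares under sysfs and flag any device that announces mass storage together with an input or network interface. The function names and the sample tree are assumptions constructed for illustration.

```python
import os
import tempfile

# USB-IF base class codes (bInterfaceClass), as the two-digit hex strings sysfs prints.
MASS_STORAGE = "08"
INPUT_OR_NETWORK = {"03": "HID (keyboard/mouse)", "02": "CDC communications",
                    "0a": "CDC data", "e0": "wireless controller"}

def read_attr(path):
    try:
        with open(path) as fh:
            return fh.read().strip().lower()
    except OSError:
        return None

def scan(root="/sys/bus/usb/devices"):
    """Return {device: [class codes]} for every device under a sysfs-style root."""
    devices = {}
    for entry in sorted(os.listdir(root)):
        # Interface directories are named "<device>:<config>.<interface>", e.g. "1-2:1.0".
        if ":" not in entry:
            continue
        cls = read_attr(os.path.join(root, entry, "bInterfaceClass"))
        if cls is not None:
            devices.setdefault(entry.split(":")[0], []).append(cls)
    return devices

def suspicious(devices):
    """Flag devices that declare mass storage together with an input or network interface."""
    findings = {}
    for dev, classes in devices.items():
        extra = sorted({INPUT_OR_NETWORK[c] for c in classes if c in INPUT_OR_NETWORK})
        if MASS_STORAGE in classes and extra:
            findings[dev] = extra
    return findings

def build_sample_tree():
    """Constructed sample: plain flash drive (1-1), drive that also declares HID (1-2), keyboard (2-1)."""
    root = tempfile.mkdtemp()
    for name, cls in {"1-1:1.0": "08", "1-2:1.0": "08", "1-2:1.1": "03", "2-1:1.0": "03"}.items():
        os.makedirs(os.path.join(root, name))
        with open(os.path.join(root, name, "bInterfaceClass"), "w") as fh:
            fh.write(cls + "\n")
    return root

if __name__ == "__main__":
    live = "/sys/bus/usb/devices"
    root = live if os.path.isdir(live) else build_sample_tree()
    for dev, roles in suspicious(scan(root)).items():
        print(f"{dev}: mass storage plus {', '.join(roles)}")
```

The scan reports only what a device declares at the moment it runs; it does not inspect firmware, and a device that presents a different set of interfaces later will only show up on a later scan.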

Also, since the exploit occurs at a low software level (the firmware), turning off auto-play probably wouldn’t avert the threat.  That’s also why reformatting the drive doesn’t fix the problem: the issue lurks in embedded software.

Have you ever walked into a Delta terminal and seen all those people charging their smartphones and tablets while they wait to board the plane?

You see where I’m going with this, right?

What would happen if someone installed a BadUSB charging pod that effectively charged connected devices but also siphoned your files, photos and privacy settings?

Most people would say that I’m being silly because nobody is going to implement BadUSB in the way I’ve imagined; but it’s still a possibility, isn’t it?  I mean, what’s to stop something like that from happening?

What do you think of BadUSB?  Please share your thoughts in the comments.


  • oceanmaster

    Never powered my phone or other device from just a USB cable. I always plug my power supply into a power socket. Anyone plugging their phone into someone else’s USB socket should know this is as good as giving them access to your phone directly.