Reprogramming Thumb Drive Firmware

Tuesday, August 5, 2014 @ 07:08 PM gHale

Warnings about the security dangers of USB drives are almost becoming a cliché; stories abound about how someone plugged in an infected thumb drive and an attack was born.

But new research to be revealed at the Black Hat conference in Las Vegas this week will show how new threats from USB devices go well beyond USB devices someone finds in a parking lot somewhere.

As security technology evolves, there are solutions that can locate and destroy malware in a USB device, but what if the threat resides directly in the firmware of the device?

Karsten Nohl and Jakob Lell, researchers at Germany-based SRLabs, will present a new type of malware that reprograms the firmware found in thumb drives and other USB devices so the bad guys can take over.

The problem is that the USB controller chips in peripherals can be reprogrammed to spoof other devices, and there is little or no protection to prevent anyone from doing so, said Lell and Nohl. To demonstrate their findings, Nohl and Lell developed BadUSB, a self-replicating piece of malware that an attacker can use to take control of a computer.

BadUSB malware can make a device emulate a keyboard and use it to send commands on behalf of the victim. Attackers can steal data, install other pieces of malware, and even infect the controller chips of other USB devices connected to the affected computer, SRLabs said in a blog post.

USB devices can also be used to spoof a network card, allowing the attackers to change the infected computer’s DNS settings in an effort to redirect traffic. Thumb drives or external hard disks can be configured to detect when a computer is starting, and load a small virus into the operating system before boot.

Nohl said they installed an attack on one type of USB2 chip, one type of USB3 chip, and on Android phones. The controller chip firmware they tested sees widespread use and quite a few companies use it in their thumb drives, he said.

SRLabs spent three months on reverse engineering and reprogramming the two USB controller chips on which they have conducted experiments, Nohl said.

Security solutions do not detect these types of threats because malware scanners can’t access the firmware running on USB devices. Behavior-based scanners don’t work either, because devices infected with BadUSB don’t exhibit any suspicious behavior. Instead, when the malware changes the functionality of a drive, it simply looks like the user plugged in a new device.
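Because the host sees only the interface classes a device announces, one thing a defender can log is a device identity that starts announcing keyboard (HID) or network interfaces. The sketch below is an added example, not code from SRLabs or the original article. The class codes are the standard USB ones; the event format, the sample events and the identity key (vendor id, product id, serial) are constructed assumptions. Reprogrammed firmware can change those identifiers too, so this is an inventory heuristic, not firmware detection.

```python
# Standard USB interface class codes (bInterfaceClass).
HID = 0x03             # keyboards, mice and other input devices
STORAGE = 0x08         # mass storage (thumb drives, external disks)
NETWORK = {0x02, 0x0A}  # CDC control / CDC data, used by USB network adapters

def roles(interfaces):
    """Map (class, subclass, protocol) triples to coarse roles."""
    found = set()
    for cls, _sub, _proto in interfaces:
        if cls == STORAGE:
            found.add("storage")
        elif cls == HID:
            found.add("hid")  # any HID interface may act as a keyboard
        elif cls in NETWORK:
            found.add("network")
    return found

def review(events):
    """Return (identity, reason) alerts for devices gaining risky roles."""
    seen = {}    # (vid, pid, serial) -> roles announced so far
    alerts = []
    for ident, interfaces in events:
        now = roles(interfaces)
        before = seen.get(ident, set())
        risky = now & {"hid", "network"}
        if "storage" in now and risky:
            alerts.append((ident, "storage device also exposes "
                           + ", ".join(sorted(risky))))
        elif ident in seen and risky - before:
            alerts.append((ident, "known device gained "
                           + ", ".join(sorted(risky - before))))
        seen[ident] = before | now
    return alerts

# Constructed enumeration events: (identity, list of interface triples).
DRIVE = ("1234", "5678", "SN001")
SAMPLE_EVENTS = [
    (DRIVE, [(0x08, 0x06, 0x50)]),                      # plain thumb drive
    (DRIVE, [(0x08, 0x06, 0x50), (0x03, 0x01, 0x01)]),  # now adds a keyboard
    (("abcd", "0001", "KB77"), [(0x03, 0x01, 0x01)]),   # ordinary keyboard
    (DRIVE, [(0x02, 0x06, 0x00), (0x0A, 0x00, 0x00)]),  # returns as network card
]

if __name__ == "__main__":
    for ident, reason in review(SAMPLE_EVENTS):
        print(ident, reason)
```
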
