USB: From bad to worse
SECURITY SHELF

Over the last two decades, the USB standard has dominated due to its versatility: keyboards, mice, scanners, storage devices, smart phones, and all sorts of other peripherals use USB to connect with computers. However, this versatility is also USB’s Achilles heel. Different classes of devices use the same standard connector, making it possible for a device to behave differently than a user expects.

Most people have become accustomed to using USB thumb drives to carry and share data as if they are simply another form of media. However, between the PC and the flash memory lies a USB controller chip that in some cases can easily be reprogrammed. The BadUSB code released in September can only be used to exploit products based upon one popular USB chipset, but it won’t take long until exploits are developed for others.

BadUSB, along with similar unpublished exploits, takes advantage of this fundamental weakness by reprogramming some USB devices. For example, a USB thumb drive can be reprogrammed to emulate a keyboard and issue commands on behalf of the logged-in user. The act of simply plugging in a USB thumb drive can result in the installation of malware that, in addition to infecting the local machine, modifies the firmware of other USB thumb drives subsequently connected.

While anti-malware software may help to protect the PC, it is unable to scan the firmware running on the USB device. As long as PCs enable USB devices as soon as they are connected, PCs will remain vulnerable to USB-based attacks. Simply formatting the device will not restore the original device firmware — in fact, the act of plugging in the USB device to format it may result in a malware infection.

Endpoint protection products appear capable of only partially mitigating the risk. They were simply not designed to stop users from attaching what appears to be a USB keyboard. On the other hand, if a weaponized device attempts to download or install malware, endpoint protection software may be in a position to prevent or detect the infection.

The only defences available at this point are procedural:

  • USB devices, especially thumb drives, should be purchased only from reputable vendors in factory-sealed packaging.
  • Devices designed to meet security standards, such as FIPS 140-2 cryptographic module validation, should be highly resistant to firmware manipulation, making them less susceptible to attack. Mechanisms such as digitally signed firmware can prevent BadUSB-style attacks.
  • USB thumb drives should be connected only to trusted computers. If it is necessary to connect a standard USB thumb drive to an untrusted computer, the device should then be discarded.
  • USB devices should not be obtained from untrusted sources such as thumb drives given away at trade shows.
  • Individuals and businesses with security concerns should keep in mind that most USB devices can be compromised and that USB vulnerabilities are not limited to thumb drives. For example, a USB mouse could be compromised to include hidden hardware or firmware.
  • Computers with accessible USB ports should never be left logged in and unattended.

These strict procedures are in sharp contrast to the manner in which USB devices have been used for years, but this is the reality in the short term.

Long term, vendors need to make two important changes. First, USB devices must be hardened so they will only execute digitally signed firmware. While this won’t stop the creation of custom USB weapons, it will prevent attackers from modifying the firmware of commercial products through the USB interface. In other words, simply plugging a USB device into a malicious PC should not be sufficient to reprogram the USB controller chip.

Second, and perhaps more important, PC vendors must adopt a pairing approach to USB devices rather than simply enabling them as soon as they are connected. While this may be less convenient, the user should be required to authorize the connection. For example, if a USB thumb drive or custom hardware attempts to emulate a keyboard, the user should be able to say no.
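The pairing approach described above can be sketched as a default-deny policy check. This is an added example, not code from any vendor or operating system: the `Device` record, the `decide` function and the sample devices are hypothetical, and the only real constants are the USB-IF interface class codes for HID (0x03) and mass storage (0x08).

```python
from dataclasses import dataclass

# USB-IF base class codes (bInterfaceClass)
HID = 0x03
MASS_STORAGE = 0x08

@dataclass(frozen=True)
class Device:
    vendor_id: int
    product_id: int
    serial: str
    interface_classes: frozenset

    @property
    def identity(self):
        # Self-reported by the device, so it identifies but does not authenticate.
        return (self.vendor_id, self.product_id, self.serial)

def decide(device, paired):
    """Return (verdict, reason); verdict is 'allow', 'prompt' or 'deny'.

    `paired` maps a device identity to the interface classes the user
    approved when the device was first paired.
    """
    approved = paired.get(device.identity)
    if approved is not None:
        extra = device.interface_classes - approved
        if extra:
            names = ", ".join(f"0x{c:02x}" for c in sorted(extra))
            return "deny", f"paired device now exposes unapproved classes: {names}"
        return "allow", "matches pairing record"
    if {HID, MASS_STORAGE} <= device.interface_classes:
        return "deny", "unpaired storage device also claims an input interface"
    if HID in device.interface_classes:
        return "prompt", "unpaired input device: ask the user before enabling"
    return "prompt", "unpaired device: ask the user before enabling"

# Constructed sample data (vendor/product IDs and serials are made up).
PAIRED = {(0x1234, 0x5678, "CONSTRUCTED-0001"): frozenset({MASS_STORAGE})}
THUMB = Device(0x1234, 0x5678, "CONSTRUCTED-0001", frozenset({MASS_STORAGE}))
REFLASHED = Device(0x1234, 0x5678, "CONSTRUCTED-0001", frozenset({MASS_STORAGE, HID}))
NEW_KEYBOARD = Device(0x1111, 0x2222, "CONSTRUCTED-0002", frozenset({HID}))

if __name__ == "__main__":
    for dev in (THUMB, REFLASHED, NEW_KEYBOARD):
        print(f"{dev.vendor_id:04x}:{dev.product_id:04x}", *decide(dev, PAIRED))
```

The check treats any HID interface as capable of sending input, since a device's declared protocol is as self-reported as its serial number. Binding the pairing record to approved interface classes is what catches a previously trusted thumb drive that returns claiming to be a keyboard.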

Until USB vendors secure their device firmware and operating systems stop automatically enabling them, we have little choice but to assume USB devices cannot be trusted.