Inconsistencies in manufacturing could make thumb drives insecure
November 18, 2014
These days, traditional USB thumb drives are so inconsistently manufactured that it is all but impossible to know for sure whether any given unit could be reprogrammed to take over computers and cause significant security breaches, researcher Karsten Nohl says.
The conditions that determined whether a unit could be hacked varied not only between vendors but also within product lines, because manufacturers buy different hardware components as prices fluctuate widely.
In a presentation at the recent Pacific Security Conference in Japan, Nohl and fellow SR Labs researchers Sasha Kribler and Jakob Lell revealed more information about the attacks known as BadUSB.
"As long as USB controllers are reprogrammable, USB peripherals should not be shared with others," the security team said.
"Once infected through USB, malware can use peripherals as a hiding place, hindering system clean up," added Nohl.
They examined about 60 chip families from USB vendors Phison, Alcor, Renesas, ASmedia, Genesys Logic, FTDI, Cypress and Microchip.
They found Phison chips the most vulnerable, along with the new USB 3.0 line from Genesys Logic, while none disabled the reprogramming vector.
It was bad news for the most security-conscious organizations and individuals, but good news for attackers, notably given the release in October of the BadUSB attack code.
Worse, they said Android phones were the simplest BadUSB attack platforms due to their pre-configured Ethernet-over-USB setup.
The security team also detailed attacks in which booting from a BadUSB device carrying a hidden rootkit could undermine Windows, Mac and Linux operating systems, along with a large number of similar attacks including keyboard emulation and network card spoofing.
To be sure, security company Ironkey was the only known USB vendor to protect against such reprogramming.
There was no real defence against BadUSB other than disabling firmware updates in the hardware, a measure restricted to new devices, and pouring glue into USB ports, which had obvious usability issues.
Whitelisting USB devices was hindered by the lack of serial numbers and of mechanisms to apply such security measures, while malicious firmware could easily spoof its legitimacy to foil malware scans.
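The whitelisting problem described above, together with the keyboard-emulation and network-card cases, can be seen in a small descriptor audit. This is an added example, not code from SR Labs or from the presentation; the whitelist, the device records and the finding names are constructed for illustration.

```python
# Added example: audit USB device descriptors against a whitelist.
# All records are constructed; on Linux the same fields are exposed under
# /sys/bus/usb/devices/ (idVendor, idProduct, serial, bInterfaceClass).

# USB-IF interface base class codes
HID, MASS_STORAGE, CDC, CDC_DATA, WIRELESS = 0x03, 0x08, 0x02, 0x0A, 0xE0
INPUT_OR_NETWORK = {HID, CDC, CDC_DATA, WIRELESS}

# Hypothetical whitelist: (vid, pid, serial) -> interface classes seen at enrolment
WHITELIST = {
    (0x1234, 0x0001, "A1B2C3"): {MASS_STORAGE},
}

def audit(device, whitelist=WHITELIST):
    """Return a list of finding strings for one device record."""
    findings = []
    serial = device.get("serial")
    classes = set(device["interface_classes"])
    key = (device["vid"], device["pid"], serial)
    if not serial:
        findings.append("no-serial")  # cannot be pinned to one physical unit
    elif key not in whitelist:
        findings.append("not-whitelisted")
    elif classes != whitelist[key]:
        findings.append("interface-drift")  # advertises other functions than enrolled
    if MASS_STORAGE in classes and classes & INPUT_OR_NETWORK:
        findings.append("storage-plus-input-or-network")
    return findings

# Constructed sample records
DEVICES = [
    {"name": "enrolled stick", "vid": 0x1234, "pid": 0x0001,
     "serial": "A1B2C3", "interface_classes": [MASS_STORAGE]},
    {"name": "same stick, now also a keyboard", "vid": 0x1234, "pid": 0x0001,
     "serial": "A1B2C3", "interface_classes": [MASS_STORAGE, HID]},
    {"name": "stick without serial", "vid": 0x1234, "pid": 0x0002,
     "serial": None, "interface_classes": [MASS_STORAGE]},
    {"name": "phone offering a network link", "vid": 0x5678, "pid": 0x0003,
     "serial": "PHONE01", "interface_classes": [WIRELESS, CDC_DATA]},
]

def audit_all(devices=DEVICES):
    """Map each device name to its findings."""
    return {d["name"]: audit(d) for d in devices}

if __name__ == "__main__":
    for name, findings in audit_all().items():
        print(f"{name}: {', '.join(findings) or 'ok'}")
```

Every value checked here is reported by the device's own firmware, so an empty result only means the advertised identity and functions match what was enrolled; it does not show that the firmware is unmodified.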
Firmware code signing could still permit unauthorized firmware upgrades, and was problematic on smaller devices.
It took the security team two months to document, reverse engineer and patch the USB firmware processes, an approach which they said may also suit similar analysis of webcams and other peripherals.
Source: The Pacific Security Conference in Japan.