Why the Security of USB Is NOT Fundamentally Broken

I am very, very unhappy about the Fear, Uncertainty and Doubt (FUD) created by Karsten Nohl and Jakob Lell  who will present their findings, as well as proof-of-concept software, at the Black Hatconference in Las Vegas this August.

What makes me unhappy is how easy they generalize the fact that in some extraordinary circumstances some bad things can happen.

“In this new way of thinking, you can’t trust a USB just because its storage doesn’t contain a virus. Trust must come from the fact that no one malicious has ever touched it,” Nohl said. “You have to consider a USB infected and throw it away as soon as it touches a non-trusted computer.”

 

What is the story?

Read here the original article: http://www.wired.com/2014/07/usb-security/

This is the most interesting part:

The malware they created, called BadUSB, can be installed on a USB device to completely take over a PC, invisibly alter files installed from the memory stick, or even redirect the user’s internet traffic. Because BadUSB resides not in the flash memory storage of USB devices, but in the firmware that controls their basic functions, the attack code can remain hidden long after the contents of the device’s memory would appear to the average user to be deleted. And the two researchers say there’s no easy fix: The kind of compromise they’re demonstrating is nearly impossible to counter without banning the sharing of USB devices or filling your port with superglue.

“These problems can’t be patched,” says Nohl, who will join Lell in presenting the research at the Black Hat security conference in Las Vegas. “We’re exploiting the very way that USB is designed.”

‘IN THIS NEW WAY OF THINKING, YOU HAVE TO CONSIDER A USB INFECTED AND THROW IT AWAY AS SOON AS IT TOUCHES A NON-TRUSTED COMPUTER.’

Why is this article flawed?

The article in Wired is … incomplete and therefore severely flawed. Typically for this kind of magazines, it is just written to bring more readers.

 

MOST USB flash drives are NOT upgradable via firmware updates; it is just too expensive to put that logic on the controller. The producers want to have them cheap and not smart.

They have EPROMS or even some stupid simple chips that are not programmable (called ASIC – Application Specific Integrated Circuits ,a kind of silicon hardcoding if you want).

Even if they would be reprogrammable, to transform a USB Mass Storage device into a HID device (keyboard) requires a lot more.

Keyboards, and all HID devices need interrupts to do their job. And not just any kind of interrupts, but OUT interrupts.

So, this requires not only rewriting the controller, but transforming the class of the controller into something else. It would be like transforming a thermostat into a webcam.

You can change the software by rewriting the OS, but you need ultimately the hardware to finish the job.

With other words, you can’t easily have a device with two classes as you can’t have a keyboard used as a USB stick and vice versa.

Such an operation (having a complex USB class) is theoretically possible, but you need to create a new kind of device which must have both classes or more.

Useless to say, this reduces the amount of devices that can be vulnerable to such an attack.

As for the phones that have USB Mass storage: no, it is not easily possible to change them.

They have in the kernel the ability to change the type of USB support from Mass Storage to something else, but you can choose between Media Device (MTP or Mass Storage device) or PTP ( a so called Photocamera mode). You can’t have both at the same type and there is no way to reprogram the controller unless you upgrade the operating system.

 

I am not saying it is not possible to do all those things. I am sure it is.

I am talking ONLY about normal devices (that is, something you can buy on Amazon).

 

Blaze even speculates that the USB attack may in fact already be common practice for the NSA. He points to a spying device known as Cottonmouth, revealed earlier this year in the leaks of Edward Snowden. The device, which hid in a USB peripheral plug, was advertised in a collection of NSA internal documents as surreptitiously installing malware on a target’s machine. The exact mechanism for that USB attack wasn’t described. “I wouldn’t be surprised if some of the things [Nohl and Lell] discovered are what we heard about in the NSA catalogue.”

But to say that the USB Flashdrive is fundamentally flawed and you can’t trust anymore any kind of USB device is a massive overstatement.

No matter if the USB controller is infected somehow, that code doesn’t run on the computer to which the USB drive is connected. It runs *in* that microprocessor on the USB device.

The PC’s USB controller is programmed to react in a certain way when a particular USB device is found. So, if you plugin a USB drive, it will read it. If you plug in a USB HID (keyboard, mouse) it will do something else. But, it will not read/write on a keyboard.

And, it can’t also trigger some kind of execution of a file on the PC, unless there is a autorun.inf on the USB drive.

The attack vector

 

The only attack vector I see is:

– USB drive contains hidden code that can infect the PC. This could be contained in the storage or even in the firmware of the drive (very unlikely, but possible)

– There is a zero-day vulnerability that is triggered by some combination of events when that particular type of USB drive is plugged in

and this vulnerability executes the malware hidden on the USB Drive. We assume that it is invisible to the AV software and humans.

Additionally, the malware running on the PC can recognize future USB drives that are reprogrammable and can infect them in the same way (very unlikely).

The chain of events must be in place for something to happen. And this is very unlikely.

The threat disappears once the zero-day exploit is patched and the malware is detected by the AV.

Some hardware-software concepts

The code in the USB microprocessor NEVER runs in the PC host.

The USB device and the PC communicate via the USB Hub using hardware device categories:

 

usb-controllers

 

This is how a Flashdrive looks like (left) and how a keyboard looks like (right):

usb-ex

To my understanding, if the normal USB device says it is a keyboard, then it can’t be a memory stick.

A normal device can’t have more than one USB Class. So, it is either USB Mass Storage or USB HID.

If it is a HID, then it doesn’t have storage. And even if it has, the PC will not interpret it as a Mass Storage.

 

 Conclusion

 

This is what bothers me in this issue: they generalize the entire discussion and say that you can’t trust ANY USB drive ever again.

It might be true that their scenario CAN happen, but it is happening only in CERTAIN scenarios, only when CERTAIN types of hardware is used.

 


© Copyright 2014 Sorin Mustaca, All rights Reserved. Written For: Sorin Mustaca on Cybersecurity


Check www.endpoint-cybersecurity.com for seeing the consulting services we offer.

Visit www.itsecuritynews.info for latest security news in English
Besuchen Sie de.itsecuritynews.info für IT Sicherheits News auf Deutsch