USB devices such as mice, keyboards and thumb-drives can be used to hack into personal computers in a potential new class of attacks that evade all known security protections.
CSE Labs, noted that hackers could load malicious software onto tiny, low-cost computer chips that control functions of USB devices but which have no built-in shields against tampering with their code.
The finding shows that bugs in software used to run tiny electronics components that are invisible to the average computer user can be extremely dangerous when hackers figure out how to exploit them. Security researchers have increasingly turned their attention to uncovering such flaws.
Hackers performed attacks by writing malicious code onto USB control chips used in thumb drives and smartphones. Once the USB device is attached to a computer, the malicious software can log keystrokes, spy on communications and destroy data. Computers do not detect the infections when tainted devices are inserted into a PC because anti-virus programs are only designed to scan for software written onto memory and do not scan the “firmware” that controls the functioning of those devices
As SRLabs security researchers Karsten Nohl and Jakob Lell propose to show at Black Hat, an ordinary USB pen drive can be turned into an automated hacking tool.
Nohl and Lell have discovered that USB controller chips’ firmware offer no protection from reprogramming. Using a set of proof-of-concept tools they call BadUSB, they claim that an ordinary USB device, even a thumb drive, can be used to compromise computers in the following ways:
- A device can emulate a keyboard and issue commands on behalf of the logged-in user, for example to exfiltrate files or install malware. Such malware, in turn, can infect the controller chips of other USB devices connected to the computer.
- The device can also spoof a network card and change the computer’s DNS setting to redirect traffic.
- A modified thumb drive or external hard disk can — when it detects that the computer is starting up — boot a small virus, which infects the computer’s operating system prior to boot.
SR Labs tested the technique by infecting controller chips made by major manufacturer Taiwan’s Phison Electronics Corp, and placing them into USB memory drives and smartphones running Google Inc’s Android operating system.
Similar chips are made by Silicon Motion Technology Corp and Alcor Micro Corp . Nohl said his firm did not test devices with chips from those manufacturers.
Phison and Google did not respond to requests for comment. Officials with Silicon Motion and Alcor Micro could not immediately be reached.
Nohl said he believes hackers would have a “high chance” of corrupting other kinds of controller chips besides those made by Phison, because their manufacturers are not required to secure software. He said those chips, once infected, could be used to infect mice, keyboards and other devices that connect via USB.
“The sky is the limit. You can do anything at all,” he said.
In his tests, Nohl said he was also able to gain remote access to a computer by having the USB instruct the computer to download a malicious program with instructions that the PC believed were comikeyboard
Before you start banning USB devices from your workplace — good luck with that — there are ways to fix this problem. First, USB chipset manufacturers can start hardening their firmware so it can’t be easily modified. Security companies can start adding programs to check USB devices for unauthorized firmware alterations.
Those are all long-term fixes. In the short-term, BadUSB-created cracking tools will be able to create compromised devices that will have the potential to be a new and deadly attack vector for hackers.
ShareJUL
2014
