BadUSB is now a reality

usb stick
Around two months I wrote how security researchers, Karsten Nohl & Jakob Lell from Security Research Labs in Berlin had discovered a major flaw in USB that could potentially affect billions of USB devices worldwide and they have dubbed it BadUSB. Karsten &Jakob developed several proof-of-concept attacks that they presented at the Black Hat security conference in Las Vegas two months ago. I also said I would keep you updated on any further developments. What I am reporting will be a wakeup call to all businesses and computer users.

At the Derbycon hacker conference in Louisville, Kentucky last week, researchers Adam Caudill and Brandon Wilson showed that they’ve reverse engineered the same USB firmware as Nohl and Lell and reproduced several BadUSB proof-of-concept attacks. They have also published the code for those attacks on Github, which will force USB makers to confront the problem and fix it or potentially leave hundreds of millions of users vulnerable.

Caudill and Wilson managed to reverse engineer the firmware of USB microcontrollers sold by the Taiwanese firm Phison, who are one of the world’s top USB makers. They then reprogrammed the firmware to perform various attacks including one which showed that the infected USB can impersonate a keyboard to type any keystrokes the attacker chooses on the victim’s machine. Since it affects the firmware of the USB’s microcontroller, that attack program would be stored in the rewritable code that controls the USB’s basic functions, not in its flash memory and it even deletes the entire contents of its storage so that you can’t find the malware.

BadUSB can’t be detected by antivirus and security software. The only fix is to prevent USB devices’ firmware from being rewritten, and their security architecture would need to be fundamentally redesigned ensuring that no code could be changed on the device without the unforgeable signature of the manufacturer. If that code-signing measure were put in place today, it could take at least 10 years to iron out the USB standard’s bugs and pull existing vulnerable devices out of circulation

In the meantime if you take the following steps you can help prevent BadUSB from spreading:

1. Only use USB devices that you trust.
2. Have a strict USB policy in place ensuring that USB memory sticks can’t be used if you are in an office environment. Once your USB memory stick has been used in more than one device then it’s safe to assume that it has been compromised.
3. Always use the same brand of USB peripherals thus ensuring less chance of issues occurring.
4. Have each USB port designated to only take a certain device.
5. If your computer has PS2 ports then start using PS2 keyboards and mice.

Hopefully my next update on BadUSB will bring some good news.