USB Gone Bad

By Lee Gitzes

There has been a lot of talk in the press and across the industry about a new vulnerability called BadUSB. It was unveiled a short time ago at the Black Hat conference, and although it has been widely discussed, the details are still largely unknown.

The first thing that comes to mind is that USB vulnerabilities have been around forever (particularly with thumb drives and hard drives). These have been, and always will be, a giant attack vector, one that many users and organizations are already protected against.

However, this threat is different. As a matter of fact it is downright frightening, as there is currently no surefire way to fully protect ourselves from it. To make matters worse, it has been around for as long as USB itself, which makes the potential scope of the threat enormous.

The issue stems from the very nature of USB. A USB device is itself a computer: it has software running on it, or more specifically firmware.

When a USB device is plugged into a computer, it tells the computer what it is and the computer trusts it implicitly. Drivers are installed and the device works. The problem is that on most USB devices, particularly storage devices, this firmware is not stored in ROM (read-only memory). This means that anyone, at any time, could modify that firmware to do various types of damage.

For example, an attacker could deploy software that presents a USB storage device as both a drive and a keyboard. This would happen unbeknownst to the user, who would only be notified that a drive was installed. The hidden keyboard device could then turn the device into a key logger and send passwords back to a command and control server. Even worse, the keyboard interface could be used to take over the BIOS of the computer, making it completely undetectable. Malware can also easily be deployed and/or executed from hidden partitions without the user's knowledge or interaction. This could take the form of traditional zero-day malware that propagates, morphs and exfiltrates data, or it could be used for other malicious activity such as modifying DNS configurations to point machines at rogue DNS servers.

The most troubling aspect is that there is little to nothing that end users (and organizations) can do about it. Anti-malware software cannot detect it, as it has no access to USB firmware. A USB firewall could be a future protective measure, but none exists at this time. Formatting an infected operating system and re-installing it will not destroy the threat, because plugging the device back in will reinstall the driver and execute the malware again. Most computers have mice, keyboards, webcams, drives and a multitude of other USB devices connected at all times.

Today the only real prevention mechanism is endpoint software that uses whitelisting to allow only “trusted devices”. However, this is only a partial solution, as not all USB devices have unique serial numbers. Whitelisting solutions such as Bit9+Carbon Black can also provide good forensic data, which can help identify anomalies in behavior, but that takes time. Response and resolution will be less than immediate, which unfortunately is not fast enough. Although these whitelisting technologies are not complete, they are the best solution that exists today. Operating systems themselves have only limited whitelisting capabilities, making a third-party product essential to leverage it.
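To make the whitelisting approach (and its serial-number weakness) concrete, here is an added example of a device allow-list check; it is not code from the original post or from any product mentioned. The device records, vendor/product IDs and serials are constructed; only the interface class codes (0x03 for HID, 0x08 for mass storage) are real USB constants. It blocks a known drive that suddenly also presents a keyboard interface, which is the composite device described above.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

# Standard USB bInterfaceClass codes.
HID = 0x03
MASS_STORAGE = 0x08

@dataclass(frozen=True)
class UsbDevice:
    vendor_id: int
    product_id: int
    serial: Optional[str]              # None when the device reports no serial
    interface_classes: FrozenSet[int]  # bInterfaceClass of every interface

# Allow-list: (vendor_id, product_id, serial) -> interface classes the device
# is expected to present. Entries are constructed for this example.
ALLOW_LIST = {
    (0x1234, 0x0001, "DRIVE-SN-000001"): frozenset({MASS_STORAGE}),
    (0x1234, 0x0002, "KBD-SN-000002"): frozenset({HID}),
}

def evaluate(dev: UsbDevice) -> Tuple[str, str]:
    """Return ("allow" | "block", reason) for a newly enumerated device."""
    if dev.serial is None:
        # Without a unique serial the device cannot be matched to one entry,
        # which is the gap the post points out in whitelisting.
        return "block", "no serial number; cannot be uniquely whitelisted"
    expected = ALLOW_LIST.get((dev.vendor_id, dev.product_id, dev.serial))
    if expected is None:
        return "block", "device not on allow-list"
    extra = dev.interface_classes - expected
    if extra:
        # A known drive that now also presents a HID (keyboard) interface.
        names = ", ".join(f"0x{c:02x}" for c in sorted(extra))
        return "block", f"unexpected interface class(es): {names}"
    return "allow", "matches allow-list entry"

if __name__ == "__main__":
    # Constructed enumeration events: a clean drive, then the same drive
    # re-presenting itself as drive + keyboard.
    for dev in (
        UsbDevice(0x1234, 0x0001, "DRIVE-SN-000001", frozenset({MASS_STORAGE})),
        UsbDevice(0x1234, 0x0001, "DRIVE-SN-000001", frozenset({MASS_STORAGE, HID})),
        UsbDevice(0x1234, 0x0001, None, frozenset({MASS_STORAGE})),
    ):
        print(dev.serial, dev.interface_classes, "->", evaluate(dev))
```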

The only true fix will come when USB manufacturers change their methods, either by moving to a ROM-based model for firmware or by digitally signing the code so that modified firmware can be identified. Systems could then block firmware whose digital signature does not verify.