Why the Security of USB Is Fundamentally Broken | Threat Level | WIRED

Computer users pass around USB sticks like silicon business cards. The WIRED article Why the Security of USB Is Fundamentally Broken (http://www.wired.com/2014/07/usb-security/) notes that we typically depend on antivirus scans and the occasional reformatting to keep our thumb drives from becoming the carrier for the next digital epidemic. But the security problems with USB devices run deeper than you might think: the risk isn’t just in what they carry, it’s built into the core of how they work. The security of USB devices has long been fundamentally broken: USB firmware (which exists in varying forms in all USB devices) can be reprogrammed to hide attack code, and a reprogrammed USB device can completely take over a PC. The firmware of many USB devices can also be reprogrammed by malware already running on a PC, turning an innocent device into an attack tool. All this is nearly impossible to counter without banning the sharing of USB devices or filling your ports with superglue. The short-term solution to BadUSB isn’t a technical patch so much as a fundamental change in how we use USB gadgets.



  1. Tomi Engdahl says:

    Turning USB peripherals into BadUSB

    USB devices are connected to – and in many cases even built into – virtually all computers. The interface standard conquered the world over the past two decades thanks to its versatility: Almost any computer peripheral, from storage and input gadgets to healthcare devices, can connect over the ubiquitous technology. And many more device classes connect over USB to charge their batteries.

    This versatility is also USB’s Achilles heel: Since different device classes can plug into the same connectors, one type of device can turn into a more capable or malicious type without the user noticing.

  2. Tomi Engdahl says:

    BadUSB: Big, bad USB security problems ahead

    Summary: Everyone knows that USB thumb-drives can spell security trouble, but a German security group has found new and nasty ways to use USB devices to wreak havoc on computers.

  3. Tomi Engdahl says:

    This thumbdrive hacks computers. “BadUSB” exploit makes devices turn “evil”
    Researchers devise stealthy attack that reprograms USB device firmware.

    When creators of the state-sponsored Stuxnet worm used a USB stick to infect air-gapped computers inside Iran’s heavily fortified Natanz nuclear facility, trust in the ubiquitous storage medium suffered a devastating blow. Now, white-hat hackers have devised a feat even more seminal—an exploit that transforms keyboards, Web cams, and other types of USB-connected devices into highly programmable attack platforms that can’t be detected by today’s defenses.

    Dubbed BadUSB, the hack reprograms embedded firmware to give USB devices new, covert capabilities.

  4. Tomi Engdahl says:

    Plug and PREY: Hackers reprogram USB drives to silently infect PCs
    BadUSB instructs gadget chips to inject key-presses, redirect net traffic and more

  5. Tomi Engdahl says:

    Turning USB peripherals into BadUSB

    USB devices are connected to – and in many cases even built into – virtually all computers. The interface standard conquered the world over the past two decades thanks to its versatility: Almost any computer peripheral, from storage and input gadgets to healthcare devices, can connect over the ubiquitous technology. And many more device classes connect over USB to charge their batteries.

    This versatility is also USB’s Achilles heel: Since different device classes can plug into the same connectors, one type of device can turn into a more capable or malicious type without the user noticing.

    Reprogramming USB peripherals. To turn one device type into another, USB controller chips in peripherals need to be reprogrammed. Very widely spread USB controller chips, including those in thumb drives, have no protection from such reprogramming.

  6. Tomi Engdahl says:

    News & Analysis
    How Secure Is Your USB?

    The recent report from researchers at Security Research Labs on the vulnerability of USB devices has seen equal amounts of soul searching and indignation from the industry. While the advice has been to make sure you use devices from trusted sources, some USB IP companies have been highlighting what device makers can do to ensure that their systems are secure.

    Rather than use malware on a USB device, SR Labs researchers Karsten Nohl and Jakob Lell reverse-engineered the code in the USB controllers and used it to inject a virus or trojan into a system.

    Gordon Lunn, customer engineering support manager at Glasgow, UK-based USB chip IP developer FTDI Chip, points out that the report highlights programmable devices, which are just one type of USB device.

    In the embedded market, many USB ASIC implementations provide a serial-to-USB bridge that is not vulnerable to this reprogramming.

    For example, if you have a WiFi dongle, it plugs in as a dongle, downloads the drivers and then reconfigures itself to be a data transfer device. If you have reconfigured the device, you can’t change the flash, but you could change the RAM locally. Once you re-power, it returns to its original state. What damage could be done before you realize there is a problem is then a question, but that is no different from any other programmable device, he says.

    He does acknowledge that programmability introduces a new and subtle route of turning a trusted device into a malicious device. “Although we shouldn’t dismiss this, we should remember that there are hundreds of different programmable cores on the market running thousands of different software stacks, with dozens of unique CPU instruction sets. Few of them allow direct in-the-field programming over USB.”

    He also points out that the recent security attacks using USB are not actually new. The threat has been known to USB insiders for years. “It’s been possible for at least 15 years to use COTS products to put together type-one malicious devices, even on a research budget,” he says.

  7. Tomi Engdahl says:

    USB stick is more dangerous than ever

    USB stick malware is a small phenomenon alongside other cyber attacks. But the phenomenon has become more dangerous than ever.

    Contaminated USB sticks were a threat a few years ago, which led many industrial companies to switch off the USB ports on their computers.

    The fear was not misplaced. According to current knowledge, Iran’s nuclear program was also disrupted by an attack delivered on a USB memory stick using the Stuxnet program.

    The risk is increased by the fact that USB attacks have evolved. You no longer need to open an infected document or rely on automatic start (Autorun).

    One of the most treacherous attack methods is contaminating sticks handed out at trade fairs: an attacker takes a few sample sticks, changes their contents to his liking and puts the sticks back to wait for someone to pick them up.

    Modern USB attacks are effective because you can no longer protect yourself against them by turning Autorun off or refraining from opening PDF or Office files on the drive.

    - USB is the most flexible technology that allows a wide range of attacks, Nuopponen says.

    A USB flash drive can be programmed to appear at first, for some time, in the usual way as an external mass storage device, but later change into a microphone or keyboard. A USB stick working as a keyboard can be pre-programmed with keyboard shortcuts that open a command prompt and load a program through it, capturing the machine.

    - If the infected drive gets into the machine, the game is lost.

    The only sure way to protect yourself is to use sticks whose origin you know.

    Source: http://www.itviikko.fi/tietoturva/2014/09/16/usb-tikku-on-vaarallisempi-kuin-koskaan/201412828/7?rss=8

  8. Tomi Engdahl says:

    Security researchers publicly release code to Github for “practically unpatchable” exploit BadUSB:

    The Unpatchable Malware That Infects USBs Is Now on the Loose

    It’s been just two months since researcher Karsten Nohl demonstrated an attack he called BadUSB to a standing-room-only crowd at the Black Hat security conference in Las Vegas, showing that it’s possible to corrupt any USB device with insidious, undetectable malware. Given the severity of that security problem—and the lack of any easy patch—Nohl has held back on releasing the code he used to pull off the attack. But at least two of Nohl’s fellow researchers aren’t waiting any longer.

    In a talk at the Derbycon hacker conference in Louisville, Kentucky last week, researchers Adam Caudill and Brandon Wilson showed that they’ve reverse engineered the same USB firmware as Nohl’s SR Labs, reproducing some of Nohl’s BadUSB tricks. And unlike Nohl, the hacker pair has also published the code for those attacks on Github, raising the stakes for USB makers to either fix the problem or leave hundreds of millions of users vulnerable.

    “The belief we have is that all of this should be public. It shouldn’t be held back. So we’re releasing everything we’ve got,” Caudill told the Derbycon audience on Friday.

    Phison 2251-03 (2303) Custom Firmware & Existing Firmware Patches (BadUSB)

  9. Tomi Engdahl says:

    FLASH drive… ARRRGH: BadUSB poses clear and present danger
    Researchers demonstrate serious flash drive flaws

    The seriousness of a USB security weakness, which potentially allows hackers to reprogram USB drives, has just been ratcheted up a notch, with the release of prototype code.

    Researchers Karsten Nohl and Jakob Lell, from German security skunkworks SR Labs, demonstrated how it might be possible to reprogram the firmware within some flash drives with malicious code at the Black Hat conference in Las Vegas, back in July. They dubbed the attack BadUSB.

    Then just last week, Adam Caudill and Brandon Wilson went one step further during a talk at the DerbyCon hacker conference in Louisville, Kentucky, by not only demonstrating the flaw but also publishing proof of concept code on Github. The move was designed to push USB makers into formulating a fix.

    The release of the prototype code that accompanied Caudill and Wilson’s Making BadUSB Work For You talk is controversial, as Nohl previously described BadUSB as practically unpatchable.

    “We believe all of this should be public,” Caudill told DerbyCon delegates, Wired reports. “It shouldn’t be held back. So we’re releasing everything we’ve got.”

    Both pieces of research came from reverse engineered USB firmware. The threat of malicious USB thumb drives more generally has been well understood for years, even giving rise to the observation from cyber security types that USB devices are “plug and prey” (a security-themed spin on “plug and play”).

    “The idea of re-flashing the firmware of devices such as PCs bios or HIDs for malicious purposes has been around for some time now,”

    “For example, fraudsters have been using hacked firmware to sell USB drives which shows higher storage capacity than they actually have.”

  10. Tomi Engdahl says:

    USB has a huge security problem that could take years to fix

    In July, researchers Karsten Nohl and Jakob Lell announced that they’d found a critical security flaw they called BadUSB, allowing attackers to smuggle malware on the devices effectively undetected. Even worse, there didn’t seem to be a clear fix for the attack. Anyone who plugged in a USB stick was opening themselves up to the attack, and because the bad code was residing in USB firmware, it was hard to protect against it without completely redesigning the system. The only good news was that Nohl and Lell didn’t publish the code, so the industry had some time to prepare for a world without USB.

    As of this week, that’s no longer true. In a joint talk at DerbyCon, Adam Caudill and Brandon Wilson announced they had successfully reverse-engineered BadUSB, and they didn’t share Nohl and Lell’s concerns about publishing the code. The pair has published the code on GitHub, and demonstrated various uses for it, including an attack that takes over a user’s keyboard input and turns control over to the attacker.

    According to Caudill, the motive for the release was to put pressure on manufacturers. “If the only people who can do this are those with significant budgets, the manufacturers will never do anything about it,” he told Wired’s Andy Greenberg. “You have to prove to the world that it’s practical, that anyone can do it.”

  11. Tomi Engdahl says:

    BadUSB Means We’re All Screwed

    Does anyone else get the feeling that the frequency of rather horrible vulnerabilities coming to light is accelerating? Off the top of our head, there’s Heartbleed, Shellshock, and now this one. The BadUSB exploit attack stems from the “invisible” microcontroller in most USB devices.

    Here’s how this one goes: all USB devices rely on a microcontroller to handle the peripheral-side of USB communications. The computer doesn’t care which microcontroller, nor does it have a way of knowing even if it wanted to. The uC is “invisible” in this situation, it’s the interface and data flowing through it that the computer cares about. BadUSB is an attack that adds malicious functionality to this microcontroller. To the computer it’s a perfectly normal and functional USB device, while all the bad stuff is happening on the peripheral’s controller where the computer can’t see it.

    How deeply do you think about plugging each and every USB device?

  12. Tomi Engdahl says:

    Protect Against BadUSB – IronKey

    IronKey Secure USB devices are not vulnerable to BadUSB malware which was revealed at Black Hat on August 7. BadUSB is the first USB malware designed to attack the device itself instead of attacking the data on the device.

    As revealed at the Black Hat session on BadUSB, the attack changes the firmware that controls the behavior of the USB hardware, allowing the USB device to become a host that can subsequently infect other computers and USB devices. The modified controller firmware cannot be detected by today’s anti-malware solutions, and in many cases, may remain undetectable.

  13. Tomi Engdahl says:

    BadUSB: threats, risks and how to protect yourself

    BadUSB is a way to theoretically manipulate any USB device to be infected with a virus (or other type of malware). This means in plain terms that an attacker will take a regular USB hardware which contains a small microprocessor, manipulate the firmware (which is actually a small operating system for the microcontroller to work) and infect it with malware. This will turn the USB hardware into a tool to manipulate your computer further.

    In reality this is very hard to do for an attacker but not impossible. The security researchers that show this threat are usually using a specific USB flash drive (for which they have the firmware) and manipulate it.

    This threat is real but it has also been present since the introduction of USB, more than a decade ago. It is a weakness of the USB standard and of the most common operating systems such as Windows. Since the operating system has no built-in option to verify the firmware of USB hardware, it trusts that a device that is connected to the USB port is the device type it tells the operating system it is.

    What you can do to protect yourself now.

    Connect only USB devices from vendors you know (e.g. keyboard and mouse from vendors like Logitech) and that come from a trusted source.

    Use a device control solution like Endpoint Protector that will monitor the use of devices connected to your computer.
    In one of our next updates we will include a feature to mitigate the BadUSB risk.

    Keep your anti-malware updated.

  14. Tomi Engdahl says:

    How You Can Avoid a BadUSB Attack

    Thanks to a couple of enterprising (or thoughtless) security experts and hackers presenting at Derbycon in Louisville, Kentucky, last week, BadUSB is now out in the wild, or at least downloadable on GitHub. It’s enough to make your stomach turn and certainly leave you wondering: How do I avoid BadUSB?

    To know how to stop BadUSB, the seemingly unstoppable USB stick hack that can turn a USB memory stick into a system-lethal weapon, it’s instructive to understand what it is and isn’t. BadUSB is not malware. It’s not a file you can download from email or off an infected device that can then run rampant on your computer and network. BadUSB is, as the name suggests, a bad USB drive that has been altered to connect to a computer in ways that normal USBs do not.

    While it’s not easy to create these kinds of dangerous USB devices, it’s also impossible for you to tell the difference between a regular USB and an altered one. Worse yet, since the files stored on the USB will not likely be infected, standard security software probably won’t even detect that these are dangerous little pieces of hardware when you plug them into your computer.

    We spoke to some security software firms about their best advice for avoiding BadUSB and their recommendations were remarkably analog.

    For consumers they recommend:

    Only insert trusted USB devices into computers

    Do not use or purchase pre-owned USB devices (they could potentially contain malicious software).

    Never leave your computer or mobile devices unlocked or unattended.

    “The best practical advice McAfee can give consumers regarding the BadUSB attack is to avoid thumb drives that are not from a credible source, such as a big box retailer or they have not previously used. Additionally, we would discourage consumers from using promotional thumb drives that are given away at events.”

    Davis’ last bit of advice points to what may be one of the chief distribution vectors for BadUSB. Trade show exhibitors long ago gave up handing out pamphlets and folders to show goers and now favor bowls full of USB sticks pre-loaded with information about their products and services.

    Businesses are, perhaps, even more vulnerable than homes. The USB drive is the 21st Century 3.5-inch floppy. While everyone is on a network, it’s not unusual to sneakernet it and hand someone a USB drive with the needed file or presentation. And how often are we handing around reused USB sticks?

    Administrators can lock USB port use on Windows 7 and 8 PCs or they can install endpoint software like Symantec Endpoint Protection, which offers a device control module that prevents USB devices from mounting on systems. There are actually a wide variety of tools for system administrators including Safend Protector, Sophos Endpoint Security and Data Protection and Skyrecon StormShield Endpoint Security.

    Fears over how to manage and share files and documents across a company and between partners without running into BadUSB may prompt more people to adopt the cloud. (Cloud storage is, of course, an Internet-only option for sharing and synchronizing all kinds of files. )

    If you do plug a BadUSB into your computer, there is a chance that security software could protect you. Symantec points out that while the BadUSB may be able to cloak its nefarious purpose, as soon as it tries installing or running malware on a protected system, resident security software should detect and block it. “So the threat may remain hidden,” said one Symantec analyst, “but it will not be able to infect a protected machine.”

  15. Tomi Engdahl says:

    How to prevent BadUSB attacks on linux desktop

    The idea behind BadUSB is that a malicious agent re-flashes a device’s USB controller chip to do something nasty. This is an interesting possibility, but there are some serious assumptions here that people tend to gloss over:
    1: The USB controller chip has to allow firmware flashing over the USB connection
    2: The device has to be physically capable of the activity you’re attempting
    3: The computer has to be willing to play along

    This whole concept isn’t all bunk. If a device allows re-flashing by any connected host, that’s an issue. I can safely state with 100% certainty that it won’t lead to the calamities pushed by the associated breathless news articles. But it’s worth attention.

    The BadUSB attack is based on the fact that computers allow and enable HID devices on all USB ports. Faked network adapters are no real danger. My answer tries to describe how to use udev to temporarily disable the addition of new HID devices.

    BadUSB isn’t an attack. It’s a tool used when designing attacks.

  16. Tomi Engdahl says:

    » Kernel & Hardware
    » [Solved] BadUSB protection?

  17. Tomi Engdahl says:

    Controlling USB device access on Linux (e.g. BADusb defense)

    So, there was a lot of fuss about a recent talk by Karsten Nohl et al. at BlackHat about the insecurity of current USB implementations (on the computer side), which happily load drivers for all kinds of devices as soon as a (potentially malicious) USB stick is connected.

    I completely agree that, as shipped, most computer systems will be susceptible to this attack, and assume that all of their attacks will work as advertised. What I don’t agree with at all is their conclusion, which boils down that no effective defenses exist.

    The mechanism in current Linux kernels to limit binding of potentially dangerous drivers to specific devices, so that e.g. an inserted USB stick would only be mounted as a block device, and its malicious keyboard interface be ignored.

    A Linux module can claim ownership of certain USB vendor/device IDs or device classes.

    On connection of a USB device, the kernel will look through all its currently registered modules that claim to support USB devices (by registering those tables with the kernel) and bind devices to drivers (and if it doesn’t succeed, it will call udev/hotplug to load a module that does).

    But, you can easily turn off this automatic binding, at least on Linux, with one single command:
    [root@optiplex ~]# echo 0 >/sys/bus/usb/drivers_autoprobe
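The Linux defense described in the two comments above (udev and driver binding in comment 15, the drivers_autoprobe switch in comment 17) carried through as an added example; the script is not from the blog, from the quoted posts, or from SR Labs. It turns the one-liner into a class-based allow list: automatic binding is switched off, then only interfaces whose bInterfaceClass is on the list (here just 08, mass storage; that policy value is a hypothetical choice) are handed to drivers via the drivers_probe bus attribute, while a HID interface (03) on the same stick is logged and left unbound. Assumed: a Linux host with sysfs mounted at /sys; the function names and output format are mine.

```sh
#!/bin/sh
# Added example, not code from the blog, the quoted posts or SR Labs.
# Host-side allow list for Linux built on the drivers_autoprobe switch from
# comment 17: autoprobe is turned off, then each enumerated interface is bound
# to a driver only if its bInterfaceClass is on the allow list, so a stick that
# also presents a keyboard interface gets storage but no input driver.
# Assumes: Linux with sysfs at /sys (drivers_autoprobe / drivers_probe bus
# attributes and per-interface bInterfaceClass files are standard kernel sysfs).
# Class codes are the USB-IF base class codes: 03 HID, 08 mass storage, etc.

# Classes that may bind automatically. Hypothetical policy: storage only.
ALLOWED_CLASSES="08"

# interface_allowed CLASS -> exit 0 if CLASS is on the allow list, else 1.
# Pure string logic, kept apart from sysfs access so it can be tested.
interface_allowed() {
    for a in $ALLOWED_CLASSES; do
        [ "$1" = "$a" ] && return 0
    done
    return 1
}

# class_name CLASS -> readable name for log lines (subset of the USB classes).
class_name() {
    case "$1" in
        01) echo "audio" ;;
        02) echo "communications (CDC, incl. network)" ;;
        03) echo "HID (keyboard/mouse)" ;;
        08) echo "mass storage" ;;
        0e) echo "video" ;;
        e0) echo "wireless controller" ;;
        *)  echo "class $1" ;;
    esac
}

# Step 1 (comment 17's one-liner): stop the kernel binding drivers on its own.
disable_autoprobe() {
    echo 0 > /sys/bus/usb/drivers_autoprobe
}

# Step 2: walk every USB interface (directories named like 1-4:1.0), probe only
# the allowed ones, and log the rest for a human to bind by hand if expected.
apply_policy() {
    for iface in /sys/bus/usb/devices/*:*.*; do
        [ -r "$iface/bInterfaceClass" ] || continue
        cls=$(cat "$iface/bInterfaceClass")
        name=$(basename "$iface")
        if interface_allowed "$cls"; then
            echo "$name" > /sys/bus/usb/drivers_probe
            echo "bound   $name  $(class_name "$cls")"
        else
            echo "skipped $name  $(class_name "$cls")  (bind manually if expected)"
        fi
    done
}

# Usage (as root): sh usb-allowlist.sh apply
# Without the "apply" argument the file only defines the functions.
if [ "${1:-}" = "apply" ]; then
    disable_autoprobe
    apply_policy
fi
```

The caveat comment 15 raises still applies: the host only sees descriptors, so a class filter removes the keyboard capability of a reprogrammed stick but cannot tell a genuine disk from a malicious one, and whatever it hands to usb-storage still deserves the ordinary mass-storage precautions. A desk with a real USB keyboard needs that one interface bound by name (echo its 1-x:1.y name to /sys/bus/usb/drivers_probe) after the policy runs, or the keyboard stays dead.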

  18. Tomi Engdahl says:

    USB coding anarchy: Consider all sticks licked
    Thumb drive design ruled by almighty buck

    Thumb drives are so inconsistently manufactured it is all but impossible to know if any unit could be reprogrammed to own computers, researcher Karsten Nohl says.

    The conditions that determined if a unit could be hacked varied not only between vendors but also within product unit lines due to manufacturers buying different hardware components due to fluctuating prices.

    “As long as USB controllers are reprogrammable, USB peripherals should not be shared with others,” the team said.

    “Once infected through USB, malware can use peripherals as a hiding place, hindering system clean up.”

    It was bad news for the most security conscious organisations and individuals and good news for attackers, notably given the release last month of BadUSB attack code.

    Android phones, they said, were the simplest BadUSB attack platforms due to their pre-configured Ethernet-over-USB setup.

    The team also detailed attacks booting hidden rootkits using a BadUSB that could distinguish Windows from Mac and Linux, and a large number of attacks including keyboard emulation and network card spoofing.

    Whitelisting USBs was hindered due to lack of serial numbers and mechanisms to apply the measure, while malicious firmware could easily spoof its legitimacy to foil malware scans.

  19. Tomi Engdahl says:

    Security warning: do not ever lend your mobile phone charger!

    Information security pioneer Harri Hursti says USB devices harbour a huge security problem, which may require drastic action to stop.

    The internationally acclaimed Finnish security expert Harri Hursti gave the Slush audience a warning that would make wide use of this technology difficult.

    - Never take a mobile phone charger or any other USB-enabled device from others, Hursti advises.

    Hursti gives such drastic advice because USB devices harbour this huge security issue. A USB interface can be found on almost all computers and digital devices, including modern mobile phones, chargers and memory sticks.

    USB devices are, according to Hursti, basically small computers that are programmable and can be contaminated with malware. The danger, Hursti maintains, lies in the fact that with current technology there is no way even to detect contaminated USB devices, let alone to clean them.

    - We rely blindly on these sticks, which lie all the time! We have no way to know whether they are contaminated or not.

    Up to half of the available USB devices can be turned into an attack tool. An infected USB stick can do different kinds of damage to the machine; for example, an infected flash drive can pretend to be a keyboard and thus give the machine commands.

    Source: http://www.iltalehti.fi/digi/2014111918850834_du.shtml

  20. Tomi Engdahl says:

    Charging Your Smartphone… What Can Possibly Go Wrong?

    Energizer’s Duo USB charger is infected with a trojan virus. See more at: http://www.mobilemag.com/2010/03/08/energizers-duo-usb-charger-is-infected-with-a-trojan-virus/

  21. Tomi Engdahl says:

    Horrible Apple iOS virus; vectored via USB: WireLurker is ‘new brand of threat’ [u]

    Plugging in your iPhone? Don’t blindly trust Macs or chargers, even if you’re not in China

    According to researchers at Palo Alto Networks, the so-called WireLurker virus can infect your iPhone or iPad from a simple USB connection. Hundreds of thousands of users have been infected already, say researchers.

    Apple says it’s already fixed the problem, but independent infosec geeks say the company still has a long way to go, and that the problem isn’t limited to China.

  22. Tomi Engdahl says:

    USB Condoms: play it safe and avoid viruses on Android

    All kidding aside, the USBCondom exists and it’s a beautifully simple idea that follows the logic of its namesake: it provides a protective barrier between your USB cable (and thus, your phone) and whatever it is being plugged into. This means that when you connect your phone to an internet cafe computer, a USB charging station at the airport, or a friend’s laptop, you’re protected.

    How does it work? Simple: the USBCondom is an adapter that simply strips away the data transferring capabilities of a standard USB port, meaning that only the 5V current is transferred, but no data can be passed back or forth.

  23. Tomi Engdahl says:

    This Little USB Necklace Hacks Your Computer In No Time Flat

    Quick! The bad guy/super villain has left the room! Plug in a mysterious device that’ll hack up their computer while an on-screen progress bar ticks forward to convey to the audience that things are working!

    It’s a classic scene from basically every spy movie in history. In this case, however, that mystery device is real.

    Samy Kamkar — developer of projects like that massive worm that conquered MySpace back in 2006, or SkyJack, the drone that hijacks other drones — has released a video demonstrating the abilities of a particularly ridiculous “necklace” he sometimes wears around.

    Called USBdriveby, it’s a USB-powered microcontroller-on-a-chain, rigged to exploit the inherently awful security flaws lurking in your computer’s USB ports. In about 60 seconds, it can pull off a laundry list of nasty tricks:

    It starts by pretending to be a keyboard/mouse.
    If you have a network monitor app like Little Snitch running, it uses a series of keystrokes to tell LittleSnitch that everything is okay and to silence all warnings.
    It disables OS X’s built-in firewall.
    It pops into your DNS settings and tweaks them to something under the hacker’s control, allowing them to replace pretty much any website you try to visit with one of their own creation.
    It opens up a backdoor, then establishes an outbound connection to a remote server which can send remote commands. Since the connection is outbound, it eliminates the need to tinker with the user’s router port forwarding settings.
    It closes any windows and settings screens it opened up, sweeping up its footprints as it heads for the door.

    So in 30-60 seconds, this device hijacks your machine, disables many layers of security, cleans up the mess it makes, and opens a connection for remote manipulation even after the device has been removed. That’s… kind of terrifying.

    So what can you do to protect yourself from things like this? Not a whole lot, really — that’s why attacks like this and BadUSB are so freaky.

  24. Tomi Engdahl says:

    Plug Into USB, Get a Reverse Shell

    Computers blindly trust USB devices connected to them. There’s no pop-up to confirm a device was plugged in, and no validation of whether the device should be trusted. This lets you do some nefarious things with a simple USB microcontroller.

    The USBdriveby targets OS X. When connected, it changes the DNS server settings to a custom IP, to allow for DNS spoofing of the victim’s machine. This is possible without a password through the OS X System Preferences, but it requires emulating both keystrokes and clicks.

    After modifying DNS, a reverse shell is opened using netcat. This allows for remote code execution on the machine.

    The Teensyterpreter gives a reverse shell on Windows machines. It runs command prompt as administrator, then enters a one-liner to fire up the reverse shell using Powershell. The process happens in under a minute, and works on all Windows versions newer than XP.

    Teensyterpreter: Reverse TCP Shells In Seconds!

  25. Tomi Engdahl says:

    Using HID Tricks to Drop Malicious Files

    [Nikhil] has been experimenting with human interface devices (HID) in relation to security. We’ve seen in the past how HID can be exploited using inexpensive equipment. [Nikhil] has built his own simple device to drop malicious files onto target computers using HID technology.

    The system runs on a Teensy 3.0.
    You can trick a computer into believing the Teensy is a keyboard.

    [Nikhil’s] device uses a very simple trick to install files on a target machine. It simply opens up PowerShell and runs a one-liner command. Generally, this command will create a file based on input received from a web site controlled by the attacker.

    Protecting from this type of attack can be difficult. Your primary option would be to strictly control USB devices, but this can be difficult to manage, especially in large organizations.

    Dropping infected/weaponized files using a Human Interface Device
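The three posts above (USBdriveby, Teensyterpreter and [Nikhil]'s HID dropper) share one first step: the device enumerates as a keyboard. As an added example, not code from those projects or from the blog, the script below reviews kernel log text for the host-side trace that step leaves, a USB port whose device registered both a mass-storage interface and a HID keyboard. The log lines are constructed for the example (vendor/product IDs, product names and timestamps are illustrative, not real indicators); the line formats are the standard Linux dmesg messages from the usb core, usb-storage and hid-generic. Function names are mine.

```sh
#!/bin/sh
# Added example, not code from the blog or from the USBdriveby / Teensyterpreter /
# HID-dropper projects. Reviews kernel log text and flags any USB port where the
# same device registered both a mass-storage interface and a HID keyboard, which
# is what a reprogrammed thumb drive looks like to the host.
# Assumes: Linux dmesg-format lines. The sample below is constructed; its IDs
# (1234:abcd, 0951:1666, 046d:c31c) and names are illustrative only.

SAMPLE_LOG='[   12.101234] usb 1-2: New USB device found, idVendor=046d, idProduct=c31c, bcdDevice=64.00
[   12.104567] usb 1-2: Product: USB Keyboard
[   12.310000] hid-generic 0003:046D:C31C.0001: input,hidraw0: USB HID v1.10 Keyboard [USB Keyboard] on usb-0000:00:14.0-2/input0
[  180.220000] usb 1-3: New USB device found, idVendor=0951, idProduct=1666, bcdDevice= 1.10
[  180.300000] usb-storage 1-3:1.0: USB Mass Storage device detected
[  240.443000] usb 1-4: New USB device found, idVendor=1234, idProduct=abcd, bcdDevice= 1.00
[  240.612000] usb 1-4: Product: Example Drive
[  240.700000] usb-storage 1-4:1.0: USB Mass Storage device detected
[  241.100000] input: Example Drive as /devices/pci0000:00/0000:00:14.0/usb1/1-4/1-4:1.1/0003:1234:ABCD.0004/input/input12
[  241.101000] hid-generic 0003:1234:ABCD.0004: input,hidraw1: USB HID v1.11 Keyboard [Example Drive] on usb-0000:00:14.0-4/input1'

# flag_storage_plus_keyboard: read kernel log text on stdin and print the port
# path (e.g. "1-4") of every device that registered both a mass-storage
# interface and a HID keyboard. The three message types are joined through the
# vendor:product pair, which the usb core prints in lower case and hid-generic
# in upper case, hence toupper() on both sides.
flag_storage_plus_keyboard() {
    awk '
    { sub(/^\[ *[0-9.]+] */, "") }                  # drop the dmesg timestamp
    /^usb [0-9.-]+: New USB device found/ {
        port = $2; sub(/:$/, "", port)               # "1-4:" -> "1-4"
        vid = $0; sub(/.*idVendor=/, "", vid); sub(/,.*/, "", vid)
        pid = $0; sub(/.*idProduct=/, "", pid); sub(/,.*/, "", pid)
        id[port] = toupper(vid ":" pid)              # "1-4" -> "1234:ABCD"
    }
    /^usb-storage .* USB Mass Storage device detected/ {
        p = $2; sub(/:[0-9]+\.[0-9]+:$/, "", p)      # "1-4:1.0:" -> "1-4"
        storage[p] = 1
    }
    /USB HID v[0-9.]+ Keyboard/ {
        h = $2                                       # "0003:1234:ABCD.0004:"
        sub(/^[0-9A-Fa-f]+:/, "", h); sub(/\.[0-9]+:$/, "", h)
        keyboard[toupper(h)] = 1                     # -> "1234:ABCD"
    }
    END {
        for (p in storage)
            if ((p in id) && (id[p] in keyboard)) print p
    }'
}

# scan_sample: run the detector over the constructed log; only port 1-4 has
# both a storage interface and a keyboard, so it prints "1-4".
scan_sample() {
    printf '%s\n' "$SAMPLE_LOG" | flag_storage_plus_keyboard
}

# scan_live: the same check against this machine's kernel log (needs dmesg access).
scan_live() {
    dmesg | flag_storage_plus_keyboard
}

# Usage: sh hid-review.sh live   (no argument: just defines the functions)
if [ "${1:-}" = "live" ]; then
    scan_live
fi
```

This is a review aid, not a blocker: composite storage-plus-keyboard devices exist legitimately (some hardware tokens), so a hit means "look at this port". A stick that switches to keyboard mode only after a delay still shows up, because the kernel logs the HID registration whenever it happens, not only at first plug-in.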

  26. Tomi Engdahl says:

    Malware Alert: E-Cigarettes Could be Bad for Computer Health

    Some e-cigarettes from China have malware hard coded into the charger, providing cyber-criminals with an unusual but effective infection vector, according to online reports.

    Reddit user ‘Jrockilla,’ who claims to be ‘an IT guy,’ posted a story last week about a data breach at a large enterprise.

    The IT team apparently couldn’t work out the cause of a malware infection on an executive’s computer, given that the user had up-to-date anti-malware protection installed.

    He continued:

    “They finally asked the executive, ‘have there been any changes in your life recently?’. The executive answered, ‘well yes, I quit smoking two weeks ago and switched to e-cigarettes.’ And that was the answer they were looking for. The made-in-China e-cigarette had malware hard-coded into the charger and when plugged into a computer’s USB port the malware phoned home and infected the system.”

    Phil Barnett, EMEA general manager at Good Technology, argued that the news should serve as a warning on the dangers of “a new generation of intelligent devices.”

    “While laptops have increasingly sophisticated protection against malware attacks, mobile phones, tablets and wearable technologies do not yet. Malware can spread to these devices very quickly and cause risk to consumers and businesses alike,” he added.

    While malware from China is nothing new, there have been allegations in the past that US-produced technology products may also be at risk.

  27. Tomi Engdahl says:

    The new MacBook’s single port comes with a major security risk

    After years of development, USB Type-C is making a very big debut. Last week, Apple announced its new MacBook would come with just a single Type-C plug for both power and data, a move that allowed for the slimmest MacBook ever. A few days later, Google unveiled the new version of its flagship Chromebook Pixel with the same Type-C port. To the extent that hardware components can have a moment, USB Type-C is having one.

    But while the new port is powerful, it also comes with serious security problems. For all its versatility, Type-C is still based on the USB standard, which makes it vulnerable to a nasty firmware attack, and researchers are also concerned about other attacks that piggyback on the plug’s direct memory access. None of these vulnerabilities are new, but bundling them together with the power cord in a single universal plug makes them scarier and harder to avoid. On a standard machine, users worried about USB attacks could simply tape over their ports, but power is the one plug you have to use. Turning that plug into an attack vector could have serious security consequences.

    The biggest concern is the BadUSB vulnerability, first published last year.

    Type-C has a lot of advantages over previous models, but security experts say it does little to fix the core problems of BadUSB. “The additional openness and flexibility of USB Type-C comes with more attack surface,” says Karsten Nohl, one of the researchers who first discovered BadUSB. “No solution for BadUSB is in sight even with this new standard.”

    In part, that’s by necessity. USB is an open standard built on backwards compatibility and easy third-party access. You’ll need an adapter to plug in old USB devices to Type-C ports, but the old software protocols still work, leaving open the same vulnerabilities. Even giants like Apple and Google need to abide by the rules of the USB standard, which rule out some of the tough sacrifices necessary to securing the standard overall. The result for users is a major security flaw with no easy fix.

    In practical terms, that means MacBook and Chromebook Pixel users are now exposed to what you might call a “borrowed charger” attack. The new chargers don’t have the firmware needed to carry the BadUSB virus, but it would be easy for an attacker to install it herself, then spend a day in a coffee shop waiting for some unsuspecting target to plug in.

    Fixing the vulnerability at an ecosystem level is surprisingly difficult. No single company can change the way USB works, so the only real fix is to move away from the standard at large. In the past, Apple has built authentication chips into connectors like Lightning — primarily to protect Apple’s lucrative licensing business, but with stronger hardware security as a nice side effect. That’s not possible on an open standard like USB.

    The best protection is simple: just avoid any chargers or devices you didn’t buy yourself. But it’s a serious downgrade in device security, set against major upgrades in power transfer and data speed.

  28. Tomi Engdahl says:

    Attackers actively exploit Windows bug that uses USB sticks to infect PCs
    In-the-wild exploit is reminiscent of those used to unleash Stuxnet worm.

    Attackers are actively exploiting a vulnerability in all supported versions of Windows that allows them to execute malicious code when targets mount a booby-trapped USB on their computers, Microsoft warned Tuesday in a regularly scheduled bulletin that patches the flaw.

    The vulnerability is reminiscent of a critical flaw exploited around 2008 by an NSA-tied hacking group dubbed Equation Group and later by the creators of the Stuxnet computer worm that disrupted Iran’s nuclear program. The vulnerability—which resided in functions that process so-called .LNK files Windows uses to display icons when a USB stick is plugged in—allowed the attackers to unleash a powerful computer worm that spread from computer to computer each time they interacted with a malicious drive.

    When Microsoft patched the .LNK vulnerability in 2010 with MS10-046, company officials classified the vulnerability as “critical,” the company’s highest severity rating.

    In addition to fixing the bug, Microsoft is also releasing software that allows patched computers to log attempts to exploit the bug. That will make it easier for people to know if they were targeted by attackers.

    Defending against CVE-2015-1769: a logical issue exploited via a malicious USB stick

  29. Tomi Engdahl says:

    USBdriveby – exploiting USB in style

    USBdriveby (http://samy.pl/usbdriveby) is a device you stylishly wear around your neck which can quickly and covertly install a backdoor and override DNS settings on any unlocked machine via USB in a matter of seconds. It does this by emulating a keyboard and mouse, blindly typing things, flailing the mouse pointer around and weaponizing mouse clicks.

  30. Tomi Engdahl says:

    USB Rubber Ducky Deluxe

    If it quacks like a keyboard and types like a keyboard, it must be a keyboard.

    Humans use keyboards. Computers trust humans.

    Take Social Engineering to the next level with a USB Rubber Ducky Deluxe hidden inside an inconspicuous “thumb drive” case. All the fixings included.

    Since 2010 the USB Rubber Ducky has been a favorite among hackers, penetration testers and IT professionals. With origins as a humble IT automation proof-of-concept using an embedded dev-board, it has grown into a full fledged commercial Keystroke Injection Attack Platform. The USB Rubber Ducky captured the imagination of hackers with its simple scripting language, formidable hardware, and covert design.

    Quack Like a Keyboard!

    Nearly every computer including desktops, laptops, tablets and smartphones take input from Humans via Keyboards. It’s why there’s a specification with the ubiquitous USB standard known as HID – or Human Interface Device. Simply put, any USB device claiming to be a Keyboard HID will be automatically detected and accepted by most modern operating systems. Whether it be a Windows, Mac, Linux or Android device the Keyboard is King.

    By taking advantage of this inherent trust with scripted keystrokes at speeds beyond 1000 words per minute traditional countermeasures can be bypassed by this tireless trooper – the USB Rubber Ducky.
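The inhuman typing speed mentioned above is also the property a defender can key on. The following is an added example, not code from Hak5 or from any tool on this page: it groups key events by the input device that produced them and flags any device whose mean inter-key gap, over a rolling window, is far below what a human typist can sustain. The thresholds, the event format and the sample timestamps are assumptions constructed for the demo; a real deployment would feed it events from a platform input hook such as evdev.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class KeyEvent:
    ts: float      # seconds (constructed timestamps below)
    device: str    # input device that produced the key (e.g. an evdev node name)
    key: str       # key that was pressed


# Thresholds are assumptions, not figures from the page: a fast human typist
# sustains roughly 120 wpm, about 100 ms per character. 1000 wpm works out to
# about 12 ms per character, so a sustained mean gap under 30 ms is treated as
# scripted input from a keystroke-injection device.
SCRIPTED_MAX_INTERVAL_S = 0.030
WINDOW = 16  # consecutive keys examined before a verdict is issued


def mean_interval(timestamps: List[float]) -> Optional[float]:
    """Mean gap between consecutive timestamps, or None if fewer than two."""
    if len(timestamps) < 2:
        return None
    gaps = [later - earlier for earlier, later in zip(timestamps, timestamps[1:])]
    return sum(gaps) / len(gaps)


def fastest_window(timestamps: List[float], window: int = WINDOW) -> Optional[float]:
    """Smallest mean inter-key gap over any `window` consecutive keys.

    A rolling window rather than a whole-session average keeps a short burst
    of injected keys visible even if the device is idle afterwards."""
    if len(timestamps) < window:
        return None
    best: Optional[float] = None
    for start in range(len(timestamps) - window + 1):
        current = mean_interval(timestamps[start:start + window])
        if best is None or current < best:
            best = current
    return best


def classify(events: Iterable[KeyEvent]) -> Dict[str, Tuple[str, Optional[float]]]:
    """Return {device: (verdict, fastest_mean_gap)} for every device seen.

    verdict is "scripted", "human" or "insufficient-data"."""
    per_device: Dict[str, List[float]] = defaultdict(list)
    for event in sorted(events, key=lambda e: e.ts):
        per_device[event.device].append(event.ts)
    verdicts: Dict[str, Tuple[str, Optional[float]]] = {}
    for device, stamps in per_device.items():
        fastest = fastest_window(stamps)
        if fastest is None:
            verdicts[device] = ("insufficient-data", None)
        elif fastest < SCRIPTED_MAX_INTERVAL_S:
            verdicts[device] = ("scripted", fastest)
        else:
            verdicts[device] = ("human", fastest)
    return verdicts


def constructed_events() -> List[KeyEvent]:
    """Constructed sample: one human typist, one injection device, one sparse device."""
    events: List[KeyEvent] = []
    t = 0.0
    for i, ch in enumerate("the quick brown fox."):       # 20 keys, ~150 ms apart
        events.append(KeyEvent(t, "kbd-human-0", ch))
        t += 0.150 + (0.020 if i % 3 == 0 else -0.010)
    t = 10.0
    for ch in "this text was typed by a script":          # 31 keys, 5 ms apart (~2400 wpm)
        events.append(KeyEvent(t, "hid-unknown-1", ch))
        t += 0.005
    # a device that has only sent a couple of keys gets no verdict yet
    events.append(KeyEvent(20.0, "kbd-sparse-2", "a"))
    events.append(KeyEvent(20.3, "kbd-sparse-2", "b"))
    return events


if __name__ == "__main__":
    for device, (verdict, gap) in classify(constructed_events()).items():
        shown = "n/a" if gap is None else f"{gap * 1000:.1f} ms"
        print(f"{device}: {verdict} (fastest mean gap {shown})")
```

The verdict is per device rather than per session on purpose: a real keyboard and an injection device plugged in at the same time must not mask each other, and the "insufficient-data" state avoids alerting on a device that has only produced a key or two.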

  31. Tomi Engdahl says:

    Turning USB peripherals into BadUSB

    USB devices are connected to – and in many cases even built into – virtually all computers. The interface standard conquered the world over the past two decades thanks to its versatility: Almost any computer peripheral, from storage and input gadgets to healthcare devices, can connect over the ubiquitous technology. And many more device classes connect over USB to charge their batteries.

    This versatility is also USB’s Achilles heel: Since different device classes can plug into the same connectors, one type of device can turn into a more capable or malicious type without the user noticing.

    No effective defenses from USB attacks are known.

  32. Tomi Engdahl says:

    Unexpected Betrayal From Your Right Hand Mouse

    We’ve heard of the trusted peripheral being repurposed for nefarious uses before. Sometimes they’ve even been modified for more benign purposes. All of these have a common trend. The mouse itself must be physically modified to add the vulnerability or feature. However, the advanced mice with macro support can be used as is for a vulnerability.

    The example in this case is a Logitech G-series gaming mouse. The mouse has the ability to store multiple personal settings in its memory. That way someone could take the mouse to multiple computers and still have all their settings available.

    Your Mouse Got Sick and You Don’t Know it. aka “Reverse Shell via Mouse”

    Ever got a backdoor installed on your computer by your beloved mouse? Here’s the story of a poor mouse that got really, really sick.

    Do you remember the times where people put Teensy-boards and USB hubs in their mouses? [Chris? ;)] Their aim was to attach an additional Human Interface Device (HID, like keyboards or mouses) with some payload in kind of e.g. keystrokes or mouse movements. Also, there are devices available like the USB Rubber Ducky in the housing of a USB thumb drive.
    The principle is easy: The tools are using a programmable microcontroller with the capability to emulate USB HID. That’s it. Just program your board of choice with the payload fitting your needs and plug it in at the target computer. The latter will recognize it as a keyboard/mouse and the payload-keystrokes will be entered.
    But why should external hardware be used? Many modern gaming peripherals provide functions to store macros on them, including enough onboard memory for little payloads.

    But wait – macros and profiles stored on the mouse? Recall the lines above concerning the HID story.
    Could it be possible to store a macro big enough to drop a reverse shell on a Windows target?
    Actually – it could.
    It’s just as simple as using the Logitech Gaming Software’s Command Editor. Choose a button, put a macro on it, fit the timings and go!
    The only thing you should consider, that you’re limited to about 100 keystrokes. If there should be something dropped on the target, like an executable or a script, you should think about using FTP or Powershell to download it externally, like I did here.

    In this Proof of Concept the macro opens the Windows Command Line and downloads

  33. Tomi Engdahl says:

    Universal Serial Abuse

    So as part of that awareness, it’s likely you’ll be wary of strange USB devices. If someone drops a Flash drive in the parking lot the chances of one of you blithely plugging it into your laptop is not high at all. USB ports are trusted by your computer and its operating system, and to have access to one is to be given the keys to the kingdom.

    Our subject today is a DEF CON talk courtesy of [Dominic White] and [Rogan Dawes] entitled “Universal Serial aBUSe”, and it details a USB attack in which they create an innocuous USB stick that emulates a keyboard and mouse which is shared across a WiFi network via a VNC server. This gives an attacker (who can gain momentary physical access to a USB port to install the device) a way into the machine that completely bypasses all network and other security measures.

    Their hardware features an AVR and an ESP8266, the former for USB and HID work and the latter to do the heavy lifting and provide WiFi.

    Universal Serial aBUSe

    The Hardware

    We initially prototyped the attacks on April Brother’s, Cactus Micro revision 2. Think of it like a Teensy 2 with an ESP8266 stuck on it. This is still the cheapest way to get the hardware for this attack ($11).

    The device has two microcontrollers, an Atmega32u4 and an ESP8266. The Atmega32u4 (hereafter AVR) gives us USB device capability using the LUFA stack. The ESP8266 (hereafter ESP) is much faster than the AVR, and provides a WiFi interface, however, it doesn’t have USB support. We based our code for the ESP on the esp-link TCP-UART firmware.

    The ESP runs a modified version of the esp-link firmware. This provides a VNC server to the attacker, which is how HID events are received. The telnet interface is used to send binary data. Originally, Rogan built a Java client and custom protocol to take HID input, but soon realised that this is what VNC was designed for, and built a VNC server into the esp-link firmware instead.

    The ESP is connected via UART to the AVR. The AVR is running our own firmware built on the excellent LUFA stack. The AVR’s job is mostly to be the UART to USB interface. The AVR will present itself as three devices to the host OS. A keyboard and mouse, which are used to replay HID events from the ESP’s VNC server, and a “binary pipe” device. Currently, we’re using a Generic HID device, as it has standard drivers that don’t require privileges in Windows.

    On the host, a two or three stage process is run, depending on the type of attack.

    1. The initial “typed” payload is run. The “typing” is automated using a vnc automation tool, vncdotool.
    2. The second stage no longer has size restrictions as it’s sent as a binary blob over the generic HID device. The simplest payload here just spawns a command shell on the host and sends it back to the telnet port on the ESP. There’s also a screenshot payload,
    3. There’s an alternate second stage, that is used to spawn a TCP to USB proxy bound to localhost, that can be used to stage other more common network-based payloads, such as meterpreter.

    Theoretically, this attack is nothing new. However, the gap between theory and implementation was pretty big.

  34. Tomi Engdahl says:

    From http://hackaday.com/2016/11/06/hackaday-links-november-6-2016/

    The USB Rubber Ducky is a thumb-drive sized device that, when plugged into a computer, presents itself as a USB HID keyboard, opens up a CLI, inputs a few commands, and could potentially do evil stuff. The USB Rubber Ducky costs $45, a Raspberry Pi Zero and a USB connector costs $6. [tim] built his own USB Rubber Ducky, and the results are great.

    Project Details
    For DIY USB Rubber Ducky
    Why spend $45+ on a USB Rubber Ducky, when you can build one yourself for $5?

    Now you need to write an image to the SD card you’ll be using with the Pi so that it will be recognized as a HID device and run scripts. The one I used in the project is called DuckBerry Pi

  35. Tomi Engdahl says:

    PoisonTap – siphons cookies, exposes internal router & installs web backdoor on locked computers

    When PoisonTap (Raspberry Pi Zero & Node.js) is plugged into a locked/password protected computer, it:

    emulates an Ethernet device over USB (or Thunderbolt)
    hijacks all Internet traffic from the machine (despite being a low priority/unknown network interface)
    siphons and stores HTTP cookies and sessions from the web browser for the Alexa top 1,000,000 websites
    exposes the internal router to the attacker, making it accessible remotely via outbound WebSocket and DNS rebinding (thanks Matt Austin for rebinding idea!)
    installs a persistent web-based backdoor in HTTP cache for hundreds of thousands of domains and common Javascript CDN URLs, all with access to the user’s cookies via cache poisoning
    allows attacker to remotely force the user to make HTTP requests and proxy back responses (GET & POSTs) with the user’s cookies on any backdoored domain
    does not require the machine to be unlocked
    backdoors and remote access persist even after device is removed and attacker sashays away

  36. Tomi Engdahl says:

    The $5 PoisonTap quickly, completely hijacks even a locked computer’s internet

    After I learned of this clever exploit from Samy Kamkar, my poor 2012 MacBook Air looks more vulnerable than venerable: Asleep on the table, its USB ports exposed, it could be hijacked in seconds by a malicious Raspberry Pi Zero called PoisonTap. No need for passwords, zero-days or million-dollar back doors — although a little social engineering to get me to leave the room might help.

    Kamkar’s latest project shows another chink in the armor of our computers’ security: In this case, it’s about briefly tricking the computer into thinking that the entire internet resides on the $5 barebones computer it first met a few seconds earlier.


  37. Tomi Engdahl says:

    PoisonTap Makes Raspberry Pi Zero Exploit Locked Computers

    PoisonTap – siphons cookies, exposes internal router & installs web backdoor on locked computers

  38. Tomi Engdahl says:

    MalDuino — Open Source BadUSB

    MalDuino is an Arduino-powered USB device which emulates a keyboard and has keystroke injection capabilities. It’s still in crowdfunding stage, but has already been fully backed, so we anticipate full production soon. In essence, it implements BadUSB attacks much like the widely known, having appeared on Mr. Robot, USB Rubber Ducky.

    It’s like an advanced version of HID tricks to drop malicious files which we previously reported. Once plugged in, MalDuino acts as a keyboard, executing previous configured key sequences at very fast speeds. This is mostly used by IT security professionals to hack into local computers, just by plugging in the unsuspicious USB ‘Pen’.


  39. Tomi Engdahl says:

    Good USB – Protecting Your Ports With Two Microcontrollers

    If you’ve ever needed an example of why you should not plug random USB peripherals into your computer, you need only look at BadUSB. The BadUSB attack relies on the fact that the microcontroller inside every USB device is a black box. If you plug a USB thumb drive into your computer, the microcontroller could quickly set up an additional network interface, forward all your traffic to the attacker’s server, and still keep serving up all those files and documents on the drive. Do you want a thumb drive that attaches a virus to every file? Bad USB can do that.

    Until now, there is no cure or fix for a device using an implementation of BadUSB. [Robert Fisk] just came up with the first prophylactic USB device, designed to keep BadUSB off your computer. He’s calling it USG, and it’s basically a hardware firewall for USB devices.

    The USG is Good, not Bad

    The USG is a firewall for your USB ports. It connects between your computer and an untrusted USB device, isolating the badness with an internal hardware firewall.

    Why should I use a USG?

    Say you just bought yourself a shiny new USB flash drive. You rip it out of the packaging and plug it straight into your computer. Oops, big mistake!

    Do you know who developed your flash drive’s firmware? (It’s probably not the company name printed on the packaging)
    Has the firmware been audited for backdoors and malicious functionality?
    Can you confirm that the firmware running on your drive hasn’t been maliciously modified during or after manufacture?

    Antivirus will not save you

    Antivirus scanners cannot detect BadUSB because there is no virus to detect. Malicious USB commands reach directly into your USB driver stack, bypassing file-based scanners.

  40. Tomi Engdahl says:

    The tool monitors your USB ports

    Plugging unknown USB sticks into a device’s ports can be very harmful, even fatal for the equipment. A tool written in Python has now been published on GitHub that monitors activity on the USB ports and reports unauthorized activity either as a text message or as a message to the Slack service.

    USB Canary tool was born as a hobby.

    Source: http://www.etn.fi/index.php/13-news/6117-tyokalu-valvoo-laitteesi-usb-portteja

    USB Canary Sends an SMS When Someone Tinkers with Your USB Ports

  41. Tomi Engdahl says:

    New “USB Canary” Keeps Close Watch on USB Ports

    New “USB Canary” Tool for Linux Monitors USB Ports 24/7

    A new open source tool can provide Linux users with the ability to receive an alert any time someone attempts to plug a device into one of their machine’s USB ports.

    Dubbed USB Canary, the tool uses pyudev to monitor USB devices and can be set to do so either at all times or only when the computer is locked. More importantly, the tool can be configured to alert users when someone is tampering with their USB ports. It can either send an SMS via the Twilio API, or send a Slack notification via an inbuilt Slack bot.


  42. Tomi Engdahl says:


    A Linux tool that uses pyudev to monitor devices while your computer is locked. In the case it detects someone plugging in or unplugging devices it can be configured to send you an SMS or alert you via Slack of the potential security breach.

  43. Tomi Engdahl says:

    Honeywell SMX Protects Industrial Sites From USB Threats

    Honeywell announced on Tuesday the launch of a new product designed to protect industrial facilities from USB-borne threats by providing a simple way for organizations to track the removable media devices connected to their systems.

    The new product, Secure Media Exchange (SMX), has two main components: an intelligence gateway and a piece of software installed on endpoints.

    When a contractor wants to use a USB drive in a protected organization, they need to check the device at the intelligence gateway, a touchscreen system that can reside at the physical front desk or another location where it can be easily accessed by visitors.

    Before entering the facility, users are prompted to complete a check-in procedure by connecting their USB drive to the gateway. The files stored on the drive are verified by Honeywell’s Advanced Threat Intelligence Exchange (ATIX) cloud service, which relies on both signatures and behavior analysis (i.e. running suspicious files in a special ICS sandbox) to identify known and zero-day threats.

    According to Honeywell, the check-in process typically takes as long as a regular malware scan, depending on the size of the drive and the number of files. The ATIX service checks for known good and known bad files to expedite the process, and the scan can also be sped up by quarantining all files except for the ones that need to be used.

    In order to prevent malware from entering an organization, suspicious files are quarantined inside a password-protected archive file. Administrators can also block specific file types from getting into the facility.

    When a contractor leaves the site, they will need to complete a check-out process at the SMX gateway. Failure to complete the process can result in the inability to access the files on the removable media device from a different computer. However, Honeywell says there are mechanisms in place to allow users to conduct the check-out process at a later time (e.g. a contractor could forget to complete the process when leaving an offshore platform via helicopter).

    In addition to giving the user access to his/her files, the check-out process is designed to scan the device once again for malware in an effort to identify any threats that may already be inside the plant.

  44. Tomi Engdahl says:

    Canary for USB Ports

    If you’re a paranoid system admin, [errbufferoverfl] has your back with software that keeps track of whenever someone plugs in or disconnects an USB-based device from a workstation.

    Christened USB Canary, [errbufferoverfl’s] tool is written in Python. However, even though Python is cross-platform, USB Canary only works on Linux currently. But, fret not: [errbufferoverfl] is already working on Windows and Mac versions.

    Primarily, USB Canary watches USB connectors for any activity and logs anything it sees. Moreover, when a USB device is plugged in or unplugged, USB Canary can alert the owner of the workstation via an SMS message courtesy of the Twilio API, post a message in a Slack channel or even make a noise to alert a nearby sysadmin. Additionally, USB Canary can be configured to only run when the workstation is locked (if you’re not completely paranoid).
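The comments above (40, 41, 42 and 44) describe what USB Canary does; the block below is an added example of the same idea, written here and not taken from [errbufferoverfl]’s project. It separates the decision logic (which events deserve an alert, and how severe they are) from the pyudev loop, so the decision code can be replayed against constructed events on any machine. The live loop assumes a Linux host with pyudev installed; the `is_locked` and `notify` callables are assumptions standing in for a screensaver query and an SMS or Slack sender, and the vendor/product/serial values in the demo are constructed.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Set


@dataclass(frozen=True)
class UsbEvent:
    action: str       # udev action: "add" or "remove"
    vendor_id: str    # udev ID_VENDOR_ID, e.g. "046d"
    product_id: str   # udev ID_MODEL_ID
    serial: str       # udev ID_SERIAL_SHORT, may be empty
    interfaces: str   # udev ID_USB_INTERFACES, e.g. ":080650:" (class/subclass/protocol)
    ts: float


@dataclass
class CanaryPolicy:
    only_when_locked: bool = True                          # USB Canary's "only while locked" mode
    known_serials: Set[str] = field(default_factory=set)   # serials of your own devices


# USB interface class codes that matter for the attacks discussed in this thread.
CLASS_NAMES = {
    0x02: "CDC (network/serial)",
    0x03: "HID (keyboard/mouse)",
    0x08: "mass storage",
    0xE0: "wireless controller",
}


def describe_interfaces(id_usb_interfaces: str) -> List[str]:
    """Decode udev's ID_USB_INTERFACES string into readable class names.

    The property looks like ":030101:080650:"; each six-hex-digit group is
    bInterfaceClass, bInterfaceSubClass, bInterfaceProtocol."""
    names = []
    for triplet in id_usb_interfaces.split(":"):
        if len(triplet) != 6:
            continue
        cls = int(triplet[:2], 16)
        names.append(CLASS_NAMES.get(cls, f"class 0x{cls:02x}"))
    return names


class UsbCanary:
    def __init__(self, policy: CanaryPolicy,
                 notify: Callable[[str], None],
                 is_locked: Callable[[], bool]) -> None:
        self.policy = policy
        self.notify = notify          # SMS/Slack sender in real use; print() in the demo
        self.is_locked = is_locked    # e.g. ask the screensaver over D-Bus (assumed)
        self.log: List[str] = []

    def handle(self, ev: UsbEvent) -> Optional[str]:
        """Log every event; return the alert text if one was sent, else None."""
        kinds = describe_interfaces(ev.interfaces)
        line = (f"{ev.ts:.0f} {ev.action} {ev.vendor_id}:{ev.product_id} "
                f"sn={ev.serial or '?'} [{', '.join(kinds)}]")
        self.log.append(line)

        if self.policy.only_when_locked and not self.is_locked():
            return None
        if ev.serial and ev.serial in self.policy.known_serials:
            return None
        # A keyboard or network interface appearing on a locked machine is the
        # keystroke-injection / PoisonTap pattern, so rate it higher than storage.
        severity = "HIGH" if any(k.startswith(("HID", "CDC")) for k in kinds) else "medium"
        alert = f"[{severity}] USB {ev.action} while locked: {line}"
        self.notify(alert)
        return alert


def run_live(canary: UsbCanary) -> None:
    """Blocking udev event loop (Linux + pyudev only; not used by the demo)."""
    import pyudev  # imported here so the decision logic above runs without it
    context = pyudev.Context()
    monitor = pyudev.Monitor.from_netlink(context)
    monitor.filter_by(subsystem="usb", device_type="usb_device")
    for device in iter(monitor.poll, None):
        canary.handle(UsbEvent(
            action=device.action,
            vendor_id=device.get("ID_VENDOR_ID", ""),
            product_id=device.get("ID_MODEL_ID", ""),
            serial=device.get("ID_SERIAL_SHORT", ""),
            interfaces=device.get("ID_USB_INTERFACES", ""),
            ts=time.time(),
        ))


def demo() -> List[Optional[str]]:
    """Constructed events replayed against a canary whose screen is locked."""
    policy = CanaryPolicy(known_serials={"MYKBD001"})
    canary = UsbCanary(policy, notify=print, is_locked=lambda: True)
    return [canary.handle(e) for e in (
        UsbEvent("add", "046d", "c31c", "MYKBD001", ":030101:030102:", 1.0),  # own keyboard (constructed)
        UsbEvent("add", "0781", "5567", "4C530001", ":080650:", 2.0),          # unknown flash drive
        UsbEvent("add", "1d6b", "0104", "", ":020600:0a0000:", 3.0),           # USB Ethernet gadget
        UsbEvent("remove", "0781", "5567", "4C530001", ":080650:", 4.0),       # drive pulled again
    )]


if __name__ == "__main__":
    demo()
```

Everything is logged regardless of lock state, which is what makes the tool useful after the fact; only the alert path is gated by the policy. Filtering on `device_type="usb_device"` keeps the loop to one event per physical device instead of one per interface.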


  45. Tomi Engdahl says:

    This Device Works as a Firewall for Your USB Ports

    The USG is an USB attachment that allows users to connect USB flash drives and other USB devices to their computer without any of the risks.

    Attacks like BadUSB have shown how a rogue device can mimic a benign USB interface, but secretly send malicious low-level commands and take over a computer via its USB port.
    USG works like a firewall for USB connections

    USG, created by New Zealander Robert Fisk, works as an intermediary between the computer and the USB device (flash drive, USB keyboard, USB mouse) and behaves similar to a firewall, inspecting the data that passes through it.

    USG, which runs on custom firmware, only lets data pass, ignoring any kind of low-level interactions between the USB device and computer.

    Furthermore, USG protection goes both ways, meaning you can use USG to protect USB flash drives when connecting to unknown computers.

    USG drawbacks

    Of course, this has its drawbacks. A lot of the noise traffic on USB devices is the firmware negotiating connections and improving data transfer speeds. These things are not included in USG, as they are the attack vectors for BadUSB.

    As such, the recently released USG v1.0 only supports a data transfer speed of up to 1 MB/s, much inferior to commercial USB devices that work in the range of tens of MB/s.

    In addition, USG only supports USB mass storage (flash drives), keyboards, and mice, but Fisk promises to add support for other types of USB devices in the future.

    People can buy or make their own USG

    Fisk says that anyone can make their own USG devices using off-the-shelf development boards, but if they don’t have the skills, he’s also selling USG devices for around $60 + shipping.

    “My reputation hinges on the integrity of this project,” Fisk explains. “This includes the integrity of the hardware I am offering for sale. This is why I will never outsource the manufacture of USG hardware to another country.”

    “The USG is assembled in New Zealand under my direct supervision, and the firmware is programmed from a secure device by yours truly,” the developer adds. “USG devices delivered by post have tamper-evident seals placed around the case, so any attempt to reprogram the firmware is visible.”

    The only downside to USG (by design) is that it doesn’t distinguish between good data and bad data. Malware stored on an USB flash drive can pass through USG without any warnings since the malware is just a random blob of data to USG. For malware attacks, you’ll have to rely on an antivirus.
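Comment 31 makes the point that one USB device class can quietly turn into another, and comments 39 and 45 describe how the USG answers that by only re-presenting a small set of device types to the host. The following added example, which is not code from Robert Fisk’s USG firmware, shows the descriptor-level check behind that idea: it parses a USB configuration descriptor, lists the interfaces the device claims, and applies an allow-list policy that rejects unknown classes and any composite device mixing classes (a flash drive that also enumerates a keyboard, or a storage device that also brings up a network interface). The allow-list is an assumption modelled on the three device types the article says USG v1.0 supports, and the sample descriptors are constructed inline.

```python
import struct
from typing import List, Tuple

Interface = Tuple[int, int, int]   # (bInterfaceClass, bInterfaceSubClass, bInterfaceProtocol)

DESC_CONFIG, DESC_INTERFACE, DESC_ENDPOINT, DESC_HID = 0x02, 0x04, 0x05, 0x21

# What a USG-style proxy is willing to re-present to the host (assumption,
# modelled on the storage / keyboard / mouse support the article describes).
ALLOWED_INTERFACES = {
    (0x08, 0x06, 0x50): "mass storage (SCSI, bulk-only)",
    (0x03, 0x01, 0x01): "HID boot keyboard",
    (0x03, 0x01, 0x02): "HID boot mouse",
}


def parse_config_descriptor(data: bytes) -> List[Interface]:
    """Walk a USB configuration descriptor and return the interfaces it declares.

    Every sub-descriptor begins with bLength, bDescriptorType, so the walk only
    needs those two bytes to advance. Malformed lengths are rejected, not
    skipped: a hostile device can use them to confuse a host's parser."""
    if len(data) < 9 or data[1] != DESC_CONFIG:
        raise ValueError("not a configuration descriptor")
    total_len = struct.unpack_from("<H", data, 2)[0]
    if total_len != len(data):
        raise ValueError(f"wTotalLength {total_len} != {len(data)} bytes received")
    declared = data[4]                      # bNumInterfaces
    interfaces: List[Interface] = []
    offset = data[0]
    while offset < len(data):
        blen = data[offset]
        if blen < 2 or offset + blen > len(data):
            raise ValueError(f"bad bLength {blen} at offset {offset}")
        if data[offset + 1] == DESC_INTERFACE:
            if blen < 9:
                raise ValueError("short interface descriptor")
            if data[offset + 3] == 0:       # bAlternateSetting 0: count each interface once
                interfaces.append((data[offset + 5], data[offset + 6], data[offset + 7]))
        offset += blen
    if len(interfaces) != declared:
        raise ValueError(f"bNumInterfaces {declared} but found {len(interfaces)}")
    return interfaces


def usg_policy(interfaces: List[Interface]) -> Tuple[bool, str]:
    """Accept only single-purpose devices built from allow-listed interfaces."""
    if not interfaces:
        return False, "no interfaces"
    for iface in interfaces:
        if iface not in ALLOWED_INTERFACES:
            cls, sub, proto = iface
            return False, f"interface class {cls:02x}/{sub:02x}/{proto:02x} not allowed"
    if len({cls for cls, _, _ in interfaces}) > 1:
        return False, "composite device mixing classes: " + ", ".join(
            ALLOWED_INTERFACES[i] for i in interfaces)
    return True, ALLOWED_INTERFACES[interfaces[0]]


# Constructed descriptors for the demo (field layout follows the USB 2.0 spec).
def _interface(num: int, cls: int, sub: int, proto: int, n_ep: int) -> bytes:
    return struct.pack("<BBBBBBBBB", 9, DESC_INTERFACE, num, 0, n_ep, cls, sub, proto, 0)

def _endpoint(addr: int, attrs: int, size: int, interval: int) -> bytes:
    return struct.pack("<BBBBHB", 7, DESC_ENDPOINT, addr, attrs, size, interval)

def _hid_descriptor(report_len: int) -> bytes:
    return struct.pack("<BBHBBBH", 9, DESC_HID, 0x0111, 0, 1, 0x22, report_len)

def _config(body: bytes, n_ifaces: int) -> bytes:
    return struct.pack("<BBHBBBBB", 9, DESC_CONFIG, 9 + len(body), n_ifaces, 1, 0, 0x80, 50) + body

_STORAGE = _interface(0, 0x08, 0x06, 0x50, 2) + _endpoint(0x81, 0x02, 512, 0) + _endpoint(0x02, 0x02, 512, 0)

FLASH_DRIVE = _config(_STORAGE, 1)
# storage plus a keyboard interface: the "flash drive that types" BadUSB shape
BADUSB_DRIVE = _config(
    _STORAGE + _interface(1, 0x03, 0x01, 0x01, 1) + _hid_descriptor(63) + _endpoint(0x83, 0x03, 8, 10), 2)
# CDC Ethernet control + data interfaces: the PoisonTap-style network device
USB_ETHERNET = _config(
    _interface(0, 0x02, 0x06, 0x00, 1) + _endpoint(0x81, 0x03, 16, 16)
    + _interface(1, 0x0A, 0x00, 0x00, 2) + _endpoint(0x82, 0x02, 512, 0) + _endpoint(0x03, 0x02, 512, 0), 2)


def evaluate(descriptor: bytes) -> Tuple[bool, str]:
    return usg_policy(parse_config_descriptor(descriptor))


if __name__ == "__main__":
    for name, desc in (("flash drive", FLASH_DRIVE), ("badusb", BADUSB_DRIVE), ("usb ethernet", USB_ETHERNET)):
        print(f"{name}: {evaluate(desc)}")
```

This is the enumeration-time half of what a USG does; it says nothing about the bytes a permitted storage device later carries, which is exactly the limitation the article ends on. Rejecting a whole device for a single mismatched interface is deliberate: a device that claims an unknown class is not one whose other interfaces you want to trust.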

