At Black Hat USA 2014, Karsten Nohl and Jakob Lell of SRLabs demonstrated a serious problem in how many USB devices are implemented. USB peripherals run their own microcontroller and firmware to talk to the host they are plugged into, and the trouble starts when that firmware is replaced with malicious code. Windows, Mac OS X and Linux are all affected, because the weakness lies in the USB devices themselves rather than in the host operating system.
YouTube Presentation: “BadUSB – On Accessories that Turn Evil” https://youtu.be/nuruzFqMgIw
From the anti-malware perspective, the problem is that the firmware of a USB peripheral can be overwritten by parties other than the manufacturer without the user making any physical change to the device (e.g. flipping a switch on it). Unfortunately, the researchers showed that for many common USB thumb drives, software running on the connected host can rewrite the firmware with code not from the manufacturer, with no physical interaction at all. In effect, this means malware can rewrite USB thumb drive firmware.
The researchers demonstrated several ways malicious firmware can propagate like a worm once it has taken over a device. For example, the peripheral can change its device type at any time and re-enumerate as a keyboard, then type a sequence of keystrokes that downloads and installs malware on the host. Alternatively, it can present itself as a USB network adapter and answer DHCP requests with a malicious DNS server while letting Internet traffic continue to flow through the normal adapter; from that man-in-the-middle position it can steal credentials from the user's browser sessions and infect binaries while they are being downloaded.
As the researchers pointed out, the solution to the USB peripherals problem lies primarily with the device manufacturers, who should make USB devices secure by default by either shipping firmware that cannot be rewritten from the host at all or accepting only digitally signed firmware updates.
These defenses would largely prevent the worm-like propagation of firmware-rewriting malware through USB peripherals.
If enterprise users require USB thumb drives, they should look into upgrading to models with non-writable firmware or models that accept only digitally signed firmware updates. Mass storage devices are among the most important USB peripherals to secure because they are routinely plugged into many machines over their lifetime, which is exactly the behaviour a worm needs.
Employees should be careful about connecting their phones to enterprise computers by USB (e.g. to charge them), and connecting enterprise phones to personal computers should be avoided to reduce the risk of infection; a charge-only cable or USB data blocker, which leaves the data lines unconnected, removes that risk for charging. Smartphones running outdated operating systems are particularly susceptible to an infection that could then carry out USB attacks against the computers they are connected to.
Enterprises with highly sensitive data may need to evaluate the firmware update process for every peripheral they currently use or are purchasing. Depending on the type of data the organization holds, the country of manufacture and the distribution path of the devices may also need to be considered.
Enterprise security software needs to start investing in protecting computers from malicious USB peripherals. Host software could, for example, refuse to let a peripheral change device type after it has been authorized, or detect keystroke sequences that are deemed malicious or that arrive too quickly to be typed by a human.
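The keystroke-timing check described above, as an added example that is not code from the original article: it scans a stream of key-press timestamps for long runs whose inter-key gaps are shorter than a human can sustain, and reports what was typed in each burst and whether it ended in ENTER. The 40 ms gap threshold, the eight-gap minimum run length and the sample input are assumptions constructed for the example.

```python
"""Detect bursts of keystrokes arriving too fast to be human-typed.

Added example, not code from the original article. Thresholds are assumptions
chosen for illustration; tune them against real keyboard telemetry.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class KeyEvent:
    t_ms: float   # arrival time of the key press, in milliseconds
    key: str      # printable character, or "ENTER" for a carriage return


MIN_HUMAN_GAP_MS = 40.0  # assumption: a human does not sustain gaps shorter than this
MIN_RUN_GAPS = 8         # assumption: this many consecutive fast gaps counts as a burst


def find_bursts(events: List[KeyEvent],
                min_gap_ms: float = MIN_HUMAN_GAP_MS,
                min_run_gaps: int = MIN_RUN_GAPS) -> List[Tuple[int, int]]:
    """Return (first_index, last_index) of every run of key presses in which
    every inter-key gap is shorter than min_gap_ms and the run spans at least
    min_run_gaps gaps. Short fast runs (a double-tap) are ignored."""
    bursts: List[Tuple[int, int]] = []
    run_start = None
    for i in range(1, len(events)):
        gap = events[i].t_ms - events[i - 1].t_ms
        if gap < min_gap_ms:
            if run_start is None:
                run_start = i - 1
            continue
        if run_start is not None and (i - 1) - run_start >= min_run_gaps:
            bursts.append((run_start, i - 1))
        run_start = None
    if run_start is not None and (len(events) - 1) - run_start >= min_run_gaps:
        bursts.append((run_start, len(events) - 1))
    return bursts


def burst_text(events: List[KeyEvent], burst: Tuple[int, int]) -> str:
    """Reconstruct the text typed during a burst (ENTER rendered as newline)."""
    first, last = burst
    return "".join("\n" if e.key == "ENTER" else e.key for e in events[first:last + 1])


def assess(events: List[KeyEvent]) -> List[Dict[str, object]]:
    """Summarise each burst: when it started, how many keys, the sustained rate,
    what was typed, and whether an ENTER was sent, i.e. whether the injected
    text was handed to a shell or dialog for execution."""
    findings: List[Dict[str, object]] = []
    for burst in find_bursts(events):
        first, last = burst
        text = burst_text(events, burst)
        duration = events[last].t_ms - events[first].t_ms
        findings.append({
            "start_ms": events[first].t_ms,
            "keys": last - first + 1,
            "keys_per_second": (last - first) * 1000.0 / duration if duration else float("inf"),
            "text": text,
            "executed": "\n" in text,
        })
    return findings


def synth_events(start_ms: float, text: str, gap_ms: float) -> List[KeyEvent]:
    """Constructed input: text typed with a constant inter-key gap."""
    return [KeyEvent(start_ms + i * gap_ms, "ENTER" if c == "\n" else c)
            for i, c in enumerate(text)]


# Constructed sample: a human typing at 150 ms per key, then a 2 ms-per-key
# burst from a keyboard-emulating device that finishes with ENTER.
SAMPLE = synth_events(0, "hello world", 150) + synth_events(5000, "echo injected > demo.txt\n", 2)

if __name__ == "__main__":
    for finding in assess(SAMPLE):
        print(finding)
```

Legitimate software also injects fast keystrokes (password managers, barcode scanners that present as HID keyboards, clipboard tools), so in practice the timing signal is combined with the device's identity and with its behaviour in the first seconds after enumeration rather than used on its own.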
Similarly, hardware security USB hubs could be built to enforce device types per port and prevent firmware rewriting, analogous to a traditional network firewall: the port each device is plugged into would define the device classes that peripheral is allowed to present. Although this sacrifices the plug-anything-anywhere convenience of USB, it partially mitigates the risk by preventing peripherals from arbitrarily changing their type.
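The per-port policy idea above, reduced to its core decision as an added example (not code from the original article or from any product it mentions): each physical port is mapped to the USB interface classes allowed on it, every device is checked against the classes it actually enumerates with, and a device that drops off the bus and returns with a different interface set is blocked outright. The port names, vendor/product IDs and policy table are constructed for the example; the class codes are the real USB-IF interface class codes.

```python
"""Per-port USB interface-class policy (added example, not the article's code).

Port names, vendor/product IDs and the policy table are constructed for the
example; the class codes are the real USB-IF interface class codes.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

CDC_CONTROL = 0x02   # communications control, e.g. a USB Ethernet adapter
HID = 0x03           # keyboards and mice
MASS_STORAGE = 0x08  # thumb drives
CDC_DATA = 0x0A      # data interface of a USB Ethernet adapter

CLASS_NAMES = {CDC_CONTROL: "CDC control", HID: "HID",
               MASS_STORAGE: "mass storage", CDC_DATA: "CDC data"}


@dataclass(frozen=True)
class UsbDevice:
    port: str                          # physical port path, Linux sysfs style such as "1-1"
    vid: int
    pid: int
    interface_classes: FrozenSet[int]  # class of every interface in the active configuration


Policy = Dict[str, FrozenSet[int]]    # port -> interface classes allowed on that port


def evaluate(policy: Policy, dev: UsbDevice) -> Tuple[bool, str]:
    """Allow the device only if every interface it declares is permitted on its port.
    A thumb drive that also enumerates a HID interface, or a 'drive' that shows up
    as a network adapter, is rejected here before the host binds a driver."""
    allowed = policy.get(dev.port)
    ident = f"{dev.vid:04x}:{dev.pid:04x} on port {dev.port}"
    if allowed is None:
        return False, f"{ident}: no policy for this port, default deny"
    extra = dev.interface_classes - allowed
    if extra:
        names = ", ".join(CLASS_NAMES.get(c, f"class 0x{c:02x}") for c in sorted(extra))
        return False, f"{ident}: declares {names}, not permitted on this port"
    return True, f"{ident}: within policy"


def evaluate_reenumeration(policy: Policy, previous: UsbDevice,
                           current: UsbDevice) -> Tuple[bool, str]:
    """A device that drops off the bus and comes back with a different set of
    interfaces is the BadUSB pattern; block it even if the new set is allowed."""
    if current.interface_classes != previous.interface_classes:
        before = sorted(previous.interface_classes)
        after = sorted(current.interface_classes)
        return False, f"port {current.port}: interface set changed from {before} to {after}, blocked"
    return evaluate(policy, current)


def audit(policy: Policy, devices: List[UsbDevice]) -> List[Tuple[bool, str]]:
    """Apply the policy to every device currently on the bus."""
    return [evaluate(policy, d) for d in devices]


# Constructed policy: port 1-1 is a storage-only port, 1-2 is the keyboard port.
POLICY: Policy = {"1-1": frozenset({MASS_STORAGE}), "1-2": frozenset({HID})}

# Constructed devices (vendor/product IDs are placeholders, not real products).
CLEAN_DRIVE = UsbDevice("1-1", 0x1234, 0x0001, frozenset({MASS_STORAGE}))
BADUSB_DRIVE = UsbDevice("1-1", 0x1234, 0x0001, frozenset({MASS_STORAGE, HID}))
FAKE_NIC = UsbDevice("1-1", 0x1234, 0x0002, frozenset({CDC_CONTROL, CDC_DATA}))
KEYBOARD = UsbDevice("1-2", 0x1234, 0x0003, frozenset({HID}))

if __name__ == "__main__":
    for ok, why in audit(POLICY, [CLEAN_DRIVE, BADUSB_DRIVE, FAKE_NIC, KEYBOARD]):
        print("ALLOW" if ok else "BLOCK", why)
    # The clean drive later re-enumerates as a keyboard on the same port.
    print(evaluate_reenumeration(POLICY, CLEAN_DRIVE,
                                 UsbDevice("1-1", 0x1234, 0x0001, frozenset({HID}))))
```

On Linux, USBGuard enforces rules of this shape in software through its `with-interface` attribute; a hardware hub would apply the same decision before the host ever sees the device's descriptors.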
In conclusion, the enterprise security surrounding USB devices is heading towards an overhaul. The process may be painful, but it is necessary.
The SPYRUS Windows To Go Live Drive safeguards the integrity of the operating environment even when booted on compromised systems. The SPYRUS ToughBoot™ loader, digitally signed by Microsoft, mitigates attacks during the boot sequence when used with the UEFI Secure Boot available on newer computers. If any tampering with, or malfunction of, the hardware or firmware is detected, the boot process will not continue.