The billions of USB ports in use in PCs are vulnerable to a new attack – which can undetectably install malware, steal data and seize control of machines.
Almost all desktop and laptop computers can be taken over and stripped of data via malicious devices inserted into the USB port – a technique which bypasses all current security measures, and is described as “almost like a magic trick” by Karsten Nohl of Berlin’s SR Labs.
By inserting a control chip into a device’s USB connector (for example, by plugging in a modified keyboard) an attacker could gain complete control of a machine, spy on a user using malware, and steal data. No current security measures could even detect the attack – which Wired described as having the potential to cause an “epidemic.”
Gizmodo reports that Nohl’s team wrote malware, titled BadUSB, specifically for the attack: “It can be installed on a USB device to completely take over a PC, invisibly alter files installed from the memory stick, or even redirect the user’s internet traffic.”
Ever since the Nineties, the various evolutions of USB ports have become ubiquitous – used in almost every laptop and desktop, and relied on to connect gadgets such as phones and cameras to other machines. Billions of the ports are shipped each year. Current PC security measures do not scan the firmware of the devices – allowing for this new attack.
“You cannot tell where the virus came from. It is almost like a magic trick,” Nohl told Reuters.
Malware is ‘like a magic trick’
The attack is possible because current security measures do not inspect the firmware of the devices connected to a computer – at most (in some cases, such as USB sticks) they scan the software programs stored on them. The problem, Karsten Nohl of SR Labs says, is that the controller chips used inside USB devices can be spoofed – ‘fooling’ a computer into believing that, for instance, a USB drive is connecting, and thus it is OK to move data.
Nohl’s team experimented with different devices, and found that malware inserted via such devices could compromise machines entirely, or inject malware.
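A defender-side check for the device-type spoofing described above, as an added example that is not from the article or from SR Labs: it parses a raw USB configuration descriptor and reports any interface outside what a device's role allows (for a memory stick, anything other than mass storage). The descriptors are constructed sample data and the function names are hypothetical.

```python
# Added example: descriptors are constructed; helper names are hypothetical.
CLASS_NAMES = {0x02: "CDC (network/serial)", 0x03: "HID (keyboard/mouse)",
               0x08: "mass storage"}

def interface_classes(config_desc: bytes):
    """Walk a raw USB configuration descriptor and return
    (bInterfaceClass, bInterfaceSubClass, bInterfaceProtocol) per interface."""
    found, i = [], 0
    while i < len(config_desc):
        if i + 2 > len(config_desc):
            raise ValueError("truncated descriptor header")
        length, dtype = config_desc[i], config_desc[i + 1]
        if length < 2 or i + length > len(config_desc):
            raise ValueError(f"malformed descriptor at offset {i}")
        if dtype == 0x04:                      # interface descriptor
            if length < 9:
                raise ValueError(f"short interface descriptor at offset {i}")
            found.append(tuple(config_desc[i + 5:i + 8]))
        i += length                            # skip endpoint/HID/other types
    return found

def unexpected_interfaces(config_desc: bytes, allowed: set):
    """Interfaces whose class falls outside the set the device's role allows."""
    return [(c, s, p, CLASS_NAMES.get(c, "other"))
            for c, s, p in interface_classes(config_desc) if c not in allowed]

def build_config(body: bytes, n_if: int) -> bytes:
    """Prepend a 9-byte configuration descriptor header to the sample body."""
    total = 9 + len(body)
    return bytes([9, 2, total & 0xFF, total >> 8, n_if, 1, 0, 0x80, 50]) + body

# Constructed samples: a mass-storage interface with two bulk endpoints, and
# a boot-keyboard HID interface with its HID descriptor and one endpoint.
MSC_IF = bytes.fromhex("090400000208065000" "07058102000200" "07050202000200")
HID_IF = bytes.fromhex("090401000103010100" "092111010001223f00" "0705830308000a")
PLAIN_STICK = build_config(MSC_IF, 1)
REPROGRAMMED_STICK = build_config(MSC_IF + HID_IF, 2)

if __name__ == "__main__":
    for name, desc in (("plain", PLAIN_STICK), ("reprogrammed", REPROGRAMMED_STICK)):
        print(name, unexpected_interfaces(desc, allowed={0x08}))
```

This only compares the interfaces a device declares against its expected role; it does not inspect firmware, and a modified keyboard that announces itself as a keyboard passes the check.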
The researcher is to present his findings at the Black Hat security conference in Las Vegas. ESET Senior Research Fellow David Harley points out that, as yet, no such devices are known to be ‘in the wild’. Nohl, however, said he would be unsurprised to find out that intelligence agencies knew of the technique.
“No cause for panic, as far as I can tell from the information I have so far,” Harley says. “It’s not as though your 10-year-old thumb drive will suddenly be infected by Stuxnet, at any rate via this vector. Of course, lots of malware does propagate through USB and other removable media, but that’s just because they are media capable of carrying executable code. It’s not as though USB devices routinely get their firmware flashed when connected to a computer.”
USB malware – storm in a port
Problems would only arise if attackers were able to insert malicious devices into the supply chain – or a malicious insider substituted such devices for office equipment.
“It’s really a supply chain issue: in principle, any hardware (or software supplied with it, as in the case of the Energizer DUO USB battery charger fuss a few years back) might be compromised at source.”
Nohl says, “USB has become so commonplace that we rarely worry about its security implications. USB sticks undergo the occasional virus scan, but we consider USB to be otherwise perfectly safe — until now. USB sticks, as an example, can be reprogrammed to spoof various other device types in order to take control of a computer, exfiltrate data, or spy on the user.”
Wired Magazine’s Threat Level blog described USB as “fundamentally broken” and suggested that devices based on Nohl’s technique could cause “an epidemic.”
The blog wrote, “The security problems with USB devices run deeper than you think: Their risk isn’t just in what they carry, it’s built into the core of how they work.”