Communications
Bad USB... New Security Fears on the Use of USB Devices
by Ross Hendry
During the past twenty years USB devices have revolutionised the connectivity between personal computers and a plethora of other equipment. Of course the USB memory stick has replaced the floppy disk as the medium for the temporary storage and transport of our data too. Almost any computer peripheral, from storage and input gadgets to health care devices, can connect over this ubiquitous technology. And many more device classes connect over USB to charge their batteries.
The ability of USB devices to store data and interconnect devices is controlled by embedded control programs called firmware. This enables the USB devices to function, defining their class and tasks and giving them their enormous flexibility and connectivity. Recent extensive research by two specialist researchers for the security consultancy SR Labs, Karsten Nohl and Jakob Lell, has discovered that the firmware on USB devices could carry malicious programs such as viruses, trojans and other more sinister malware.
Further, this code is probably undetectable at present, and it is quite possible for it to be uploaded to your device whenever it is connected to another. Until reading this news article I thought, as most did, that carefully protecting my USB memory sticks, photo cards etc. and scanning them regularly would prevent the spreading of malware. This research has shown that ALL USB devices are capable of carrying and propagating malware, even a simple keyboard or mouse, camera or scanner.
The security implications are quite alarming, considering that we freely exchange USB memory, in the form of sticks/dongles and photo cards, with one another. In the future I am certainly going to be far more careful with whom I exchange USB devices.
Firmware is simply a program and this means that these devices may be reprogrammed. Here lies the problem: by reprogramming a USB device, unscrupulous people can turn one USB type into another, possibly a malicious one. Nohl and Lell have called this ‘BadUSB’.
In fact, there is no defence for the BadUSB problem at present, simply because anti-malware scanners cannot access the firmware area of a USB device. I am certain that this will be addressed very soon by the Security Industry.
Once the device has been reprogrammed it can be turned into an active malicious device, so a simple beneficial device may be turned bad in many ways:
1. A modified USB memory stick or external hard disk can, when it detects that the PC is starting up, install a small virus that infects the computer’s operating system before the boot-up process has completed, turning your computer into a potential slave to the malicious author’s will.
2. The USB device could emulate a network card and change the computer’s settings to redirect all internet traffic, for example to the malware writer’s PC, to log your keystrokes, steal your data or identity etc.
3. The device could be used to install code on your PC that could infect any USB device connected and turn that into a malicious device, to onward infect others; who knows where it could end.
This information was released in Las Vegas at the annual Black Hat security conference in the first week of August 2014. This means that there is currently no defence that has been created for the problem. Anti-virus/anti-malware programs cannot access the firmware on USB devices. Firewall software has not been designed for blocking this type of threat.
The USB working party, the group responsible for USB standards, has not yet commented on the issue raised by Nohl and Lell, save to say that USB manufacturers control the security of their devices. Current specifications do allow for additional security, so it may be possible to reduce the threat in the future.
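A scanner cannot read the firmware, but a host can still compare the interface classes a device announces with what that device is supposed to be, which is where a memory stick posing as a keyboard or network card shows up. The sketch below is an added example, not code from the article or from SR Labs; the device records are constructed and the allow-list is an assumed policy (on Linux the announced classes appear as bInterfaceClass under /sys/bus/usb/devices).

```python
# Added example: every device record below is constructed sample data.
# Interface class codes (bInterfaceClass) as assigned by the USB-IF.
USB_CLASS = {
    0x02: "communications/network", 0x03: "HID (keyboard/mouse)",
    0x06: "still image", 0x07: "printer", 0x08: "mass storage",
    0x0A: "CDC data (network)", 0xE0: "wireless controller",
}
# Assumed allow-list: the classes each kind of device is expected to announce.
EXPECTED = {
    "memory stick": {0x08},
    "keyboard": {0x03},
    "camera": {0x06, 0x08},
}
# Classes that let a device type commands or carry network traffic.
HIGH_RISK = {0x02, 0x03, 0x0A, 0xE0}

def audit(device):
    """Return findings for one device: classes announced beyond its allow-list."""
    allowed = EXPECTED.get(device["kind"])
    if allowed is None:
        return [f"{device['name']}: kind '{device['kind']}' is not on the allow-list"]
    findings = []
    for cls in sorted(set(device["interfaces"]) - allowed):
        label = USB_CLASS.get(cls, f"class 0x{cls:02x}")
        level = "HIGH" if cls in HIGH_RISK else "review"
        findings.append(f"{device['name']}: unexpected {label} interface [{level}]")
    return findings

def audit_all(devices):
    """Map device name -> findings, omitting devices with nothing to report."""
    return {d["name"]: f for d in devices if (f := audit(d))}

SAMPLE_DEVICES = [  # constructed
    {"name": "Stick A", "kind": "memory stick", "interfaces": [0x08]},
    {"name": "Stick B", "kind": "memory stick", "interfaces": [0x08, 0x03]},
    {"name": "Camera", "kind": "camera", "interfaces": [0x06]},
    {"name": "Keyboard", "kind": "keyboard", "interfaces": [0x03, 0x02, 0x0A]},
    {"name": "Gadget", "kind": "charger", "interfaces": [0xFF]},
]

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_DEVICES).items():
        for line in findings:
            print(line)
```

A device reprogrammed to misbehave within its own class passes this check, so it narrows the problem described above rather than solving it.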
The best defence against this potential threat is to control the use of USB devices on your electrical devices, from your PC to your SatNav, including your mobile telephone and digital camera. Think before using any USB device: do you know and trust the source? Here are my guidelines for safety:
Simply do not plug in a USB device you are not 100% sure of.
Do not exchange USB devices unless you trust the source/recipient.
Only purchase USB devices from trusted sources.
If you suspect a USB device, do not use it.
Watch out for your children’s use of USB devices, including games.
I am confident we will hear much more about this problem; let’s hope it is the AV industry advising us that they have a solution!
Ross Hendry is the proprietor of Interface Consulting and Engineering, who has over 42 years’ experience in Communications, Computer Technology and Direct Marketing.
The Deux-Sèvres Monthly | 41