THE UNPATCHABLE MALWARE THAT INFECTS USBS IS NOW ON THE LOOSE
THE UNPATCHABLE MALWARE THAT INFECTS USBS IS NOW ON THE LOOSE
IT'S BEEN JUST two months since researcher Karsten Nohl demonstrated an attack he called BadUSB to a standing-room-only crowd at the Black Hat security conference in Las Vegas, showing that it's possible to corrupt any USB device with insidious, undetectable malware. Given the severity of that security problem—and the lack of any easy patch—Nohl has held back on releasing the code he used to pull off the attack. But at least two of Nohl's fellow researchers aren't waiting any longer.
In a talk at the Derbycon hacker conference in Louisville, Kentucky last week, researchers Adam Caudill and Brandon Wilson showed that they've reverse engineered the same USB firmware as Nohl's SR Labs, reproducing some of Nohl's BadUSB tricks. And unlike Nohl, the hacker pair has also published the code for those attacks on Github, raising the stakes for USB makers to either fix the problem or leave hundreds of millions of users vulnerable.
"The belief we have is that all of this should be public. It shouldn't be held back. So we're releasing everything we've got," Caudill told the Derbycon audience on Friday. "This was largely inspired by the fact that [SR Labs] didn't release their material. If you're going to prove that there's a flaw, you need to release the material so people can defend against it."
More Threat Level:Why the Security of USB Is Fundamentally BrokenCops Are Handing Out Spyware to Parents—With Zero OversightThe $1,200 Machine That Lets Anyone Make a Metal Gun at HomeThe two independent security researchers, who declined to name their employer, say that publicly releasing the USB attack code will allow penetration testers to use the technique, all the better to prove to their clients that USBs are nearly impossible to secure in their current form. And they also argue that making a working exploit available is the only way to pressure USB makers to change the tiny devices' fundamentally broken security scheme.
"If this is going to get fixed, it needs to be more than just a talk at Black Hat," Caudill told WIRED in a followup interview. He argues that the USB trick was likely already available to highly resourced government intelligence agencies like the NSA, who may already be using it in secret. "If the only people who can do this are those with significant budgets, the manufacturers will never do anything about it," he says. "You have to prove to the world that it’s practical, that anyone can do it...That puts pressure on the manufactures to fix the real issue."
Like Nohl, Caudill and Wilson reverse engineered the firmware of USB microcontrollers sold by the Taiwanese firm Phison, one of the world's top USB makers. Then they reprogrammed that firmware to perform disturbing attacks: In one case, they showed that the infected USB can impersonate a keyboard to type any keystrokes the attacker chooses on the victim's machine. Because it affects the firmware of the USB's microcontroller, that attack program would be stored in the rewritable code that controls the USB's basic functions, not in its flash memory—even deleting the entire contents of its storage wouldn't catch the malware. Other firmware tricks demonstrated by Caudill and Wilson would hide files in that invisible portion of the code, or silently disable a USB's security feature that password-protects a certain portion of its memory.
"People look at these things and see them as nothing more than storage devices," says Caudill. "They don’t realize there's a reprogrammable computer in their hands."
In an earlier interview with WIRED ahead of his Black Hat talk, Berlin-based Nohl had said that he wouldn't release the exploit code he'd developed because he considered the BadUSB vulnerability practically unpatchable. (He did, however, offer a proof-of-concept for Android devices.) To prevent USB devices' firmware from being rewritten, their security architecture would need to be fundamentally redesigned, he argued, so that no code could be changed on the device without the unforgeable signature of the manufacturer. But he warned that even if that code-signing measure were put in place today, it could take 10 years or more to iron out the USB standard's bugs and pull existing vulnerable devices out of circulation. "It’s unfixable for the most part," Nohl said at the time. "But before even starting this arms race, USB sticks have to attempt security."
Caudill says that by publishing their code, he and Wilson are hoping to start that security process. But even they hesitate to release every possible attack against USB devices. They're working on another exploit that would invisibly inject malware into files as they are copied from a USB device to a computer. By hiding another USB-infecting function in that malware, Caudill says it would be possible to quickly spread the malicious code from any USB stick that's connected to a PC and back to any new USB plugged into the infected computer. That two-way infection trick could potentially enable a USB-carried malware epidemic. Caudill considers that attack so dangerous that even he and Wilson are still debating whether to release it.
"There's a tough balance between proving that it’s possible and making it easy for people to actually do it," he says. "There's an ethical dilemma there. We want to make sure we’re on the right side of it."
Most USB thumb drives can be reprogrammed to silently infect computers
Most USB devices have a fundamental security weakness that can be exploited to infect computers with malware in a way that cannot easily be prevented or detected, security researchers found.
The problem is that the majority of USB thumb drives, and likely other USB peripherals available on the market, do not protect their firmware—the software that runs on the microcontroller inside them, said Karsten Nohl, the founder and chief scientist of Berlin-based Security Research Labs.
This means that a malware program can replace the firmware on a USB device like a thumb drive by using secret SCSI (Small Computer System Interface) commands and make it act like some other type of device, for example, a keyboard, Nohl said.
The spoofed keyboard could then be used to emulate key presses and send commands to download and execute a malware program. That malware could reprogram other USB thumb drives inserted into the infected computer, essentially becoming a self-replicating virus, the researcher said.
Proof-of-concepts
Researchers from Security Research Labs have developed several proof-of-concept attacks that they plan to present at the Black Hat security conferencein Las Vegas next week.
One of the attacks involves a USB stick that acts as three separate devices—two thumb drives and a keyboard. When the device is first plugged into a computer and is detected by the OS, it acts as a regular storage device. However, when the computer is restarted and the device detects that it’s talking to the BIOS, it switches on the hidden storage device and also emulates the keyboard, Nohl said.
Acting as a keyboard, the device sends the necessary button presses to bring up the boot menu and boots a minimal Linux system from the hidden thumb drive. The Linux system then infects the bootloader of the computer’s hard disk drive, essentially acting like a boot virus, he said.
Another proof-of-concept attack developed by Security Research Labs involves reprogramming a USB drive to act as a fast Gigabit network card.
As Nohl explained, OSes prefer a wired network controller over a wireless one and a Gigabit ethernet controller over a slower one. This means the OS will use the new spoofed Gigabit controller as the default network card.
The USB device also emulates a DHCP (Dynamic Host Configuration Protocol) server that automatically assigns a DNS (Domain Name System) server to the spoofed controller, but not a gateway address. In this case, the OS will continue to use the gateway specified by the real network card—so the Internet connection will not be disrupted—but the DNS server from the spoofed controller, Nohl said. By controlling the DNS server, which translates domain names into IP (Internet Protocol) addresses, an attacker can hijack the Internet traffic, he said.
To show that this attack is not only possible with USB thumb drives, the researchers will also use an Android phone connected to the computer to emulate a rogue network card.
Any USB connection can turn evil, Nohl said. If you let someone connect a USB thumb drive or charge a phone on your computer you essentially trust them to type commands on your computer, he said.
The price of convenience
The attacks developed by Security Research Labs underline the difficulty of having both the versatility of the USB standard and security at the same time. The greatest feature of USB—its plug-and-play capability—turns out to be its greatest vulnerability as well, according to Nohl.
Unfortunately, there’s no easy fix for this problem. The Security Research Labs researchers have identified several ways to address this issue, but none of them solve the problem completely or in a timely manner.
One place where the issue could be fixed is in the USB specification by requiring that a secure pairing process is used when adding new USB devices to a computer, similar to the one used for Bluetooth devices. However, even if the USB specification is changed, it could take years before the new standard is adopted and new devices replace the old ones.
OSes could also ask users to confirm the addition of new USB devices to their computers and then remember the approved devices—a sort of USB firewall. However, this might not even be possible because many USB devices use a string of zeros for their serial number and there’s no way for the OS to distinguish between them, Nohl said. Also, this doesn’t solve the attack vector where the USB device infects the boot sector from outside the OS.
An obvious place to fix the issue would be in the USB microcontrollers themselves by requiring firmware updates to be digitally signed or by implementing some sort of hardware locking mechanism that prevents overwriting the firmware once the device leaves the factory. Nohl said that he and his team haven’t seen such protections in any of the USB thumb drives they tested.
Even if manufacturers start implementing such protections there would have to be a way to tell new USB thumb drives apart from old, insecure ones, so that users can make an informed decision about which devices they connect to their computers.
Finally, a more short-term solution would be for users to start understanding the risks and be cautions about which USB devices they plug into their computers, Nohl said. For the purpose of exchanging files with other people an SD (Secure Digital) memory card would be a safer choice than a USB thumb drive, he said.
Comentários
Postar um comentário