17 November 2014

THE NEXT ‘DIGITAL EPIDEMIC?’ HALF OF ALL USB DEVICES HAVE AN UN-PATCHABLE FLAW; WIDELY AVAILABLE HACKING TOOLS CAN CONVERT USB DEVICES INTO STEALTH MALWARE INSTALLER

November 13, 2014 

fortunascorner.wordpress.com

Andy Greenberg, writing November 12, 2014 on the website Wired.com, begins first by giving us the good news: “that un-patchable flaw in USB devices first brought to light over the summer, affects only about half of the things you plug into your USB port. The bad news is, it’s nearly impossible to sort out the secure gadgets from the insecure ones — without ripping open every last thumb drive.”

“At the PAC Security Conference in Tokyo last week, hacker Karsten Nohl presented an update to his research on the fundamental insecurity of USB devices…he’s dubbed — BadUSB,” Mr. Greenberg wrote. “Nohl, and his fellow researchers Jakob Lell and Sascha Krissler have analyzed every USB controller chip sold by the industry’s eight biggest vendors to see if their hack would work against each of those slices of silicon. The results: Roughly half of the chips were immune to the attack. But, predicting which chip a device uses is practically impossible for the average consumer.”

“It’s not like you plug [a thumb-drive] into your computer; and, it tells you this is a Cypress chip, and this one is a Phison chip,” says Nohl, naming two of the top USB chip manufacturers. “You really can’t check other than by opening the device and doing the analysis yourself….The scarier story is that we can’t give you a list of safe devices.”

“Nohl’s BadUSB attack, which he revealed at the Black Hat security conference in August, takes advantage of the fact that a USB controller chip’s firmware can be reprogrammed,” Mr. Greenberg wrote. “That means a thumb drive’s controller chip itself, rather than the Flash storage on that memory stick, can be infected with malware that invisibly spreads to computers, corrupts files stored on the drive, or quietly begins impersonating a USB keyboard to type commands on the victim’s machine.”

“You’d Never Get Away With This In A Laptop”

“Nohl’s research team [recently] tested that re-programmability problem in USB controller chips sold by the industry’s biggest vendors: Phison, Alcor, Renesas, ASmedia, Genesys Logic, FTDI, Cypress, and Microchip,” Mr. Greenberg noted. “They checked versions of each chip — both by looking up its published specs; and, by plugging a device using it into a computer, and attempting to rewrite the chip’s firmware.”

“They found an unpredictable patchwork of results,” Mr. Greenberg wrote. “All of the USB storage controllers from Taiwanese firm Phison that Nohl tested, for instance, were vulnerable to reprogramming. Chips from ASmedia weren’t, Nohl’s tests found. Controller chips from fellow Taiwanese company Genesys that used the USB 2 standard were immune, but ones that used the newer USB 3 standard were susceptible. In other categories of device like USB hubs, keyboards, webcams and mice, the results produced an even messier Excel spreadsheet of “vulnerable,” “secure,” and inconclusive.”

“Those findings go far beyond Nohl’s initial research, which focused only on Phison, the USB storage chipmaker with the largest market share. He’s published a rundown of his findings about all the chips his team analyzed; however, consulting Nohl’s data won’t do consumers much good,” Mr. Greenberg contends. “Unlike computer makers that advertise “Intel Inside,” USB device makers don’t label their products with the obscure Taiwanese company’s chip they’ve integrated. And, they often switch chips — even in the same product — to take advantage of whichever supplier can give them those semiconductors for a few pennies cheaper that month. In an analysis of USB controller chips at the security conference Shmoocon earlier this year, security researcher Richard Harman found that Kingston used a half a dozen different companies’ USB chips.” “That Kingston flash drive could have USB controllers from any of five or six vendors,” Nohl said.

“Nohl says that means that combating BadUSB will require device makers to clearly label the chips their products use. You’d never get away with this in a laptop. People would go crazy if they bought a computer; and, it wasn’t the chip they saw in the review they read,” he says. “It’s just these USB devices that come as black boxes.”

“The difficulty of creating such a labeling system adds yet another hurdle to fixing underlying issues that make BadUSB the problem,” Mr. Greenberg wrote. “Those difficulties convinced Nohl not to release the proof-of-concept for his BadUSB attack when he demonstrated it at Black Hat, for fear it might be replicated by malicious hackers. But, two independent researchers reverse engineered the attack and published their own BadUSB code last month, in the interest of allowing further study of the problem; and, pressuring companies to fix it.”

“At least one company already does purposefully protect against BadUSB attacks: Imation-owned USB maker Ironkey requires that any new updates to its thumbdrives’ firmware be signed with an unforgeable cryptologic signature that prevents malicious reprogramming. Other USB makers could follow that model, Nohl says.”

Nohl added that “among major vendors, even the USB chips that he and his researchers found to be immune from BadUSB were only protected “by accident,” Nohl argues. Those chips, he said, were custom-designed for a unique application to save money, making them impossible to reprogram. But, “every chip that could be reprogrammable, is reprogrammable,” and, thus vulnerable to BadUSB,” Nohl said.

“Nohl’s research,” Mr. Greenberg concludes, “is in part a rebuttal to critics who argued his original BadUSB presentation focused too narrowly on leading chipmaker Phison. In some sense,” he writes, “those critics were right: some USB chips from other vendors do seem to be immune from the problem. But, in a broader sense, Nohl argues that the tangled mix of secure, and insecure USBs and the total lack of transparency in the USB device industry means that practically every device is suspect.” “Some people have accepted that USB is insecure. Others remember BadUSB only as a Phison bug. That second group needs to wake up to the same level of awareness of the first group,” Nohl said. “For practical purposes, it affects…potentially everything.”

Bad USB Malware Code Released — Turns USB Drives Into Undetectable Cyber Weapons; Widely Available Hacking Tools Can Convert USB Devices Into USB Devices Likely Carrying ‘The Next Digital Epidemic’

Swati Khandelwal, in an October 4, 2014 article on the website, The Hacker News, wrote that “once again, [the] USB has come up as a major threat to a vast number of users…who use USB devices — including USB sticks and keyboards.” He adds that “security researchers have released a bunch of hacking tools that can be used to convert a USB drive into a silent malware installer. This vulnerability has come about to be known as “BadUSB,” whose source code hosting website — Github — demanding manufacturers to either beef up protections for the USB flash drive firmware and fix the problem; or, leave hundreds of millions of users vulnerable to being hacked.”

“The code, released by researchers Adam Caudill and Brandon Wilson, has the capability to spread itself by hiding in the firmware meant to control the ways in which USB devices connect to computers. The hack utilizes the security flaw in the USB that allows an attacker to insert the malicious code into their firmware,” Mr. Khandelwal wrote.

“But Wait!,” Mr. Khandelwal warns, “What this means is that this critical vulnerability is now available online for hackers, cyber criminals and everybody to use so as to infect as many computers as they want.”

Source Code Available Online — To Everybody

“In a talk at the Derbycon Hacker Conference in Louisville, Kentucky last week, the duo were able to reverse engineer the USB firmware, infect it with their own code, and essentially hijack the associated device,” Mr. Khandelwal wrote. “The researchers also underlined the danger of the BadUSB hack by going in-depth of the code.”

“The security hole was first revealed by researchers from the Berlin-based Security Research Labs (SRLabs in Germany) at the Black Hat security conference in Las Vegas this summer. The German researchers didn’t publish their source code…because they thought it to be too dangerous; and, too hard to patch,” Mr. Khandelwal wrote.

“We really hope that releasing this will push device manufacturers to insist on signed firmware updates, and that Phison will add support for signed updates to all of the controllers it sells,” Caudill said in a blog post. “Phison isn’t the only player here, though they are the most common — I’d love to see them take the lead in improving security for these devices.”

The Good News — And, The Bad

“The good news,” Mr. Khandelwal contends, “is this vulnerability presents in only one USB manufacturer, Phison electronics, a Taiwanese electronics company. But, the bad side of it,” he says, “that Phison USB sticks can infect any given device they are plugged into, and the company has not yet revealed who it manufactures USB sticks for. This is the fact it is still unclear as to how, widespread the problem may be at the moment.”

“A Phison USB stick can infect any type of computer, but it isn’t clear if it’s able to infect any other USB device that is plugged into them — afterwards, or not. However, Phison controllers are found in a very large number of USB thumb drives available on the [commercial] market.”

BadUSB Vulnerability Is Unpatchable

Mr. Khandelwal warns that “the flaw in USB basically modifies the firmware of USB devices, which can easily be done from inside the operating system, and hides the malware in USB devices in a way that it became almost impossible to detect it. The flaw goes worst, when complete formatting, or deleting the contents of a USB device wouldn’t vanish the malicious code, since it’s embedded in the firmware.”

According to Wired.com, “the vulnerability is “practically unpatchable,” because it exploits the very way that USB is designed.” “Once infected, each USB device will infect anything it’s connected to, or any new USB stick coming into it.”

Impact Of BadUSB Attack

Once compromised, the USB devices can reportedly:

— enter keystrokes;

— alter files;

— affect Internet activity;

— infect other systems, as well, and then spread to additional USB devices;

— spoof a network card and change the computer’s DNS setting to redirect traffic;

— emulate a keyboard, and issue commands on behalf of the logged-in user, for example to exfiltrate files, or install malware.
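
A host-side check for two of the impersonations listed above (keyboard and network card), as an added example that is not from the article or the researchers: it flags any interface class that a port is not expected to present. The port names, `POLICY` and the sample device records are constructed assumptions; the class codes are the USB-IF `bInterfaceClass` values.

```python
# Added example. Device records below are constructed, not captured.
from dataclasses import dataclass

# USB-IF bInterfaceClass codes.
HID, MASS_STORAGE, CDC, CDC_DATA = 0x03, 0x08, 0x02, 0x0A
NETWORK = {CDC, CDC_DATA}

@dataclass(frozen=True)
class Interface:
    cls: int
    subclass: int
    protocol: int

@dataclass(frozen=True)
class Device:
    port: str          # physical port path, assigned by the host
    vid_pid: str       # reported by the device firmware, so informational only
    interfaces: tuple

def label(i):
    """Name the role an interface claims, for the roles the article lists."""
    if i.cls == HID:
        # Boot-protocol keyboards report subclass 0x01, protocol 0x01.
        return "HID keyboard" if (i.subclass, i.protocol) == (1, 1) else "HID input"
    if i.cls in NETWORK:
        return "network adapter"
    return f"class 0x{i.cls:02x}"

def audit(devices, policy):
    """Return one finding per interface not permitted on the device's port."""
    out = []
    for d in devices:
        allowed = policy.get(d.port)
        if allowed is None:
            out.append(f"{d.port} ({d.vid_pid}): port has no policy, deny")
            continue
        out += [f"{d.port} ({d.vid_pid}): unexpected {label(i)}"
                for i in d.interfaces if i.cls not in allowed]
    return out

# Hypothetical site policy: which interface classes each port may present.
POLICY = {"1-1": {MASS_STORAGE}, "1-2": {MASS_STORAGE}, "1-3": {MASS_STORAGE}}
SAMPLE = [
    Device("1-1", "aaaa:0001", (Interface(0x08, 0x06, 0x50),)),
    Device("1-2", "aaaa:0001", (Interface(0x08, 0x06, 0x50), Interface(0x03, 1, 1))),
    Device("1-3", "aaaa:0002", (Interface(0x02, 0x06, 0x00), Interface(0x0A, 0, 0))),
    Device("2-1", "aaaa:0003", (Interface(0x03, 1, 2),)),
]

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE, POLICY)))
```

The policy keys on the port and the interface classes rather than on the vendor and product IDs, because those IDs come from the same firmware the attack rewrites.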

“During the Derbycon demonstration,” Mr. Khandelwal writes, “the two researchers replicated the emulated keyboard attack; but, also showed a hidden partition on thumb drives to defeat forensic tools; and, how to bypass the password for protected partitions on some USB drives that provide such a feature.”

Manufacturer Denies The Problem

Mr. Khandelwal writes that “security researchers tried to contact Phison Electronics, the manufacturer of the vulnerable USB devices; but, the company “repeatedly denied that the attack [described] was possible.”

USB Devices Likely Carrying ‘The Next Digital Epidemic’

Andy Greenberg, writing in the October 2, 2014 edition of Wired.com, notes that “Caudill and Wilson reverse engineered the firmware of USB microcontrollers, sold by the Taiwanese firm, Phison, one of the world’s top USB makers. Then, they [the researchers] reprogrammed that firmware to perform disturbing attacks: In one case, they showed that the infected USB can impersonate a USB keyboard to type any keystrokes the attacker chooses on the victim’s machine. Because it affects the firmware of the USB’s microcontroller, that attack program would be stored in the rewritable code that controls the USB’s basic functions, not in its flash memory — even deleting the entire contents of its storage wouldn’t catch the malware. Other firmware tricks demonstrated by Caudill and Wilson would hide files in that invisible portion of the code, or silently disable the USB’s security feature that password protects a certain portion of its memory.”

“People look at these things and see them as nothing more than storage devices,” Caudill said. “They don’t realize there’s a reprogrammable computer in their hands.”

Mr. Greenberg had a previous article on this same subject in the July 31, 2014 edition of Wired.com. He wrote at that time, “computer users pass around USB sticks like silicon business cards. Although we know they often carry malware infections, we depend on antivirus scans and the occasional reformatting to keep our thumb-drives from becoming the carrier of the next digital epidemic. But, the security problems with USB devices run deeper than you think,” he says: “Their risk isn’t just what they carry, it’s built into the core of how they work.”

“The problem isn’t limited to thumb drives,” Mr. Greenberg wrote at the time. “All manner of USB devices — from keyboards and mice, to smartphones — have firmware that can be reprogrammed. In addition to USB sticks, Nohl and Lell say they’ve also tested their attack on an Android handset, plugged into a PC. And, once a BadUSB-infected device is connected to a computer, a grab bag of evil tricks it can play havoc on the infected network/IT system. It can, for example, impersonate a USB keyboard to suddenly start typing commands.” “It can do whatever you can do with a keyboard, which is basically everything a computer does. The malware can silently hijack Internet traffic too, changing a computer’s DNS settings to siphon traffic to any servers it pleases. Or, if the code is planted on a phone, or another device with an Internet connection, it can act as a man-in-the-middle, secretly spying on communications — as it relays them from the victim’s machine,” Nohl added.

The Alternative Is To Treat USB Devices Like Hypodermic Needles

“Nohl, and his colleague, Jakob Lell, reached out to a Taiwanese USB device maker, whom he declines to name, and warned the company about their BadUSB research,” Mr. Greenberg writes. “Over a series of emails, the company repeatedly denied that the attack was possible. When Wired contacted the USB Implementers Forum, a nonprofit corporation that oversees the USB standard, spokeswoman Liz Nardozza responded in a statement: “Consumers should always ensure their devices are from a trusted source; and, that only trusted sources interact with their devices,” she wrote. “Consumers safeguard their personal belongings; and, the same effort should be applied to protect themselves — when it comes to technology.”

“Nohl agrees. The short-term solution to BadUSB isn’t a technical patch, so much as a fundamental change in how we use USB gadgets.” writes Mr. Greenberg. “To avoid the attack, all you have to do is not connect your USB device to computers you don’t own; or, have good reason to trust — and, don’t plug untrusted USB devices into your own computer. But, Nohl admits that makes the convenient slices of storage we all carry in our pockets, among many other devices, significantly less useful.” “In this new way of thinking, you can’t trust a USB — just because it’s storage doesn’t contain a virus. Trust must come from the fact that no one malicious has ever touched it,” said Nohl. “You have to consider USB infected; and, throw it away as soon as it touches a non-trusted computer. And, that’s incompatible with how we use USB devices right now,” he added.

“The two researchers haven’t yet decided just which of their BadUSB device attacks they’ll release at Black Hat, if any. Nohl says he worries that the malicious firmware for USB sticks could quickly spread,” wrote Mr. Greenberg. “On the other hand, he says users need to be aware of the risks. Some companies could change their USB policies, for instance, to only use a certain manufacturer’s USB devices; and, insist that vendor implement code-signing protections on their gadgets.”

“Implementing that new security model will first require convincing device makers that the threat is real,” Mr. Greenberg concludes. “The alternative,” Nohl says, “is to treat USB devices like hypodermic needles that can’t be shared among users — a model that sows suspicion; and, largely defeats the devices’ purpose. “Perhaps you remember once when you’ve connected some USB device to your computer from someone you don’t completely trust,” says Nohl. “That means you can’t trust your computer anymore. That is a threat on a layer that’s invisible. It’s a terrible kind of paranoia.”

If any of you are using a USB device, it is best to assume it is “dirty,” and that whatever you have on it, and wherever/whatever you plug it into, can and may be infected. It isn’t safe out there. And, if your USB device is clean — how do you really know that? V/R, RCP
