Attack Code For 'Unpatchable' USB Flaw Released

HardOCP News

And a move like this benefits who? Thanks to Monkey34 for the link.

Computer security researchers wrote the code following the discovery of the USB flaw earlier this year. The pair made the code public in an attempt to force electronics firms to improve defences against attack by USB. One of the experts who found the flaw said the release was a "stark reminder" of its seriousness.
 
It sure isn't going to push the electronics firms to do anything about it. The firmware and methods to handle USB devices can't be easily changed. That would involve replacing every single computer and every single USB device in existence and rewriting every single driver for every single USB device. That's not something we can change overnight, or even over the course of a year. It would take a decade, at least. Since they have already written the code and methods for USB 3.1, any change would have to be in the next version of USB, probably 4.0, and that is pretty much still on the drawing board.

These people are idiots for releasing this code. They've just made a big problem even bigger for the next decade, at least.
 
Anybody know the stock symbol for JB Weld? I think they will be doing very well soon.
 
Is it better to be quiet and let this issue linger in the shadows, or to bring it to light so someone can be informed, do something about it, or make sure it doesn't happen again in the next version or someone else's product/standard.

As a security dood at my company, I'd prefer issues be out in the open. A hidden, less-spoken-about issue is still an issue I need to know about. At least this way, I can try to deal with it and get some leverage from management to care about it themselves.

(This is an arguable situation, I'm playing devil's advocate since someone else took the other side. I do believe in my position, but I'm more than willing to have people disagree vehemently and respectfully.)
 
Meh. The sky isn't falling. If the means to inject malicious code exists in the firmware of existing devices then that same code path can be used to patch the firmware. LOL decade.

Source: Engineer who writes embedded firmware for USB host controllers
 
These people are idiots for releasing this code. They've just made a big problem even bigger for the next decade, at least.

because surely no one else was going to write it :rolleyes:


can't believe I am reading this
 
Meh. The sky isn't falling. If the means to inject malicious code exists in the firmware of existing devices then that same code path can be used to patch the firmware.
It is not injecting malicious code into the existing firmware; it is replacing the firmware entirely with malicious firmware.

It can't be preemptively patched because the attack simply overwrites the existing code.
 
These people are idiots for releasing this code. They've just made a big problem even bigger for the next decade, at least.

You're not paying attention. Details of the BadUSB flaw were released by Karsten Nohl and Jakob Lell in August. They did not release code that exploits the flaw.

This is two different guys, Adam Caudill and Brandon Wilson, who have released code that exploits the flaw. They figured it out a lot faster than two months. If they could figure it out, the bad guys already have.
 
Isn't the obvious fix a CRC check by the OS and/or driver (against known good USB controller and/or device firmwares)? Run a separate service or just modify the existing OS USB drivers.
 
Nothing is secure. Everything has security flaws. Illusion is safety. Anything man made is ridden with holes waiting to be exposed by hackers. It's a constant race between the companies plugging these holes and hackers using them.:)
 
Isn't the obvious fix a CRC check by the OS and/or driver (against known good USB controller and/or device firmwares)? Run a separate service or just modify the existing OS USB drivers.

How does the OS read the firmware on the device? This is something that would need to be engineered into the USB standard.
 
How does the OS read the firmware on the device? This is something that would need to be engineered into the USB standard.
I thought it would be an option with a separate driver, but according to discussion on Slashdot, the portion of firmware being replaced can not be read (and therefore checked), only erased and rewritten. No joke. Not by the OS, not even by manufacturers of the USB devices themselves.

Wow.
 
Problem solved!

[image: ADA-USB-PS2-unit.jpg]
 
This requires physical access to exploit though right? If someone wanting to do something malicious gains physical access to your systems that is a problem on its own.
 
Theoretically they can infect the firmware on a USB device, then use the infected firmware to infect any computer it's plugged in to, then use the infected computer to infect any other USB devices plugged into it.

I'm not sure how practical any of that is though. Is Windows, for example, really that vulnerable to malicious code execution from the USB device? The paper doesn't cover that - it's primarily concerned with the infection of the USB devices themselves. I think UAC would bark when a USB device you plugged in tried to install something.
 
I thought it would be an option with a separate driver, but according to discussion on Slashdot, the portion of firmware being replaced can not be read (and therefore checked), only erased and rewritten. No joke. Not by the OS, not even by manufacturers of the USB devices themselves.

Wow.
The real problem is that you talk to the device through the controller which is compromised. It can pretend to do a check and report everything is ok. It's a flaw in the standard in that all communication with the storage and firmware itself is through the device controller which can be compromised. That's 50% of the problem. The other 50% is that the controller firmware is re-writable. You think they would have figured out USB drives well enough by now they don't need to be re-flashable.
 
Theoretically they can infect the firmware on a USB device, then use the infected firmware to infect any computer it's plugged in to, then use the infected computer to infect any other USB devices plugged into it.

I'm not sure how practical any of that is though. Is Windows, for example, really that vulnerable to malicious code execution from the USB device? The paper doesn't cover that - it's primarily concerned with the infection of the USB devices themselves. I think UAC would bark when a USB device you plugged in tried to install something.
The device can pretend to be a keyboard, open a command window and shut down anti-virus and/or download malicious code from the internet. If you're looking you might see a cmd window for an instant.
 
Sadly it would not surprise me if the NSA has been doing this with every day devices like mice and keyboard or USB storage devices. They tend to intercept random hardware to plant stuff in it.
 
I thought it would be an option with a separate driver, but according to discussion on Slashdot, the portion of firmware being replaced can not be read (and therefore checked), only erased and rewritten. No joke. Not by the OS, not even by manufacturers of the USB devices themselves.

Wow.

This is not surprising at all. There is no need for the host PC to read back the firmware and therefore that functionality was not designed into the hardware.

EEPROMs hosting firmware binaries for embedded applications are usually "write only" in that sense.
 
This move benefits everyone because it forces chip makers to update their shit, despite knowing about this for about a year they did nothing to fix the problem

Now that this is out there, they are forced to upgrade/patch their shit, and yeah the consumer will hate these guys in the short run, but love them in the long run
 
Also, guys, I'm amazed at how few people know how this works: these USB attack devices work by simulating keyboard/mouse input to get your machine to execute code which is stored and hidden on the USB device; it does not magically interface with the controller's firmware.
 
Also guys, I'm amazed at how few people know how this works, these USB attack devices work by simulating keyboard/mouse input to get your machine to execute code which is stored and hidden on the USB device
No, "your machine" does not "execute code which is stored and hidden on the USB device". That is not how the attack works. The code stored on the USB device executes on the USB device's microcontroller.
 
This is not surprising at all. There is no need for the host PC to read back the firmware and therefore that functionality was not designed into the hardware.

EEPROMs hosting firmware binaries for embedded applications are usually "write only" in that sense.
What surprised me is that manufacturers have no way of reading back firmware in order to check for corruption or to verify updates have installed properly etc.

Also, does Windows or any major OS maintain the USB stack in its kernel?
 
What surprised me is that manufacturers have no way of reading back firmware in order to check for corruption or to verify updates have installed properly etc.

Also, does Windows or any major OS maintain the USB stack in its kernel?
The OS's pretty much need to start asking the user to verify things like new keyboards. Although I would never run anything off a USB drive directly. The controller can bait and switch a .exe between a malware scanner and actually running. You have to copy the .exe to a local drive, scan and execute from there. So in addition to Autoplay settings, there needs to be code execution blocking for different drives and storage devices.

The problem with recognizing devices is that they are often generic and there is no real way to tell the difference between generic keyboard A you've had attached for years and just moved to a different USB port and a compromised flash drive pretending to be a keyboard. Basically a new standard needs to have these serialized via some hidden key method; if you normally can't read a device's firmware, the actual key should remain a mystery to malware. This way you can start trusting specific devices.
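An added example, not code from the thread or from either research team, of the host-side device-recognition logic the two posts above are talking about (a storage stick that suddenly presents itself as a keyboard, and telling a keyboard you have used for years from a reflashed drive pretending to be one). It parses a USB configuration descriptor, the interface list every device hands over at enumeration, and flags a device that advertises a mass-storage interface and a HID interface at the same time, a HID device that has never been seen before, and a previously accepted device whose interface set has changed. The two descriptors, the vendor/product IDs and the serial number are constructed for the example. As the thread points out, the descriptor and any ID come from the device's own controller, so a reflashed device can forge all of it; this is a policy hook for prompting the user, not a way to read or verify the firmware.

```python
import struct

# Descriptor types and class codes from the USB 2.0 specification, chapter 9.
DT_CONFIGURATION = 0x02
DT_INTERFACE = 0x04
DT_ENDPOINT = 0x05
DT_HID = 0x21
CLASS_HID = 0x03
CLASS_MASS_STORAGE = 0x08
HID_SUBCLASS_BOOT = 0x01
HID_PROTOCOL_KEYBOARD = 0x01


def parse_config_descriptor(blob: bytes):
    """Walk a configuration descriptor chain and return one
    (number, class, subclass, protocol) tuple per default-alternate interface."""
    if len(blob) < 9 or blob[1] != DT_CONFIGURATION:
        raise ValueError("not a configuration descriptor")
    total = struct.unpack_from("<H", blob, 2)[0]
    if total != len(blob):
        raise ValueError(f"wTotalLength {total} does not match {len(blob)} bytes received")
    interfaces = []
    off = 0
    while off < len(blob):
        if off + 2 > len(blob):
            raise ValueError(f"truncated descriptor header at offset {off}")
        length, dtype = blob[off], blob[off + 1]      # every descriptor starts bLength, bDescriptorType
        if length < 2 or off + length > len(blob):
            raise ValueError(f"malformed descriptor at offset {off}")
        if dtype == DT_INTERFACE:
            if length < 9:
                raise ValueError(f"short interface descriptor at offset {off}")
            # bInterfaceNumber, bAlternateSetting, bNumEndpoints, bInterfaceClass,
            # bInterfaceSubClass, bInterfaceProtocol follow the two header bytes
            num, alt, _n_ep, cls, sub, proto = blob[off + 2:off + 8]
            if alt == 0:                                # alternate settings share the class; count once
                interfaces.append((num, cls, sub, proto))
        off += length
    return interfaces


# --- constructed sample descriptors (not captured from real hardware) -------------
def _interface(num, cls, sub, proto, n_endpoints):
    return bytes([9, DT_INTERFACE, num, 0, n_endpoints, cls, sub, proto, 0])


def _endpoint(address, attributes, max_packet, interval=0):
    return bytes([7, DT_ENDPOINT, address, attributes]) + struct.pack("<H", max_packet) + bytes([interval])


def _configuration(n_interfaces, body):
    header = bytes([9, DT_CONFIGURATION]) + struct.pack("<H", 9 + len(body)) + bytes([n_interfaces, 1, 0, 0x80, 50])
    return header + body


_STORAGE = (_interface(0, CLASS_MASS_STORAGE, 0x06, 0x50, 2)          # SCSI transparent, bulk-only transport
            + _endpoint(0x81, 0x02, 512) + _endpoint(0x02, 0x02, 512))
_KEYBOARD = (_interface(1, CLASS_HID, HID_SUBCLASS_BOOT, HID_PROTOCOL_KEYBOARD, 1)
             + bytes([9, DT_HID, 0x11, 0x01, 0, 1, 0x22, 63, 0])       # HID descriptor: one 63-byte report descriptor
             + _endpoint(0x82, 0x03, 8, interval=10))                  # interrupt IN endpoint carrying key reports

BENIGN_STICK = _configuration(1, _STORAGE)                # plain flash drive
SPOOFED_STICK = _configuration(2, _STORAGE + _KEYBOARD)   # reflashed drive that now also types

# Constructed identifier (vendor ID, product ID, serial); a reflashed controller can forge all three.
SAMPLE_DEVICE_ID = (0x1234, 0x5678, "0000000000000001")


def assess(blob, known_devices, dev_id):
    """Return a list of findings for a newly enumerated device.
    known_devices maps (vid, pid, serial) -> set of interface classes seen when the user first accepted it."""
    ifaces = parse_config_descriptor(blob)
    classes = {cls for _, cls, _, _ in ifaces}
    # Any HID interface is treated as a possible keystroke source: the report descriptor that says
    # "keyboard" or "mouse" comes from the same controller, so inspecting it buys nothing.
    can_inject_input = CLASS_HID in classes
    findings = []
    if can_inject_input and CLASS_MASS_STORAGE in classes:
        findings.append("storage device also presents a HID interface")
    previously_seen = known_devices.get(dev_id)
    if previously_seen is None:
        if can_inject_input:
            findings.append("unknown HID device: do not accept input until the user confirms it")
    elif previously_seen != classes:
        findings.append(f"interface classes changed since first accepted: {sorted(previously_seen)} -> {sorted(classes)}")
    return findings


if __name__ == "__main__":
    accepted = {SAMPLE_DEVICE_ID: {CLASS_MASS_STORAGE}}   # the stick was accepted as storage only
    for name, blob in (("benign", BENIGN_STICK), ("spoofed", SPOOFED_STICK)):
        print(name, assess(blob, accepted, SAMPLE_DEVICE_ID) or "no findings")
```

The "first keyboard" problem raised later in the thread applies here too: the very first HID device on a fresh install has to be accepted without a prompt, so the allowlist only helps once a baseline exists. The `wTotalLength` check is there because the descriptor is untrusted input from the device; a host parser that walks past the end of what it actually received is the same class of bug the thread is worried about, just on the other side of the cable.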
 
Well, if those two who released the code get the crap beat out of them, it wouldn't surprise me.
 
Oh, btw......I'm going to have a fire sale of usb keyboards, mice, cameras, and printers real soon! Good stuff CHEAP! These items are especially good for the home office, any computer you use for banking, and any computer you store all your personal stuff on!

I know who benefits from the code release...;)
 
Can't believe people still think releasing this kind of info is a bad thing. If someone figures out an exploit/attack is possible, that possibility alone will encourage the hackers to work on it and figure out how to use it to their advantage. Do you really think they are going to sit there and do nothing when money is on the line?

Not releasing the code is not going to stop them, at best it will delay them until they figure it out on their own. This kind of info should be released, hopefully it will encourage companies to change things and fix the problems.
 
This move benefits everyone because it forces chip makers to update their shit, despite knowing about this for about a year they did nothing to fix the problem

Now that this is out there, they are forced to upgrade/patch their shit, and yeah the consumer will hate these guys in the short run, but love them in the long run

hmmmm....Seems to me the flaw is in the USB standard, not the individual products. So hardware vendors couldn't fix the problem.

And oh yes, who's going to pay for my replacement firmware on my keyboard, mouse, Game pad, monitor USB Hub, 5 year old printer, usb memory sticks, portable hard drives, $300 motherboard, and docking station?

You all are freaking idiots.
 
Can't believe people still think releasing this kind of info is a bad thing. If someone figures out an exploit/attack is possible, that possibility alone will encourage the hackers to work on it and figure out how to use it to their advantage.

That's the same as saying, "Put the secrets to a nuclear bomb out there including the implosion design. I mean someone is going to work on it right?"
 
What surprised me is that manufacturers have no way of reading back firmware in order to check for corruption or to verify updates have installed properly etc.

Also, does Windows or any major OS maintain the USB stack in its kernel?
Many manufacturers will have a method for reading back the firmware, however it:
  1. May not be through the USB interface. ie: requires cracking open the device and hooking some pins up to a tester.
  2. May be in the application stack of USB, in which case the device is already started and doing untrustworthy things (such as returning a fake approved firmware).
 
So help me out here - how does this work? The chip firmware on a USB flash drive or smartphone could become compromised, and it then does what? It flashes the USB controller on my PC? Which then spreads to all other USB firmware that gets plugged into that computer?

OR,

Are we just talking about a flash drive getting compromised and doing nasty things to my PC (but not flashing firmware ON the PC, and spreading to all other devices on its own)? This is presumably undetectable to, say, a virus scanner, because the USB stick is presenting itself as a keyboard?

The first scenario is straight up scary. The second is no different than the typical dangers of using flash drives - except virus scanners can't detect it. (I don't let people plug their USB drives into my PC, nor is there really any need for that).

If it's the first scenario - are we screwed here? This basically means we have to turn off USB to keep our critical systems safe. (which I do at work on our mission critical servers but still)
 
So help me out here - how does this work?
It's the second scenario; however that largely enables the first scenario.

Once the device has control over your computer, it can do whatever it wants.
 
The OS's pretty much need to start asking the user to verify things like new keyboards.

Well, except for the first keyboard / mouse / touchscreen ... :D but that's a great idea. One more prompt for UAC then.
 
hmmmm....Seems to me the flaw is in the USB standard, not the individual products. So hardware vendors couldn't fix the problem.

And oh yes, who's going to pay for my replacement firmware on my keyboard, mouse, Game pad, monitor USB Hub, 5 year old printer, usb memory sticks, portable hard drives, $300 motherboard, and docking station?

You all are freaking idiots.

Agreed, first off, releasing the vulnerability was enough, that was proper. But releasing the attack code itself, that was just moronic and criminal if you ask me. I'd sure as shit send them to jail for it.

Next, yes you do pretty much need to get physical access to a system to take advantage of this, or at least to the USB devices. But, in many cases physical access is by design, Library anyone?

Now I am thinking the EPROM for most of these devices is not very big so attack code would have to be small for many of them and that would limit what you could do with them. But I would also think that our fancy gaming devices might have much larger EPROM allocations and serve much better as attack platforms. Then again, a gamer's machine is harder to gain physical access to.

I don't think I am going to buy any more USB shit off ebay anymore.
 