
Using Linux, is there any way to detect whether an arbitrary USB device is a BadUSB or not?

For example:

  1. Booting a Linux into multi-user.target.
    • No graphical interface / tty (getty login).
  2. Plug the USB into the PC.
  3. Wait and see if it starts typing any character on tty.

Are these steps enough to detect a BadUSB?


This answer states that:

A compromised device can easily imitate any and all responses of a "good" device until and unless certain conditions are met, when it will deploy a payload.

However, this one says:

The hacked firmware have limited access to the computer, cannot detect the OS being used, and cannot infer anything about the computer status. So if you plug it on a computer with the screen locked, the "program" on the USB cannot detect the screen is locked, and usually will send keystrokes that cannot do anything because the screen is locked.

FooBar
  • Well, those answers are about slightly different things. The first one is talking about whether it is possible to check the firmware of a USB to determine if it is infected (and yes, in that context, the quoted sentence is somewhat confusing). The other talks about how a usb cannot tell what is going on the computer, so it blindly has to send the payload and simply hope that it gets executed. – nobody Jul 01 '21 at 12:00
  • Both have a point though. In most cases, a BadUSB will try to send its payload as quickly as possible to maximize the chances that the payload gets executed before the USB is removed. But if a particular BadUSB is trying to evade detection, I think it could be theoretically possible to program it so that it starts sending the keystrokes say, 2 minutes after it is connected. – nobody Jul 01 '21 at 12:03
  • Try a live distro like Tails that is not persistent, so that a malicious device cannot make lasting changes to your system. Then you can use the lsusb command for a start. The device may be a composite USB device, meaning that it may emulate more than one class of device. Maybe it is not a keyboard à la Rubber Ducky but it could be a network card or something else. Thus, it will not necessarily type any characters but could still act in the background. – Kate Jul 01 '21 at 20:04

3 Answers


BadUSB does not only come in the form of an HID device mimicking a keyboard and injecting keystrokes when plugged in. There are also variations like the Bash Bunny from Hak5 and LOGITacker that install a network device to communicate with the host system.

So I would suggest the following approach:

  1. Use an air-gapped system with a read-only live system.

  2. Watch the system log while plugging the device into the host with tail -f /var/log/messages (depends on the distro used).

Alternative:

Use udevadm monitor to see any kernel events and installations of new devices

Stefan Lorenz
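An added example (not code from this answer or from the commenters) of the lsusb check that Kate's comment and the udevadm/syslog approach above point at: it parses `lsusb -v` output and reports every device whose interface classes go beyond what you plugged the device in for, so a "storage stick" that also enumerates as a keyboard or a network adapter shows up. The device names and IDs in the embedded sample are constructed, not real products.

```python
import re
import sys

# Interface class codes (USB-IF class code list) with a short defender's gloss.
CLASS_NAMES = {
    2: "CDC communications (often a network adapter)",
    3: "HID (keyboard/mouse emulation)",
    8: "Mass Storage",
    10: "CDC data (network adapter data channel)",
    255: "Vendor-specific (needs its own driver)",
}

DEVICE_RE = re.compile(r"^Bus (\d+) Device (\d+): ID ([0-9a-f]{4}:[0-9a-f]{4})\s*(.*)$")
IFACE_RE = re.compile(r"^\s+bInterfaceClass\s+(\d+)\b")

def parse_lsusb(text):
    """Map each device in `lsusb -v` output to the set of interface classes it exposes."""
    devices, current = {}, None
    for line in text.splitlines():
        m = DEVICE_RE.match(line)
        if m:
            current = f"{m.group(3)} {m.group(4)}".strip()
            devices[current] = set()
            continue
        m = IFACE_RE.match(line)
        if m and current is not None:
            devices[current].add(int(m.group(1)))
    return devices

def audit(text, expected_classes=frozenset({8})):
    """Flag interface classes outside the expectation (default: a mass-storage-only stick)."""
    findings = []
    for label, classes in parse_lsusb(text).items():
        for code in sorted(classes - expected_classes):
            findings.append((label, code, CLASS_NAMES.get(code, "other/unknown class")))
    return findings

# Constructed sample (not real devices): a plain stick and a composite stick+keyboard.
SAMPLE = """\
Bus 001 Device 004: ID 1234:5678 Example Vendor Plain Stick
      bInterfaceClass         8 Mass Storage
Bus 001 Device 005: ID 1234:abcd Example Vendor Composite Stick
      bInterfaceClass         8 Mass Storage
      bInterfaceClass         3 Human Interface Device
"""

if __name__ == "__main__":
    # Read real `lsusb -v` output from a pipe; fall back to the sample when run interactively.
    data = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for label, code, why in audit(data):
        print(f"SUSPICIOUS {label}: interface class {code} ({why})")
```

On a real system run it as `lsusb -v 2>/dev/null | python3 audit.py` on the live system, once before and once after plugging the device in, and compare: root hubs and your own keyboard are flagged as well, so only the new lines matter.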

Depending on the device you can try to disassemble it, see if it looks "normal". If there is some EEPROM you can dump it and try to compare it to the official firmware if available. You can also try to analyze the USB traffic and see if it matches expected behavior. There are some hardware tools out there (GreatFET, Facedancer, LUNA ...) or software like Wireshark can also analyze what is sent between device and PC.

Also this:

The hacked firmware have limited access to the computer, cannot detect the OS being used, and cannot infer anything about the computer status. So if you plug it on a computer with the screen locked, the "program" on the USB cannot detect the screen is locked, and usually will send keystrokes that cannot do anything because the screen is locked.

is maybe true if the device just mimics some other device. But depending on the capabilities of the firmware and on which kind of USB device this firmware is installed it might very well know on what kind of OS it is plugged in, know what is going on, install malicious drivers, give you arbitrary data back ....

  • I don't know how an USB device could know which OS is on the other side. Do you have any info on this? – ThoriumBR Jul 02 '21 at 16:26
  • USB firmware is just an OS communicating with another OS (Linux, Windows ...). It acts as a kind of proxy between the OS where it is plugged in and whatever is at the other end (sensors, NAND flash, ...). Operating systems can be fingerprinted depending on their (USB) behavior. There is some lengthy post somewhere on this website on what (malicious) capabilities USB devices can have. This is not just limited to emulating some NIC or keyboard. Some firmware comes with drivers for the OS. – SauceAsAService Jul 08 '21 at 07:57
  • Also when the OS is installed on a USB stick, the firmware would see OS files flying by. Snowden leaks also showed HDD malware which is kind of similar. Would be pointless to have persistence if you don't know what you persist on. – SauceAsAService Jul 08 '21 at 07:58
  • Care to link that lengthy post? I am interested. – ThoriumBR Jul 08 '21 at 14:54
  • Sry I did not save the link :/ But I came across it not too long ago. It was either bumped/active or linked to from another question. – SauceAsAService Jul 09 '21 at 14:25
  • I think it was this one: https://security.stackexchange.com/questions/176207/is-all-the-alarmism-around-badusb-really-called-for-with-respect-to-host-devices also this from one of the BadUSB authors is interesting: https://security.stackexchange.com/questions/109576/can-sd-card-be-a-vector-of-a-badusb-type-attack-when-used-with-a-usb-reader – SauceAsAService Jul 09 '21 at 14:43
  • Thanks for those links, they are interesting. Still none of those say anything about the USB device knowing about the running OS at all. I did some research and still could not find anything on how a device could behave different depending on the OS. – ThoriumBR Jul 09 '21 at 20:42
  • If you can fingerprint the OS depending on its behavior you can react differently. Also this: https://github.com/daveti/badusb/blob/master/ppt/SRLabs-BadUSB-Pacsec-v2.pdf taken from https://security.stackexchange.com/questions/107846/can-autoplay-usb-stick-spread-virus-to-windows-8-or-10 – SauceAsAService Jul 10 '21 at 09:07

Short answer: no common secure approach.

"BadUSB" (or, for that matter, badAnyHardware) can come in pretty diverse flavours.

First, it can simply kill the hardware electrically. https://hackaday.com/2015/10/10/the-usb-killer-version-2-0/ This one in particular doesn't care if your OS is Linux or not.

It may attack vulnerabilities in the driver stack. The hard truth that the hardware may misbehave intentionally in a sophisticated manner is rather new for the software community. The attack may come at any level - a simple insertion of a USB device invokes a whole stack of drivers - HCI, UsbHID, USB Storage, SCSI-whatever, SCSI disk, filesystem, network device driver, etc... There may always be some obscure USB device driver in the OS that has some vulnerability and the device may represent itself by the VID/PID that calls for this particular device driver. It may as well try a few of them, just to be sure.

In most modern OSes (including Windows and Linux) the device drivers run at quite high privileges. Exploiting a vulnerability in one of them can get root/administrator/whatever.

Just representing itself as a keyboard and a fast-typing hacker is also an option. In this case, only a locked screen can be a safe test - just opening a text editor in order to see what the device "types" may end up with it using a few popular keyboard shortcuts in order to escape the application and open a command prompt. Then your computer is "pwned".

... and, on top of everything, the device may be programmed to fingerprint the host system and misbehave only against a particular computer. It will look innocent and even useful for anyone else.

fraxinus