4

Wired and others are reporting on a research paper by Karsten Nohl and Jakob Lell. The paper apparently shows how any USB device (not just memory sticks) can be infected with malware at the firmware level. This can then be used to attack any device the USB device is attached to. As the malware resides in the firmware, even wiping the memory stick of data is insufficient, as the firmware remains untouched.

USB is such an entrenched standard; can this be fixed in the next version?

Bruce Schneier suggests that this is the kind of attack the NSA would favour.

Note: There will be a presentation at BlackHat 2014 by the authors.

Edit: Adam Caudill and Brandon Wilson have released proof-of-concept code for this at DerbyCon 4.

JoltColaOfEvil
  • How devices can be reprogrammed, how new firmware is verified, and whether it is signed, are out of the scope of the standard. – curiousguy Aug 01 '14 at 00:19
  • @curiousguy: Does that being out of the standard currently prevent it from ever being brought in? – JoltColaOfEvil Aug 01 '14 at 00:47
  • I have no idea what you would like to standardise. I bet firmware, firmware loaders, and chips are **not** standard. A USB standard's aim is interoperability, not security. It's about standard protocols. If people want to play and reprogram USB devices, it isn't the task of a standard to rule on that. – curiousguy Aug 01 '14 at 01:30
  • USB isn't a standard about flash memory design, or mouse design, it's a **networking** standard. A networking standard, even PXE, has no business ruling on loader signature, kernel signature, etc. – curiousguy Aug 01 '14 at 01:36
  • Firmware bugs have been around for years. The reason you don't see them deployed much in practice is that the money isn't there -- exploits only work against a specific firmware / board / system. It isn't like a browser or Flash or similar you can expect to be on a large percentage of the world's computers. – Billy ONeal Aug 01 '14 at 02:07
  • I suggest changing from the word "fixed" to "enhanced", and broadening the subject to other ways users can protect themselves. Or we need another question to cover that. – nealmcb Aug 01 '14 at 14:01
  • @Gilles Since this question is older, wouldn't the other question be a possible duplicate of this one? – JoltColaOfEvil Oct 13 '14 at 19:31
  • Short answer "No." Long answer: "Sure, just set the [evil bit](https://www.ietf.org/rfc/rfc3514.txt) on all data transfer that could result in firmware modification." – tylerl Oct 13 '14 at 19:58

2 Answers

6

I think this WIRED story is way out of proportion. While it's true that a USB device can act as a keyboard, or mouse, or a hub with both, it would only act with the privileges of the current user, and the attack wouldn't be stealthy: the device would have to open a command window, type commands, etc. with no way to read command output.

You absolutely don't need to assume that a computer is potentially compromised just because a USB device was attached to it once.

The proposed solution "only allow a specific brand" is ridiculous too (how can you reliably measure that when the USB stick is lying?). A much simpler, more robust solution would be to block additional keyboards and pointing devices, unless the user confirms that they want to have two keyboards or two pointing devices.

Being able to reprogram any device firmware without user manipulation (good old jumper...) is still a serious security issue, obviously.

curiousguy
  • +1. By the Wired standard, nothing could ever connect to anything, because everything may have come in contact with something untrusted somewhere in the past. Firmware is everywhere, and quite a lot of it is buggy. – Billy ONeal Aug 01 '14 at 02:05
  • The WIRED story goes too far, but you don't go far enough. Much depends on the device, and the host. Not all keyboard or mouse input is evident to the user, especially if it happens after some inactivity. USB devices which can be dynamically reprogrammed in firmware to become a USB communications device class (or USB CDC) can launch networking attacks. Zero-day host vulnerabilities are widespread. So some USB devices should be treated as "hypodermic needles", and others are much safer. – nealmcb Aug 01 '14 at 13:56
  • @nealmcb "can launch networking attacks" how? – curiousguy Aug 01 '14 at 21:24
  • @curiousguy My networking attacks comment may be an overinterpretation or stretch. But it seems that the USB device firmware could emulate a Bluetooth or Ethernet or other network device, and then inject packets into the host. – nealmcb Aug 02 '14 at 00:50
  • @nealmcb Probably, but you would first need to configure the networking device; maybe with the keyboard and pointing device included in the same USB chip? – curiousguy Aug 02 '14 at 01:27
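One way a host could implement the policy this answer proposes (hold back an additional keyboard or pointing device until the user confirms it), judging a device only by the interface descriptors it declares rather than by a vendor ID it could forge. This is an added example, not code from the thread; the descriptor bytes are constructed, and flagging CDC interfaces (the network path raised in the comments) is my own extension of the answer's rule.

```python
import struct

# USB interface class codes; subclass 1 / protocol 1 or 2 marks a HID boot keyboard or mouse.
HID, CDC_COMM, MASS_STORAGE, CDC_DATA = 0x03, 0x02, 0x08, 0x0A
KEYBOARD, MOUSE = 1, 2

def parse_interfaces(config_desc: bytes):
    """Walk a configuration descriptor blob and return (class, subclass, protocol)
    for every interface descriptor (bDescriptorType 4, 9 bytes) it contains."""
    interfaces, pos = [], 0
    while pos + 2 <= len(config_desc):
        length, dtype = config_desc[pos], config_desc[pos + 1]
        if length == 0 or pos + length > len(config_desc):
            raise ValueError("malformed or truncated descriptor")
        if dtype == 0x04 and length >= 9:
            cls, sub, proto = config_desc[pos + 5:pos + 8]
            interfaces.append((cls, sub, proto))
        pos += length
    return interfaces

def decide(config_desc: bytes, have_keyboard: bool, have_pointer: bool) -> str:
    """'confirm' if the device adds a second keyboard/pointer or offers a
    network/serial (CDC) interface; otherwise 'allow'. Hypothetical policy."""
    for cls, sub, proto in parse_interfaces(config_desc):
        if cls == HID and sub == 1:
            if (proto == KEYBOARD and have_keyboard) or (proto == MOUSE and have_pointer):
                return "confirm"   # extra input device: ask the user first
        elif cls in (CDC_COMM, CDC_DATA):
            return "confirm"       # unexpected network/serial interface
    return "allow"

def iface(cls, sub, proto) -> bytes:
    """Constructed 9-byte interface descriptor: bLength=9, bDescriptorType=4."""
    return struct.pack("<BBBBBBBBB", 9, 4, 0, 0, 1, cls, sub, proto, 0)

def config(*ifaces) -> bytes:
    """Constructed minimal configuration descriptor wrapping the given interfaces."""
    body = b"".join(ifaces)
    return struct.pack("<BBHBBBBB", 9, 2, 9 + len(body), len(ifaces), 1, 0, 0x80, 50) + body

# Constructed samples: a plain storage stick, and a stick that also enumerates
# a boot keyboard (the composite device the answer describes).
PLAIN_STICK = config(iface(MASS_STORAGE, 6, 0x50))
STICK_PLUS_KEYBOARD = config(iface(MASS_STORAGE, 6, 0x50), iface(HID, 1, KEYBOARD))
```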
4

The "firmware attack" is not an issue of the USB protocol, but results from the fact that apparently some manufacturers allow the firmware of their device to be manipulated via USB. This is not part of the USB standard and cannot be fixed by altering the USB standard.

kllmnn