Posted on 10/25/2014 10:35:47 AM PDT by null and void
Security experts prove it’s possible to infect USB sticks’ MCU
Next time you find a foreign USB lying around, think twice before plugging it into your computer. A pair of security researchers named Karsten Nohl and Jakob Lell demonstrated before an audience at Black hat security conference in Las Vegas a fundamental flaw in USB firmware could be exploited to create an undetected malware that cannot be patched. Realizing the kind of power they were dealing with, the pair opted to keep the code secret – until fellow colleagues decided to post it publically on Github.
Two other researchers – Adam Caudill and Brandon Wilson – reversed engineered the same USB firmware that Nohl and Lell did and released it into the wild in an effort to coerce USB makers into fixing the problem or risk leaving millions of users vulnerable.
“The belief we have is that all of this should be public. It shouldn’t be held back. So we’re releasing everything we’ve got,” said Caudill, speaking before an audience at Derbycon on Friday. “This was largely inspired by the fact that [SR Labs] didn’t release their material. If you’re going to prove that there’s a flaw, you need to release the material so people can defend against it.” In other words, publically releasing the hack allows security experts, and White hat hackers alike, to test the technique and discover all the possible angles of exploit.
Caudill argues that some form of BadUSB – as the exploit has been named – is probably already available to resourceful government intelligence agencies, and manufacturers are less likely to act if the only people who can use it are large entities with “significant budgets.” If one were to prove that everyone can perform the hack, then “that puts pressure on the manufactures to fix the real issue” adds Caudill.
To put the incident into perspective, consider the fact that USB sticks are not simply “storage devices,” but rather minicomputers with microcontrollers. By reprogramming firmware directly onto the microcontroller of a USB stick, Caudil and Wilson created a malware that lurks within the machine-level code which controls the USB’s basic functions, not its flash memory. Thus, deleting the content of the USB will not eliminate the malware.
Caudil demonstrated that the reprogrammed firmware could be used to initiate a number of grievous attacks such as impersonating a keyboard to type any strokes on the victim’s machine, hide files in the invisible portion of the code, or secretly disable the USB’s security feature that password protects content.
Fixing USB devices would involve rewriting the entire security architecture so that firmware cannot be altered without the manufacturer’s security key. Even if this plan is set in motion, it may take up to a decade before the older bug-ridden memory-sticks are phased out.
Caudil and Wilson are currently working on a new angle of attack that creates a two-way infection capable of contaminating any additional USBs that come into contact with infected PCs. So dangerous is this possibility of this type of attack creating an USB-carried malware epidemic, that even Caudil and Wilson are hesitant in releasing this code.
Nut-job Conspiracy Theory Ping!
To get onto The Nut-job Conspiracy Theory Ping List you must threaten to report me to the Mods if I don't add you to the list...
Sounds like an easy fix to preclude this would be a service that checks for tampering in this area. There are several publishers of security tools with apps in this area that I would think could be extended a bit to cover this vulnerability. For that matter so could Microsoft.
“Next time you find a foreign USB lying around, think twice before plugging it into your computer.”
Really? Even if it’s labelled “Durty Pichers”?
This isn’t new (maybe to these “researchers”). There have been news articles floating around for a couple years about government spy agencies doing this, tinkering with the electronic guts of attachable devices including USB sticks, so that they can do malware attacks. One even detailed how a modified USB stick included a radio transmission of stolen data that would be transmitted without detection of the user. Not likely that most people would ever run across any modified USB sticks, unless a government agency is out to get you.
There are lots of governments out there.
Chinese appliances are shipping with malware-distributing WiFi chips
I would imagine that more than a few Chinese USB chips have embedded malware as well.
The microcontrollers that power USB Thumb Drives and SD cards are typically 32bit ARM cores running at 100mhz. This is quite a powerful computer. They cost about a quarter each when bought in huge quantities. The power is needed since the flash memory is littered with defects...it’s a buggy technology. The ARM chip juggles the bad bits and tests good bits to ensure they are not failing...and all this while handling all the data transfers and ensuring that usage of the flash bytes are leveled out since flash can only be written so many times before it fails.
The 32 bit ARM cores in these cheap devices are each more powerful than all the mainframe IBM System 360 computers that were used to handle the Apollo Moon shots..combined!
Or put another way, each of those ARM cores is more powerful than a couple hundred of the 6510 processors that powered the legendary Commodore 64 :-)
You can modify the program code (firmware) that the ARM processor in a flash drive runs.... just imagine the mischief that can be done. You can also modify the firmware of the processor in a HD, a USB hub, a WiFi router, A mouse, A keyboard..etc etc
_____________________________________
The original IBM 360 was capable of only 34,500 instructions per second! lol
Later models got up to around 16 million instructions per second and that is still a long way from the power of the little 25 cent 32 bit ARM in an SD card running at 100mhz.
I use small and cheap processors called SoCs (System on a Chip) that are so powerful that they dwarf the power of the first few generations of Cray super computers. These powerful chips typically have 2 or 4 ARM cores running at 1Ghz or more and several other processors as well as a powerful GPU (graphics processor) and typically have 256MB to 1GB of ram integrated into the tiny package. The firmware can be tampered with on these mighty little beasts as well...and they are so complicated that it’s nearly impossible to figure out if the things are not compromised on a hardware level to be insecure on purpose. THIS is what powers your smart phones and tablets....hmmm
These tiny surface mount parts are called oscillators, they take the place of crystals in electronic circuits since they are smaller and more reliable. They are in effect tiny transmitters that can be switched on/off easily by a microcontroller. If you add one of these to a USB thumb drive and modify the firmware to send out data using on/off pulses you have created a thumb drive that can transmit data to a nearby eavesdropper. This is an easy thing to do.
I used a sm oscillator a while back to make a Morse code contact on the 10 meter ham band at greater than 600 miles. It required very slow Morse that had to be deciphered by a computer at the receiving end as the signal was beneath the noise floor. The oscillator was connected directly to an excellent antenna (no feedline loss) and was keyed by an ATtiny85 microcontroller in exactly the same way the ARM in a thumb drive would do it..
The typical reception distance you could expect from a modified thumb drive with an oscillator inside would be a couple of blocks or perhaps a few miles to a high gain antenna at a line-of-sight location. It needs to be said that the sub-milliwatt power from such an oscillator operating at 100mhz or higher could be picked up by one of the very large NRO satellites (greater than 85db total gain) in geo orbit above the Earth...something to ponder.
Advancing technology will take care of that. A lot of those older USBs will be discarded as obsolete. A fews years ago I paid $20 for a 1-gig stick, now 64-gigs are in the $25 range - and 128-gig versions are coming on line. My older, smaller capacity USBs are just gathering dust in a drawer - they are useless now now, but I hate to throw 'em out. Hell, I still have some 3 1/2" floppies. :-)
Another article with similar concerns was referenced here a few months ago, FYI:
http://freerepublic.com/focus/f-chat/3187364/posts
Heheh. Onto the watch list for you...
hmmmm another bit of information that makes the Snowden incident all the more intriquing
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.