The real danger of BadUSB

The last BlackHat USA conference presented a hack technique, BadUSB, that has recently gained much attention. Although not completely new, it does pose serious security vulnerability to  USB devices.

A BadUSB attack basically involves reprogramming a normal USB device (usually a pen drive based on a reprogrammable microcontroller with a well-known architecture) to act maliciously.

As pointed out in the BlackHat talk, using USB devices for malicious activities was already a widely-known technique. Examples include:

  1. Virtual CD-ROM Attacks through AutoRun using a U3 USB flash drive.
  2. Malicious keyboard attacks using Rubber Ducky or Teensy.

The creators of BadUSB also propose other interesting tactics. For instance, configuring a USB device to spoof an Ethernet network card and through the DHCP assign a new gateway or a new DNS server that can then intercept traffic.

All of these attacks pose a risk to your computer. But there are a number of security measures to prevent these threats.

The act of reprogramming a USB device to behave maliciously isn’t new either. In 2013 a technique was presented for reprogramming Webcam firmware to disable the LED that shows that the camera is capturing pictures . The same paper mentions the possibility of using this firmware update to perform other malicious tasks.

But extending this technique to any USB device with updatable firmware is what makes this idea dangerous.

And what makes a BadUSB attack truly frightening is the possibility of combining these techniques and reprogramming several legitimate and apparently innocuous USB devices to create a combined attack.

These attacks also carry a series of difficulties when it comes to detection:

  1. Infection is more difficult to detect since the modified device is external to the main system.
  2. Some USB devices are portable and can therefore easily be used to spread infection.
  3. The infection remains even if the hard drive is formatted or the CPU is changed.

Some USB devices are internal (for example, the majority of webcams, SD card readers, smartcard readers, biometrics in new laptops), which makes it easier for hackers to maintain the infection.

By combining this technique with other types of devices we can find serious cyber-attack scenarios. An example is using a USB stick as the initial attack vector and a device that is permanently connected to the computer (such as a webcam or printer) as a persistent infection vector. For example: making the device detect when the computer is booting, becoming a bootable pen drive that loads a modified version of the operating system.

They could even be made to work in anti-forensic mode. The microcontroller can allow the device to function in its original state or erase itself after infecting the system.

It is likely that we’ll shortly see real cases of the combined use of several infected devices of this type functioning as implanted devices like the ones listed in the NSA’s ANT catalog.

Ramón Pinuaga
S21sec assessment

Deja un comentario