Tuesday, October 07, 2014

BadUSB – it’s a real threat and not easily fixable;


On Saturday I was sent a news article about “An unfixable USB bug could lead to unstoppable malware

Yesterday the BBC published a story about the same topic, and via a FreeBSD mailing list thread, I found this BlackHat 2014 video from August.

Plus a github repository with code to test the exploit and here is the website for the folks in the video, in case you were curious.

Basically, the take away is two-fold, don’t trust any USB devices that aren’t yours (don’t accepts gifts/swag/freebies) and aside from disabling the physical USB ports on PCs/Servers there isn’t much at the moment you can do to prevent an exploited USB device from doing potential harm to your systems.

On Windows, USB ports can be disabled via Group Policy, Registry hacks, 3rd party software and of course within the BIOS/UEFI.  Non Windows systems have similar abilities to disable USB ports.

That’s right, for those who didn’t check out the links above this exploit is not OS dependent and relies only on a USB port being available on a device.

It’s also not limited to flash drives, even smart phones and other USB peripherals can be exploited, perhaps it is time to wish that your PC/Server still had a PS/2 port…

Not that I am endorsing them in any way, but IronKey claims their USB devices aren’t vulnerable because they sign their firmware as does Kanguru.
This is also the recommendation made by the researchers who discovered the flaw and presented their findings in the above video.

So, basically until all USB device vendors decide to sign their firmware and only allow their hardware to accept their signed firmware this exploit will be in the wild.

The downside is all devices created before USB device vendors decide to sign their firmware will likely continue to remain exploitable, but on the plus side(?) USB device vendors will get richer!

My guess is within 1 to 2 years some of the more mainstream USB vendors will begin signing their firmware, but it will probably be a few years after that before most are signed by default.