Security

Why your USB flash drive is ripe for a hack attack

Above: Black Hat logo

Image Credit: Dean Takahashi

The next thing we need to start worrying about is hackers targeting USB devices.

That’s the doomsday scenario that German cybersecurity researchers Jakob Nohl and Karsten Lell from the Berlin-based SR Labs presented last week at the Black Hat security conference in Las Vegas. The duo said trojan malware posed a threat to mouses, keyboards, and flash drives in their talk, “Bad USB — On Accessories that Turn Evil.”

Their argument was that all of these devices are susceptible to malware and other forms of viral bugs, with an eye to data-siphoning and wreaking havoc. More specifically, they warned about the security issues with the tiny chips used to give command and control directives to the operating systems that power the devices, which they say makes them vulnerable.

The big problem, if it can be called that, is a topic now on the minds of cybersecurity experts wordwide, the two men said.

“The sky is the limit what a hacker can do,” Lell told an assembled crowd of about 500 people at a conference room at the Mandalay Bay.

The good news for hackers is that USB thumb drives don’t have unique identifiers, unlike laptops and mobile devices.

The German security duo said they had recently reversed and patched USB firmware in less than two months. Their research illustrated a host of vulnerabilities, they said. For starters, they pointed to keyboards.

“Keyboard emulation, for example, is enough for infection and privilege escalation without the need for seeing software vulnerabilities. This provides malicious potential,” Lell said. According to their blog post:

“USB devices are connected to — and in many cases even built into — virtually all computers. The interface standard conquered the world over the past two decades thanks to its versatility: Almost any computer peripheral, from storage and input gadgets to health care devices, can connect over the ubiquitous technology.

And many more device classes connect over USB to charge their batteries. This versatility is also USB’s Achilles’ heel: Since different device classes can plug into the same connectors, one type of device can turn into a more capable or malicious type without the user noticing.”

Lell said the situation transcends just having your USB thumb drive while ported into your desktop or laptop being infected. The family of potential USB attack threats is flexible, Lell said, and their research indicated that the Android operating system is the most vulnerable.

“This is not just a situation where somebody gives you a USB peripheral” that is bugged, Lell said.

The researchers said Android comes with an ethernet-over-USB connection that needs very little configuration, thus presenting hackers with even more avenues to potentially exploit. The family of possible attacks, according to SR Labs, is what they called keyboard emulation, network card spoofing, and USB boot sector viruses.

And they have more bad news. The two researchers posited that if your USB thumb drive or keyboard is infected, there is, at this point, “no clear path to disinfecting them. So, how do you recover from a virus infection? It won’t be resolved with a software patch,” Nohl said.

Their research into the nascent topic included writing and inserting virulent code directly to the control chips used in devices like tablets and smartphones. First, the researchers infected controller chips made by Phison Electronics, a Taiwanese firm. The infected chips were then slotted into USB memory drives running Google’s Android operating system.

SR Labs’ theory was tested by infecting controller chips made by the large Taiwanese manufacturer Phison Electronics Corp. The chips were then placed in USB memory drives and smartphones that run Google Inc’s Android operating system.

Alas, one of SR Labs main conclusions was to, quite simply, avoid unknown USB sticks.

2 comments
Aad Dekker
Aad Dekker

Yep, is ook een variant op bijvoorbeeld "The Evil Mouse" waar onze vrienden van KPMG al een poos voor waarschuwen.

Michel de Goede
Michel de Goede

Aad Dekker, gelukkig hadden we deze al lang in 't snotje :-)