Researcher develops BadUSB code to compromise USB sticks - and their computer hosts

Karsten Nohl also reveals how an enhanced security approach can beat his USB architecture compromise.


The humble USB stick - developed jointly by Israel's M-Systems and IBM at the turn of the century - has been shown to be subject to firmware abuse by Karsten Nohl, the chief scientist with Berlin's SR Labs, who says that attackers can easily load malicious software onto the controller chips found on modern low-cost sticks.

Originally known as a DiskOnKey, the Universal Serial Bus (USB) stick has evolved considerably over the years, mainly with the addition of on-device controller chipsets to speed up the rate at which data can be written to, and read from, the flash memory held on the unit.

With the assistance of fellow researcher Jakob Lell, Nohl claims to have reverse-engineered the firmware that controls the basic communication functions of the USB stick.

Nohl is well known in research circles for having reverse engineered, and exposed weaknesses in, the GSM and 3G encryption technologies used by most of the world's mobile phone operators. In recent years, he has refined his research to the point where - using a handset and some simple electronics - he can intercept and eavesdrop on cellular traffic for an entire GSM base station.

Now Nohl has turned his attention to the USB standard itself, developing a proof-of-concept (PoC) called BadUSB that is loaded into the controller firmware of a USB stick. When the unit is plugged into a host system, the reprogrammed stick can present itself to the host as a different class of device - a keyboard, for instance - and issue commands as though the user had typed them, which is enough to fetch malware over the Internet and hand control of the computer to a remote attacker.

Whilst security purists may dismiss Nohl and Lell's research - which will be fully revealed at next week's Black Hat event in Las Vegas - on the basis that it requires physical access to the computer, the reality is that researchers have shown many times that leaving 'spare' high-capacity USB sticks in cafes and even in car parks leads curious users to plug them into a computer in the office to discover the content and re-use the stick for their own purposes.

In an interview with Wired magazine, which broke the story earlier today, Nohl says that the bad news is that it is all but impossible to detect whether a USB stick has been compromised, mainly because the attack exploits the very way that USB is designed: the host trusts whatever a device declares itself to be.

Commenting on the emerging story, Fran Howarth, a senior analyst with Bloor Research, said that the researchers' findings are potentially serious.

"Given the importance of USB sticks given their convenience and portability, this is indeed something that should be taken seriously," she said, adding that the researchers appear not only to have discovered the problem, but also to be preparing to explain how it can be fixed and how that fix should be carried out.

"That could improve the security of the next generation of USBs, but could still leave a gaping hole that could be exploited in USBs that are already in existence, especially since the flaw is apparently in the firmware and cannot be patched," she explained.

David Robinson, lead consultant with Context Information Security, said that, although the full details of this attack have not been released yet, from what has been released so far, it appears that this has the potential to have a significant security impact.

“If it turns out to be a viable attack, we may see an influx of malware which utilises this attack vector, along with its use in targeted attacks against individuals, businesses and national infrastructure - possibly in a similar way to Stuxnet, which also used USB as an attack vector,” he explained.

Robinson went on to say that, as it is the firmware of the USB controllers within target devices, such as computers and smartphones, that is compromised, it is going to be more difficult to detect, as this malicious code is not likely to be seen by the operating system or security software that the targeted device is running.

The uptake of BYOD and staff using company machines to charge mobile phones via USB, he says, are likely to increase the risk of being targeted by this attack.

“Vulnerabilities like this strengthen the already strong case for restricting the use of USB devices within business environments; either by allowing only trusted USB devices or, at least for now, removing support for them completely,” he said.
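To make concrete both Nohl's point that the host cannot easily tell a reprogrammed stick from a genuine one and Robinson's recommendation of "allowing only trusted USB devices", the following is an added example, not code from the article, from Nohl and Lell, or from any vendor. It models a host-side USB allowlist in the style of tools such as USBGuard, comparing a rule that trusts a device by VID/PID/serial alone with one that also constrains the interface classes the device presents. Every device record is constructed for illustration; the vendor and product IDs are placeholders, not real assignments, and the interface class codes are the standard USB-IF values.

```python
"""
Added example (not from the article, Nohl/Lell, or any vendor): a host-side
USB allowlist of the kind the article's sources recommend, comparing a
VID/PID/serial-only rule with one that also constrains interface classes.
All device records are constructed for illustration; the vendor/product IDs
are placeholders, not real assignments.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Standard bInterfaceClass codes defined by the USB-IF.
CLASS_COMM = 0x02          # Communications (e.g. CDC Ethernet control)
CLASS_HID = 0x03           # Human Interface Device (keyboard, mouse)
CLASS_MASS_STORAGE = 0x08  # Mass storage (what a plain stick exposes)
CLASS_CDC_DATA = 0x0A      # CDC data interface (network adapter payload)

# (bInterfaceClass, bInterfaceSubClass, bInterfaceProtocol) triples.
IFACE_BULK_ONLY_SCSI = (CLASS_MASS_STORAGE, 0x06, 0x50)  # SCSI transparent, bulk-only
IFACE_BOOT_KEYBOARD = (CLASS_HID, 0x01, 0x01)            # HID boot-protocol keyboard
IFACE_CDC_ETHERNET = (CLASS_COMM, 0x06, 0x00)            # CDC Ethernet control model
IFACE_CDC_DATA = (CLASS_CDC_DATA, 0x00, 0x00)

Interface = Tuple[int, int, int]


@dataclass(frozen=True)
class UsbDevice:
    name: str                 # label for the constructed sample, not a USB field
    vid: int
    pid: int
    serial: str
    interfaces: Tuple[Interface, ...]


@dataclass(frozen=True)
class Policy:
    # Identities the organisation has registered as trusted sticks.
    allowed_ids: Set[Tuple[int, int, str]]
    # Interface classes a trusted stick is permitted to expose to the host.
    allowed_classes: Set[int]


def id_only_decision(dev: UsbDevice, policy: Policy) -> bool:
    """Naive allowlist: trust the device if VID/PID/serial are registered.
    Reflashed firmware normally keeps these fields, so this passes a
    reprogrammed stick that has grown an extra interface."""
    return (dev.vid, dev.pid, dev.serial) in policy.allowed_ids


def interface_aware_decision(dev: UsbDevice, policy: Policy) -> Tuple[bool, str]:
    """Identity must be registered AND every interface class the device
    presents must be one the policy allows for that kind of device."""
    if (dev.vid, dev.pid, dev.serial) not in policy.allowed_ids:
        return False, "unknown device identity"
    presented = {cls for cls, _sub, _proto in dev.interfaces}
    unexpected = sorted(presented - policy.allowed_classes)
    if unexpected:
        return False, "unexpected interface class(es): " + ", ".join(f"0x{c:02x}" for c in unexpected)
    return True, "ok"


def audit(devices: List[UsbDevice], policy: Policy) -> Dict[str, Tuple[bool, bool]]:
    """Return {name: (id_only_allowed, interface_aware_allowed)} for a device list."""
    return {d.name: (id_only_decision(d, policy), interface_aware_decision(d, policy)[0])
            for d in devices}


# Constructed samples.  The identity is identical on the first three: only the
# descriptors the (re)programmed controller chooses to present differ.
GENUINE_STICK = UsbDevice("genuine stick", 0x1234, 0x5678, "SN0001",
                          (IFACE_BULK_ONLY_SCSI,))
KEYBOARD_STICK = UsbDevice("stick + hidden keyboard", 0x1234, 0x5678, "SN0001",
                           (IFACE_BULK_ONLY_SCSI, IFACE_BOOT_KEYBOARD))
NETWORK_STICK = UsbDevice("stick + network adapter", 0x1234, 0x5678, "SN0001",
                          (IFACE_BULK_ONLY_SCSI, IFACE_CDC_ETHERNET, IFACE_CDC_DATA))
UNKNOWN_STICK = UsbDevice("unregistered stick", 0x1234, 0x9999, "SN0002",
                          (IFACE_BULK_ONLY_SCSI,))

POLICY = Policy(allowed_ids={(0x1234, 0x5678, "SN0001")},
                allowed_classes={CLASS_MASS_STORAGE})

if __name__ == "__main__":
    samples = [GENUINE_STICK, KEYBOARD_STICK, NETWORK_STICK, UNKNOWN_STICK]
    for name, (naive, strict) in audit(samples, POLICY).items():
        print(f"{name:26s} id-only: {'allow' if naive else 'block':5s} "
              f"interface-aware: {'allow' if strict else 'block'}")
```

The identity-only rule allows all three sticks that share the registered VID/PID/serial, including the two whose firmware now also presents a keyboard or a network adapter; the interface-aware rule blocks those two while still admitting the genuine stick. The caveat Nohl is pointing to still applies: a reprogrammed controller can just as easily present itself as an entirely different, already-trusted device (say, the allowlisted keyboard) rather than adding an interface to its own identity, and the host has no way to verify any of what the device declares. Descriptor-based policy therefore shrinks the attack surface and catches the obvious cases; it is not a detection mechanism for compromised firmware.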

“It also suggests that the security of the firmware embedded in components within our devices needs to be better scrutinised, to prevent this type of attack from happening and to allow ways for any compromise to be detected,” he added.