BadUSB Security Flaw and What It Means

You might have heard the term BadUSB in the news sometime during the last couple of months, but it’s still not widely known. We first saw the presentation of the security flaw by Karsten Nohl during the Black Hat conference this year. While scary, it didn’t have the big impact they had hoped. Nohl decided to not release the code or anything specific on how it worked in the interest of safety. The intention behind that was to give the industry time to come up with a fix before the flaw would be widely abused by criminals.

When such a secret is known to exist, one that can have such severe consequences, people will investigate and reverse engineer it. And that is just what has happened. Two people took it upon themselves to find out just how easy this was to do and how much you actually can do with it. Security researchers Adam Caudil and Brandon Wilson presented their findings at the recent DerbyCon conference in Louisville, Kentucky.

So what is BadUSB actually. It is a dangerous USB security flaw that allows an attacker to turn a simple device such as a cheap of the shelve USB stick into almost anything. Mentioned functions are network controllers and keyboards among others. This wouldn’t just allow an attacker direct access to your system, but in theory your entire network including out of the house connections.

The really bad part about this, and the reason why Nohl didn’t release his findings to the public, these problems can’t be patched. This is a flaw and not an exploit and it works by using the very way USB is designed, to be a universal connection for anything. Since there had been complete silence from the industry about the issue since Nohl presented his findings, Caudil and Wilson decided to make everything publicly available via GitHUB. So the code is out there now, for everyone to study and use/abuse.

During the DerbyCon presentation the two showcased how they could turn a USB stick into an automated keyboard, sending keystrokes to the system as soon as it is connected. They could also completely hide partitions on the drive and turn the password protections into nothing more than a facade.

The first demonstration showcased the programmable keyboard, basically just rubber ducking. When the hacked USB thumb drive is put into their laptop, it launches a notepad and starts to send characters. In the demo it is Bart Simpson that reminds you to lock your computer when you leave your workstation.

In the second demonstration they showed how data can be hidden on the device. When the drive is plugged in you see the normal active partition with its files and folders. You can format the drive, look at it with forensic tools or whatever you can throw at it. It will not reveal anything more. That is until you eject the drive, and only then. A few seconds after you eject the drive it will come back with the second and completely hidden partition. Eject or unplug the drive again and it turns back to the public partition. This is a very effective way to hide and protect files.

The final demonstration showcases the mode 7 exploit for thumb drives, well it should have. They were pressed for time and the demo failed. Most people only know and use mode 3 that gives you a single normal partition. Mode 7 on the other hand provides you with a public and a secure partition which is protected by a user-set password. While the demonstration failed, we still got an explanation on how it works. You can turn this protection into nothing more than a facade by modifying a few bytes of the drives firmware. It will then allow you to unlock it with any eight characters you give it.

There is no defence against this, but it is possible to detect it. So you can sit and watch it happen or panic and unplug the drive. Windows can detect when a device disappears and comes back as something completely different. This doesn’t effect all demonstrations though, as the programmable keyboard doesn’t show up as HID device but only as composite storage device. So effectively there is no defence. Basically you’re dealing with a tiny computer that has full control over what happens on your USB port. It can lie to you, tell you whatever it wants and do whatever it wants.

The only way block this is by inventing a new USB standard, one that has at least some form security and validation built-in. We have to keep in mind that the thumb drives used are over the counter drives that cost about £6.00. Cheap enough to buy a bunch and just drop them around the city and public transportation; see what happens. Just wait, someone is sure to pick it up and take it home. Strategic drops could also make this an effective way of penetrating otherwise secure systems.

There are a few basic steps you can take to decrease the chance of something like this happening to you:

• Don’t pick up thumb drives you find. If you want to be nice you should actually pick it up, but throw it in the nearest trashcan.
• Only buy sticks from well-known brands and vendors. Don’t be tempted by cheap knock-off brands
• Don’t lend out your sticks to people you don’t fully trust and don’t use foreign sticks in your systems from people you don’t trust. Preferable don’t even use them if you trust people. They might not know the drive is “bad”.
• Keep your security software updated. While it might not be able to detect the flaw, it will at the very least be able to catch malware being installed.

Thank you Adrian Crenshaw providing us with these information