Last summer’s Black Hat presentation on “Badusb” by Karsten Nohl alerted the world to the possibility that malware could be spread undetectably by exploiting the reprogrammable firmware in USB devices — now, a second set of researchers have released the code to let anyone try it out for themselves.
Nohl didn’t publish the source for his Badusb exploit, explaining that he wanted to give vendors time to attempt to remediate the problem. But Adam Caudill and Brandon Wilson have presented their own version of Badusb at Derbycon in Louisville, KY, and simultaneously released the code on Github, saying that they’ve lost patience and faith with the vendors and want to get the source out there so that the community can get to work on patching.
I had an alarming conversation this summer with a person whom I trust who has worked at a very high level in the US intelligence complex, and he asserted that “most” Chinese USB devices were already infected with some variant of Badusb, and had been for some time. He said that the spooks he worked with would only trust USB thumb-drives from one vendor, a US-based firm that had been vetted by American spies.
I don’t know what to make of this claim. If true, then most computers in the world would already be infected and would be routinely transmitting keylogger files and other sensitive material to the malware’s control servers; if so, you’d expect that intrusion detection systems and network monitors would be constantly going crazy as every workstation in every enterprise tried to exfiltrate its payloads. The process might be very stealthy indeed, but it’s hard to understand how a pandemic of this scale would go undetected for years.
However, with Caudill and Wilson’s work in the wild, we may see updates to the malware- and network-scanning tools, and perhaps discover whether my informant was correct.
Like Nohl, Caudill and Wilson reverse engineered the firmware of USB microcontrollers sold by the Taiwanese firm Phison, one of the world’s top USB makers. Then they reprogrammed that firmware to perform disturbing attacks: In one case, they showed that the infected USB can impersonate a keyboard to type any keystrokes the attacker chooses on the victim’s machine. Because it affects the firmware of the USB’s microcontroller, that attack program would be stored in the rewritable code that controls the USB’s basic functions, not in its flash memory—even deleting the entire contents of its storage wouldn’t catch the malware. Other firmware tricks demonstrated by Caudill and Wilson would hide files in that invisible portion of the code, or silently disable a USB’s security feature that password-protects a certain portion of its memory.
“People look at these things and see them as nothing more than storage devices,” says Caudill. “They don’t realize there’s a reprogrammable computer in their hands.”
The Unpatchable Malware That Infects USBs Is Now on the Loose [Andy Greenberg/Wired]
(Images: Macro USB, Paul, CC-BY; Evil monkey from the movie about the evil monkey that eats people, Jason Scragz, CC-BY)