InterviewSolution
| 1. |
Solve : BadUSB? |
|
Answer» First read this article in Time magazine at work yesterday. Decided to share it for anyone who hasn't heard of this potential problem.

Now, white-hat hackers have devised a feat even more seminal—an exploit that transforms keyboards, Web cams, and other types of USB-connected devices into highly programmable attack platforms that can't be detected by today's defenses.

The 'white-hats' are the ones warning us. The 'black-hats' never tell until it is too late! Read the article!

Such firmware infections would need to have knowledge of the specific device layout, and would only work if the EEPROM holding the firmware had traces going to the pins controlling write-back (most don't). It would need to be specially crafted for each model of flash drive or device, and not many infection items would fit; so a real "deployment" in a USB flash drive that has been infected would be able to only flash certain specific devices. And when it comes to keyboards it would, again, rely on the specific model. If we assume that keyboard firmware is even flashable (usually they are on EPROMs, not EEPROMs, and there is still the issue of the pins regarding being writable being set (or unset) as well as being somehow triggerable via sending data through the standard Mass Storage interface).

From the sounds of it the actual infection of miscellaneous USB devices would require good knowledge of the internals of that device as well as the ability to explicitly control the voltages and data being sent through USB. It would rely on such devices supporting commands that allow the firmware of the device to be flashed, as well as the device itself having firmware to begin with. The ability for an infected USB device to emulate a keyboard would definitely act as an infection vector. It does raise some questions as to the usefulness of it as a way of actually taking over the machine.

Considering the myriad of different software configurations even a few short keystrokes could do completely different things. It is most likely that such a device would assume Windows and use key scan codes such as Windows Key+R, cmd.exe, Enter, and then enter commands to do... well, stuff, I guess. Windows doesn't include a way to download files from http via command prompt so that couldn't be relied on as a way of infecting the system. And systems use different browsers as well so even that angle wouldn't be particularly trustworthy. It is currently a proof of concept and none of the technical details make it viable as an "in the wild" infection, but rather something more like penetration testing or targeted hacking of a company or other entity via local access.

Good observations, BC_Programmer. The article is about the Black Hat security conference in Las Vegas. Here are some recent links from major sources:

http://securitywatch.pcmag.com/hacking/326568-hackers-were-busy-at-black-hat
http://www.nbcchicago.com/investigations/Inside-Defcon-What-Happens-at-the-Annual-Hacker-Convention-271436421.html

If what they say is true, there will be more news later. Otherwise it could be a play to get us to invest in more security stuff. |
|
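A defender-side check for the keyboard-emulation scenario discussed in the thread, as an added example that is not part of any post: it walks a raw USB configuration descriptor and flags a device expected to be storage that also enumerates a HID interface. The sample descriptors, the `sold_as` label and all function names are constructed for illustration.

```python
import struct

DT_CONFIG, DT_INTERFACE, DT_ENDPOINT = 0x02, 0x04, 0x05  # bDescriptorType values
CLASS_HID, CLASS_MASS_STORAGE = 0x03, 0x08               # bInterfaceClass values
PROTO_KEYBOARD = 0x01                                    # HID boot keyboard protocol

def parse_interfaces(config: bytes):
    """Walk a raw configuration descriptor; return (class, subclass, protocol) per interface."""
    found, i = [], 0
    while i < len(config):
        length = config[i]
        if length < 2 or i + length > len(config):
            raise ValueError(f"malformed descriptor at offset {i}")
        if config[i + 1] == DT_INTERFACE:
            if length < 9:
                raise ValueError(f"short interface descriptor at offset {i}")
            found.append(tuple(config[i + 5:i + 8]))
        i += length
    return found

def review(config: bytes, sold_as: str):
    """Compare what the device enumerates as with what it is expected to be (operator-supplied)."""
    hid = [f for f in parse_interfaces(config) if f[0] == CLASS_HID]
    findings = []
    if hid and sold_as == "storage":
        findings.append("storage device also exposes a HID interface")
    # Protocol 0x01 only marks boot keyboards; other HID devices declare keys in the report descriptor.
    if any(f[2] == PROTO_KEYBOARD for f in hid) and sold_as != "keyboard":
        findings.append("unexpected keyboard interface")
    return findings

# Helpers that build constructed sample descriptors (not captured from real hardware).
def make_iface(num, cls, sub, proto, n_ep):
    return bytes([9, DT_INTERFACE, num, 0, n_ep, cls, sub, proto, 0])

def make_ep(addr, attrs):
    return bytes([7, DT_ENDPOINT, addr, attrs, 64, 0, 10])

def make_config(*ifaces):
    body = b"".join(ifaces)
    return struct.pack("<BBHBBBBB", 9, DT_CONFIG, 9 + len(body), len(ifaces), 1, 0, 0x80, 50) + body

MSC = make_iface(0, CLASS_MASS_STORAGE, 0x06, 0x50, 2) + make_ep(0x81, 2) + make_ep(0x02, 2)
PLAIN_STICK = make_config(MSC)
SUSPECT_STICK = make_config(MSC, make_iface(1, CLASS_HID, 0x01, PROTO_KEYBOARD, 1) + make_ep(0x83, 3))

if __name__ == "__main__":
    for name, cfg in (("plain", PLAIN_STICK), ("suspect", SUSPECT_STICK)):
        print(name, review(cfg, sold_as="storage") or "ok")
```
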