
BadUSB: Researchers release tools into the wild



Posted

Do you vet everything you plug into a USB drive?

Do you know where all your USB drives have been?

Tools for creating malicious USB thumb drives released by security researchers

The tools can be used to modify the firmware on USB flash drives in order to infect computers with malware
By Lucian Constantin, IDG News Service | Endpoint Security

October 03, 2014, 10:55 AM

In a gambit aimed at driving manufacturers to beef up protections for USB flash drive firmware, two security researchers have released a collection of tools that can be used to turn those drives into silent malware installers.

The code release by researchers Adam Caudill and Brandon Wilson comes two months after researchers from Berlin-based Security Research Labs (SRLabs) demonstrated an attack dubbed BadUSB at the Black Hat security conference in Las Vegas.

The BadUSB attack showed how a USB thumb drive connected to a computer can automatically switch its profile to a keyboard -- and send keystrokes to download and install malware -- or emulate the profile of a network controller to hijack DNS settings.

The attack requires modifying the firmware on the USB controller, which can easily be done from inside the OS, the SRLabs researchers said at the time. However, they didn't release any tools or details on how to do it, because the vulnerability doesn't have an easy fix, they said.

This prompted Caudill and Wilson to replicate the attack in order to better understand how it works and the security risks it poses to computer users. They presented their findings last Friday at the Derbycon security conference in Louisville, Kentucky, but unlike the SRLabs researchers they actually released the tools they used, complete with firmware patches, payloads and documentation.

During their Derbycon demonstration, which is available on YouTube, the two researchers replicated the emulated keyboard attack, but also showed how to create a hidden partition on thumb drives to defeat forensic tools and how to bypass the password for protected partitions on some USB drives that provide such a feature.

The published tools were designed to work with thumb drives that use a USB controller called Phison 2251-03. However, they can easily be adapted to work for other controllers designed by Phison Electronics, a Taiwanese electronics company, the researchers said during their presentation. Phison controllers are found in a very large number of USB thumb drives available on the market.

"We really hope that releasing this will push device manufacturers to insist on signed firmware updates, and that Phison will add support for signed updates to all of the controllers it sells," Caudill said in a blog post. "Phison isn't the only player here, though they are the most common -- I'd love to see them take the lead in improving security for these devices."

The presentation from Black Hat:

https://www.youtube.com/watch?v=nuruzFqMgIw

And from DerbyCon:

https://www.youtube.com/watch?v=xcsxeJz3blI

Posted

There was a lot of discussion on this forum four or five years ago along the same lines. There was a lot of suspicion among both Westerners and Thais about the integrity of memory devices being sold in Pantip and other IT malls; not just counterfeit devices but ones with malware installed as well.

As I recall, nobody with definitive proof ever contributed to the discussion, but I think more than a few members of the forum, including myself, became more selective when buying flash memory... most of the time.

Always hard to pass up a "bargain."

Posted

I was watching this PBS documentary today, and one security researcher was hired by the government to test their defences.

Leaving USB drives lying around with company logos on them to make them look authentic got 70%+ of the finders plugging them into their company PCs.

A CD with "company payroll and benefits" scrawled on it with a pen was near 100%.
