If you’ve ever needed an example of why you should not plug random USB peripherals into your computer, you need only look at BadUSB. The BadUSB attack relies on the fact that the microcontroller inside every USB device is a black box. If you plug a USB thumb drive into your computer, the microcontroller could quickly set up an additional network interface, forward all your traffic to the attacker’s server, and still keep serving up all those files and documents on the drive. Do you want a thumb drive that attaches a virus to every file? Bad USB can do that.
Until now, there is no cure or fix for a device using an implementation of BadUSB. [Robert Fisk] just came up with the first prophylactic USB device, designed to keep BadUSB off your computer. He’s calling it USG, and it’s basically a hardware firewall for USB devices.
The basic design of the system goes something like this: take an ARM microcontroller with a USB host port, take another microcontroller with a USB device port, and have these devices talk to each other over SPI. The command protocol between these two microcontrollers is very simple, and thus decreases the attack surface.
[Robert] is building USG dongles, but in the spirit of Open Hardware and verifiable hardware, he’s also released a design based on two dev boards wired together. This DIY version is basically two STM32F4 dev boards smashed together with bodge wires. The total cost – less solder and a JTAG programmer – is about $50 USD. No, it doesn’t look as pretty as [Robert]’s commercial version of USG, but it does the same job of keeping your computer safe from BadUSB devices.
One morning, a balaclava-wearing hacker walks into your office. You assume it’s a coworker, because he’s wearing a balaclava. The hacker sticks a USB drive into a computer in the cube next door. Strange command line tools show up on the screen. Minutes later, your entire company is compromised. The rogue makes a quick retreat carrying a thumb drive in hand.
This is the scenario imagined by purveyors of balaclavas and USB Rubber Duckys, tiny USB devices able to inject code, run programs, and extract data from any system. The best way — and the most common — to prevent this sort of attack is by filling the USB ports with epoxy. [pmsosa] thought there should be a software method of defense against these Rubber Duckys, so he’s created Duckhunter, a small, efficient daemon that can catch and prevent these exploits.
The Rubber Ducky attack is simply opening up a command line and spewing an attack from an emulated USB HID keyboard. If the attacker can’t open up cmd or PowerShell, the attack breaks. That’s simple enough to code, but [pmsosa] has a few more tricks up his sleeve. Duckhunter has a ‘sneaky’ countermeasure feature, where one out of every 5-7 keystrokes is blocked. To the attacker, the ‘sneaky’ countermeasure makes it look like the attack worked, where in fact it failed spectacularly.
There are a number of different attacks similar to what the Rubber Ducky can accomplish. Mousejack performs the same attack over Bluetooth. BadUSB is a little more technical, allowing anyone with access to a device’s firmware to turn your own keyboard against you. Because of the nature of the attack, Duckhunter shuts them all down.
Right now the build is only for Windows, but according to [pmsosa]’s GitHub there will be Linux and OS X versions coming.
USB has become pretty “universal” nowadays, handling everything from high-speed data transfer to charging phones. There are even USB-powered lava lamps. This ubiquity doesn’t come without some costs, though. There have been many attacks on smartphones and computers which exploit the fact that USB is found pretty much everywhere, and if you want to avoid these attacks you can either give up using USB or do what [Jason] did and block the data lines on the USB port.
USB typically uses four wires: two for power and two for data. If you simply disconnect the data lines, though, the peripheral can’t negotiate with the host for more power and will limp along at 0.5 watts. However, [Jason] discovered that this negotiation takes place at a much lower data rate than normal data transfer, and was able to put a type of filter in between the host and the peripheral. The filter allows the low-frequency data transfer pass through but when a high-frequency data transfer occurs the filter blocks the communication.
[Jason] now has a device that can allow his peripherals to charge at the increased rate without having to worry about untrusted USB ports (at an airport or coffee shop, for example). This simple device could stop things like BadUSB from doing their dirty work, although whether or not it could stop something this nasty is still up in the air.
Does anyone else get the feeling that the frequency of rather horrible vulnerabilities coming to light is accelerating? Off the top of our head, there’s Heartbleed, Shellshock, and now this one. The BadUSB exploit attack stems from the “invisible” microcontroller in most USB devices.
We first heard about it when we were attending DEFCON in August. The exploit had been announced the same week at Blackhat but there wasn’t much information out yet. Now the talk has been posted and there’s a well-explained overview article at Big Mess o’ Wires.
Here’s how this one goes: all USB devices rely on a microcontroller to handle the peripheral-side of USB communications. The computer doesn’t care which microcontroller, nor does it have a way of knowing even if it wanted to. The uC is “invisible” in this situation, it’s the interface and data flowing through it that the computer cares about. BadUSB is an attack that adds malicious functionality to this microcontroller. To the computer it’s a perfectly normal and functional USB device, while all the bad stuff is happening on the peripheral’s controller where the computer can’t see it.
How deeply do you think about plugging each and every USB device? Check out what happens at 19:20 into the video below. The USB device enumerates and very quickly sets up a spoofed Ethernet connection. You can still load a webpage via WiFi but the fake connection is forwarding packets to a second server.
Once discovered, you can wipe the computer and this will stop happening; until you plug the same device again and reinfect. Worse yet, because the controller is invisible to the computer there’s almost no way to scan for infected devices. If you are smart enough to suspect BadUSB, how long will it take you to figure out if its your mouse, your keyboard, a thumb drive, a webcam, your scanner… you get the point.
Continue reading “BadUSB Means We’re All Screwed”