4 August 2014

CARRYING THE NEXT DIGITAL EPIDEMIC: WHY THE SECURITY OF A USB DEVICE IS FUNDAMENTALLY BROKEN — NEXT BIG DIGITAL INFECTION VECTOR?

August 3, 2014

http://www.fortunascorner.wordpress.com

Andy Greenberg had an online article (July 31, 2014) on the website Wired.com, “Why The Security Of A USB Device Is Fundamentally Broken.” He writes that “computer users pass around USB sticks like silicon business cards. Although we know they often carry malware infections,” writes Mr. Greenberg, “we depend on antivirus scans and the occasional reformatting to keep our thumb-drives from becoming the carrier of the next digital epidemic. But, the security problems with USB devices run deeper than you think,” he says: “Their risk isn’t just what they carry, it’s built into the core of how they work.”

“That’s the takeaway from the findings [cyber] security researchers Karsten Nohl and Jakob Lell plan to present next week,” [at the annual Black Hat Conference in Las Vegas] Mr. Greenberg notes, “demonstrating a proof-of-concept malicious software that highlights how the security of USB devices — has long been fundamentally broken.” “The malware the two created,” notes Mr. Greenberg, “called BadUSB, can be installed on a USB device to completely take over a PC, invisibly alter files [already] installed from the memory stick; or, even redirect the user’s Internet traffic. Because BadUSB resides — not in the flash memory storage of USB devices; but, in firmware that controls their basic functions, the attack code can remain hidden long after the contents of the device’s memory would appear to the average user — to have been deleted. And, the two researchers say there’s no easy fix: the kind of compromise they’re demonstrating is nearly impossible to counter — without banning the sharing of USB devices; or, filling your port with superglue.”

“These problems can’t be patched. We’re exploiting the very way the USB is designed,” said Nohl.

“In this new way of thinking, you have to consider a USB infected; and, throw it away — as soon as it touches a non-trusted computer.”

Nohl and Lell, “researchers [cyber security] for the security consultancy firm, SR Labs, are hardly the first to point out USB devices can store and spread malware. But, the two hackers didn’t merely copy their own custom-coded infections into USB devices’ memory.” The two researchers “spent months reverse engineering the firmware that runs the basic communications functions of USB devices,” Mr. Greenberg writes, “the controller chips that allow the devices to communicate with a PC; and, let users move files on, and off them.” “Their central finding is that USB firmware, which exists in varying forms for all USB devices, can be reprogrammed to hide attack code.” “You can give it to your IT security people, they can scan it, delete some files, and give it back to you — telling you that it’s clean,” said Nohl. “But, unless the IT guy has the reverse engineering skills to find, and analyze the firmware,” [highly doubtful in most cases] “the cleaning process doesn’t even touch the files we’re talking about.”

“The problem isn’t limited to thumb drives,” Mr. Greenberg observes. “All manner of USB devices, from keyboards and mice, to smartphones — have firmware that can be reprogrammed. In addition to USB sticks, Nohl and Lell say they’ve also tested their attack on an Android handset, plugged into a PC. And, once a BadUSB-infected device is connected to a computer, Nohl and Lell describe a grab bag of evil tricks it can play. It can, for example, impersonate a USB keyboard to suddenly start typing commands.” “It can do whatever you can do with a keyboard, which is basically everything a computer does,” says Nohl.

“The malware can silently hijack Internet traffic too, changing a computer’s DNS settings to siphon traffic to any servers it pleases. Or, if the code is planted on a phone, or another device with an Internet connection, it can act as a man-in-the-middle, secretly spying on communications — as it relays them from the victim’s machine,” wrote Mr. Greenberg.

“Most of us learned long ago not to run executable files from sketchy USB sticks,” Mr. Greenberg notes. “But, old-fashioned USB hygiene can’t stop this new flavor of infection: Even if users are aware of the potential for attacks, ensuring their USB firmware hasn’t been tampered with — is nearly impossible. The devices don’t have a restriction known as “code-signing,” a countermeasure that would make sure any new code added to the device has the unforgeable cryptographic signature of its manufacturer. There’s not even any trusted USB firmware to compare the code against,” Mr. Greenberg wrote.


“The element of Nohl and Lell’s research that elevates it above the average theoretical threat is the notion that the infection can travel both from computer to USB device; and, vice versa,” Mr. Greenberg says. “Any time a USB stick is plugged into a computer, its firmware could be reprogrammed by malware on a PC, with no easy way for the USB device’s owner to detect it. And likewise, any USB device could silently infect a user’s computer.” “It goes both ways,” Nohl says. “Nobody can trust anybody.”

“But, BadUSB’s ability to spread undetectably from USB to PC and back, raises questions about whether it’s possible to use USB devices securely at all.” “We’ve all known that if you give me access to your USB port, I can do bad things to your computer,” says University of Pennsylvania Computer Science Professor, Matt Blaze. “What this appears to demonstrate is that it’s also possible to go the other direction, which suggests the threat of compromised USB devices is a very serious practical problem.”

“Blaze speculates that the USB attack may in fact already be common practice for the NSA,” wrote Mr. Greenberg. “He points to a spying device known as Cottonmouth, revealed earlier this year in the Edward Snowden leaks. The device, which is hidden in the USB peripheral plug, was advertised in a collection of NSA internal documents as surreptitiously installing malware on a machine. The exact mechanism for that USB attack wasn’t described.” “I wouldn’t be surprised if some of the things [Nohl and Lell] discovered are what we heard about in the NSA catalogue.”

The Alternative Is To Treat USB Devices Like Hypodermic Needles

“Nohl says he and Lell reached out to a Taiwanese USB device maker, whom he declines to name, and warned the company about their BadUSB research,” Mr. Greenberg writes. “Over a series of emails, the company repeatedly denied that the attack was possible. When Wired contacted the USB Implementers Forum, a nonprofit corporation that oversees the USB standard, spokeswoman Liz Nardozza responded in a statement: “Consumers should always ensure their devices are from a trusted source; and, that only trusted sources interact with their devices,” she wrote. “Consumers safeguard their personal belongings; and, the same effort should be applied to protect themselves — when it comes to technology.”

“Nohl agrees. The short-term solution to BadUSB isn’t a technical patch, so much as a fundamental change in how we use USB gadgets,” writes Mr. Greenberg. “To avoid the attack, all you have to do is not connect your USB device to computers you don’t own; or, have good reason to trust — and, don’t plug untrusted USB devices into your own computer. But, Nohl admits that makes the convenient slices of storage we all carry in our pockets, among many other devices, significantly less useful.” “In this new way of thinking, you can’t trust a USB — just because its storage doesn’t contain a virus. Trust must come from the fact that no one malicious has ever touched it,” said Nohl. “You have to consider USB infected; and, throw it away as soon as it touches a non-trusted computer. And, that’s incompatible with how we use USB devices right now,” he added.

“The two researchers haven’t yet decided just which of their BadUSB device attacks they’ll release at Black Hat, if any. Nohl says he worries that the malicious firmware for USB sticks could quickly spread,” wrote Mr. Greenberg. “On the other hand, he says users need to be aware of the risks. Some companies could change their USB policies, for instance, to only use a certain manufacturer’s USB devices; and, insist that vendor implement code-signing protections on their gadgets.”

“Implementing that new security model will first require convincing device makers that the threat is real,” Mr. Greenberg concludes. “The alternative,” Nohl says, “is to treat USB devices like hypodermic needles that can’t be shared among users — a model that sows suspicion; and, largely defeats the devices’ purpose.” “Perhaps you remember once when you’ve connected some USB device to your computer from someone you don’t completely trust,” says Nohl. “That means you can’t trust your computer anymore. That is a threat on a layer that’s invisible. It’s a terrible kind of paranoia.”

Malicious USB Device Firmware Next Big Digital Infection Vector?

The website HealthNetSecurity had an online article with the title above. Their conclusion? “Researchers [cyber] from the German security consultancy firm SRLabs have created a whole new class of [digital] attacks that can [unwittingly] compromise computer systems via ubiquitous; and, widely used USB-connected devices (storage drives, keyboards, mice, smartphones, etc).”

“The malicious firmware can’t be detected by anti-virus solutions, and reformatting the drive does nothing to remove it. And, if you don’t have advanced knowledge in computer forensics, it’s practically impossible to make sure that a USB device’s firmware hasn’t been altered.”

“No effective defenses from USB attacks are known,” HealthNetSecurity notes. “Malware scanners cannot access the firmware running in USB devices. USB firewalls that block certain device classes do not [yet] exist. And, behavioral detection is difficult, since a BadUSB device’s behavior when it changes its persona looks as though the user has simply plugged in a new device,” the researchers pointed out. “And, cleanup after an incident is hard,” they write. “Once infected, computers and their USB peripherals can never be trusted again,” they write. How do you know your device is clean? You don’t.
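To make concrete what a device-class check or behavioral monitor of the kind mentioned above would look at, here is an added example (not from the Wired or HealthNetSecurity articles, nor from the researchers). It reviews a constructed log of USB enumerations and flags a port whose device gains a keyboard or network role, or pairs storage with one; the class codes are the standard USB interface class values, and the event format, function names and 30-second window are assumptions. It is a heuristic for human review: it cannot inspect firmware, and a phone switching to tethering would also trigger it.

```python
# Added example: heuristic only; the SAMPLE events below are constructed.
from dataclasses import dataclass

# Standard USB interface class codes (bInterfaceClass).
MASS_STORAGE = 0x08
HID = 0x03
CDC_COMM = 0x02                   # communications / network adapters
WIRELESS = 0xE0                   # wireless controller, includes RNDIS
KEYBOARD = (HID, 0x01, 0x01)      # class, boot subclass, keyboard protocol
NETWORK_CLASSES = {CDC_COMM, WIRELESS}

@dataclass
class Enumeration:
    time: float            # seconds since monitoring started
    port: str              # physical port path (hypothetical format, e.g. "1-2")
    interfaces: frozenset  # {(class, subclass, protocol), ...}

def risky_roles(interfaces):
    """Roles the article names as abusable: typed commands and traffic redirection."""
    roles = set()
    for cls, sub, proto in interfaces:
        if (cls, sub, proto) == KEYBOARD:
            roles.add("keyboard")
        if cls in NETWORK_CLASSES:
            roles.add("network")
    return roles

def review(events, window=30.0):
    """Return (time, port, reason) findings for enumerations worth a human look."""
    findings, last = [], {}
    for ev in sorted(events, key=lambda e: e.time):
        classes = {c for c, _, _ in ev.interfaces}
        roles = risky_roles(ev.interfaces)
        # Storage that also claims a keyboard or network interface.
        if MASS_STORAGE in classes and roles:
            findings.append((ev.time, ev.port, "storage+" + "+".join(sorted(roles))))
        # Same port re-enumerates shortly afterwards with a new risky role.
        prev = last.get(ev.port)
        if prev and ev.time - prev.time <= window:
            gained = roles - risky_roles(prev.interfaces)
            if gained:
                findings.append((ev.time, ev.port, "gained " + "+".join(sorted(gained))))
        last[ev.port] = ev
    return findings

SAMPLE = [  # constructed enumeration events
    Enumeration(0.0, "1-2", frozenset({(0x08, 0x06, 0x50)})),    # plain flash drive
    Enumeration(12.0, "1-2", frozenset({(0x03, 0x01, 0x01)})),   # same port, now a keyboard
    Enumeration(40.0, "1-3", frozenset({(0x03, 0x01, 0x02)})),   # ordinary mouse
    Enumeration(90.0, "1-4", frozenset({(0x08, 0x06, 0x50), (0xE0, 0x01, 0x03)})),
]
```

On the constructed sample, `review(SAMPLE)` reports the drive on port 1-2 that reappears as a keyboard and the storage-plus-network device on port 1-4, and leaves the mouse alone.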

It is a constant cat-and-mouse game; and, the only true way to remain clear of a digital infection is to disconnect from the Internet and the World Wide Web. But, for the vast majority of us, that isn’t a solution. In the meantime, and until we have a digital vaccine for this kind of thing — once you recognize that your USB device is in fact a Trojan Horse — you can never really, fully trust any of the systems it was connected to.
