USB peripherals can turn against their users
Turning USB peripherals into BadUSB
USB devices are connected to – and in many cases even built into – virtually all computers. The interface standard conquered the world over the past two decades thanks to its versatility: Almost any computer peripheral, from storage and input gadgets to healthcare devices, can connect over the ubiquitous technology. And many more device classes connect over USB to charge their batteries.
This versatility is also USB’s Achilles heel: Since different device classes can plug into the same connectors, one type of device can turn into a more capable or malicious type without the user noticing.
Reprogramming USB peripherals. To turn one device type into another, USB controller chips in peripherals need to be reprogrammed. Very widely spread USB controller chips, including those in thumb drives, have no protection from such reprogramming.
BadUSB – Turning devices evil. Once reprogrammed, benign devices can turn malicious in many ways, including:
- A device can emulate a keyboard and issue commands on behalf of the logged-in user, for example to exfiltrate files or install malware. Such malware, in turn, can infect the controller chips of other USB devices connected to the computer.
- The device can also spoof a network card and change the computer’s DNS setting to redirect traffic.
- A modified thumb drive or external hard disk can – when it detects that the computer is starting up – boot a small virus, which infects the computer’s operating system prior to boot.
Defenses?
No effective defenses from USB attacks are known. Malware scanners cannot access the firmware running on USB devices. Behavioral detection is difficult since behavior of an infected device may look as though a user has simply plugged in a new device. Blocking or allowing specific USB device classes and device IDs is possible, however generic lists can easily be bypassed. Pre-boot attacks may be prevented by use of a BIOS password and booting only to the hard drive.
To make matters worse, cleanup after an incident is hard: Simply reinstalling the operating system – the standard response to otherwise ineradicable malware – does not address BadUSB infections at their root. The USB thumb drive, from which the operating system is reinstalled, may already be infected, as may the hardwired webcam or other USB components inside the computer. A BadUSB device may even have replaced the computer’s BIOS – again by emulating a keyboard and unlocking a hidden file on the USB thumb drive.
Once infected, computers and their USB peripherals can never be trusted again.
More details are available in the slides of our talk at PacSec 2014. (An earlier version of the talk was presentedat BlackHat 2014.) YouTube has a video of the BlackHat talk.
Proof-of-Concept. We are not yet releasing the modified USB controller firmwares. Instead we are providing a proof-of-concept for Android devices that you can use to test your defenses: BadAndroid-v0.2
Questions? – usb [you know what to put here] srlabs.de
最新文章
- 一条代码解决各种IE浏览器兼容性问题
- centos添加硬盘
- Windows去除快捷箭头
- 安装python爬虫scrapy踩过的那些坑和编程外的思考
- javascript实例学习之一——联动下拉框
- 浅谈Android手机木马手工查杀
- linux作业六——进程的描述和进程的创建
- 支付宝api教程,支付宝根据交易号自动充值
- nginx 去掉服务器版本和名称和nginx_status 状态说明
- 基于OpenCV性别识别
- hdu_3068 最长回文(Manacher算法)
- proxy ubunta
- tornado+jsonrpc
- 【XSY2730】Ball 多项式exp 多项式ln 多项式开根 常系数线性递推 DP
- Linux设备驱动模型之platform(平台)总线详解
- Coding in Delphi(前4章翻译版本) (PDF)
- 反射(I)
- PowerSploit: The Easiest Shell You'll Ever Get - Pentest Geek - Penetration Testing - Infosec Professionals
- UVa 11294 Wedding (TwoSat)
- 结对项目-四则运算出题程序(GUI版)