I first noticed news about BadUSB in late July. A smattering of articles were appearing in my RSS feed.
I read them with curiosity but don’t believe I actively posted anything about them.
However, recent new events and at least one security software counter release that I am aware of (so far) have led me to go back into the RSS feed archives.
At the very basic level, someone using the BadUSB vector would modify (almost any) USB device firmware to execute very low-level code. Detection may be possible, but could be very difficult using current techniques. A common attack code examples used would be a keylogger, replicating network-card behavior for exploitation, and malware delivery.
This appears to be a summary from their website: Turning USB peripherals into BadUSB - Security Research Labs
And here is are the presentation slides.
Nohl and Lell did not release the modified firmware but did provide POC for Android devices.
However, just this past week, a different team did release source code for a BadUSB-like exploit. According to the Wired article linked below, this team did so to get the security community going on developing on detection/protection methods and for the USB standards that allow this exploit to be closed.
Considering the ubiquitous nature of USB devices, this will be no small task. I expect to see either epoxy filled USB ports experience a fashion revival or even computing hardware (laptops/desktops/etc.) models that come sans USB ports entirely.
- The Unpatchable Malware That Infects USBs Is Now on the Loose - WIRED
- Thanks GitHub! Now Anyone Can Download This Unpatchable USB Malware - ReadWrite
- Sourcecode for "unpatchable" USB exploit now on Github - Boing Boing
- Researcher release BadUSB attack code - Help Net Security
- Known Unpatchbarer exploit for BadUSB (GTranslated) - Borns IT and Windows Blog
- BadUSB tools circulating on the Net, Attack Stick Build Your Own (GTranslated) - heise online
Here is some earlier and digestible linkage about the BadUSB concept as a security threat.
- USB firmware: An upcoming threat for home and enterprise users - Microsoft Malware Protection Center
- This thumbdrive hacks computers. “BadUSB” exploit makes devices turn “evil” - Ars Technica
- Why the Security of USB Is Fundamentally Broken - WIRED
My favorite USB brand, Kanguru, has come out with a statement about how their Kanguru Defender line of products isn’t impacted by BadUSB due to digitally signed secure firmware.
- Concerned about "BadUSB?" Don't Be. Kanguru Has You Covered - Kanguru Solutions
My only problem (so far) with these enhanced/encrypted high-security USB devices (like IronKey as well) is that I haven’t seen that you can make them into “bootable” USB devices for use with WinPE/WinFE type of configurations. While they can hold the data very secure, they can’t be used to load a bootable system onto and then “off-line” boot a target system. If anyone knows how to do so with IronKey or Kanguru Defender series device (even if limited to a specific model), please drop a reference/tip in the comments. I’d love to know!
Not to be outdone, one German company, G Data Software, has released a free anti-BadUSB software tool to help protect systems.
- USB KEYBOARD GUARD - G DATA Software, Inc.
According to my reading of the product description, running of the software before inserting a USB device allows it to benchmark the system state and then trigger an alert if a new keyboard device is detected loading when a USB device is connected. Initial access of the device is blocked allowing you to investigate before allowing.
I’ve not seen any “state-side” articles or postings about this software just yet, most all are German sourced but these may be a useful consideration. General consensus is that this is a kind and good first-effort by G DATA developers for basic attacks and that with time and contribution, a more hardened and expanded feature set of solutions could be developed.
- G Data BadUSB-Protector: Useful or snake oil? (Gtranslated) - Borns IT and Windows Blog
- Free G-Data tool protects against attacks BadUSB (Gtranslated) - heise online
- BadUSB: Free tool protection against new USB-gap (Gtranslated) - CHIP
So, time to add this threat to the watch-list, even if it isn’t likely to be that common for most folks, yet. For other high-value targets, it might be a nightmare just one seeded USB stick in the parking lot away.