Saturday, October 04, 2014

BadUSB News and Linkage

I first noticed news about BadUSB in late July. A smattering of articles were appearing in my RSS feed.

I read them with curiosity but don’t believe I actively posted anything about them.

However, recent new events and at least one security software counter release that I am aware of (so far) have led me to go back into the RSS feed archives.

At the most basic level, someone using the BadUSB vector reprograms the firmware of the microcontroller inside (almost any) USB device so that the device no longer behaves only as what it is labelled. Because the attack lives in the device firmware rather than in its storage, formatting the stick does not remove it, and detection may be possible but is very difficult with current techniques. The common attack examples are a device that also emulates a keyboard and injects keystrokes, a device that emulates a network card to redirect traffic, and a storage device that delivers malware.

The initial proof-of-concept presentation was given at the Black Hat USA 2014 conference: “BadUSB - On Accessories that Turn Evil” by Karsten Nohl and Jakob Lell. The presentation video is on YouTube (embedded below and linked here).

This appears to be a summary from their website: Turning USB peripherals into BadUSB - Security Research Labs

And here are the presentation slides.

Nohl and Lell did not release the modified firmware but did provide proof-of-concept code for Android devices.

However, just this past week, a different team did release source code for a BadUSB-like exploit. According to the Wired article linked below, this team did so to push the security community toward developing detection and protection methods, and toward closing the gaps in the USB standards that allow this kind of attack.

Considering the ubiquitous nature of USB devices, this will be no small task. I expect to see either epoxy-filled USB ports experience a fashion revival or even computing hardware (laptops/desktops/etc.) models that come sans USB ports entirely.

Here is some earlier and digestible linkage about the BadUSB concept as a security threat.

My favorite USB brand, Kanguru, has come out with a statement about how their Kanguru Defender line of products isn’t impacted by BadUSB due to digitally signed secure firmware. Note what signed firmware does and does not buy you: it keeps that particular stick from being reflashed into a BadUSB device, but it does nothing about a hostile device someone plugs into the same port.

My only problem (so far) with these enhanced/encrypted high-security USB devices (like IronKey as well) is that I haven’t seen that you can make them into “bootable” USB devices for use with WinPE/WinFE-type configurations. While they can hold the data very securely, they can’t be used to load a bootable system onto and then “off-line” boot a target system. If anyone knows how to do so with an IronKey or Kanguru Defender series device (even if limited to a specific model), please drop a reference/tip in the comments. I’d love to know!

Not to be outdone, one German company, G Data Software, has released a free anti-BadUSB software tool to help protect systems.

According to my reading of the product description, running the software before inserting a USB device lets it baseline the system state and then trigger an alert if a new keyboard device is detected loading when a USB device is connected. Initial access to the device is blocked, allowing you to investigate before allowing it.
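To make the baseline-then-alert idea concrete, here is an added example of my own (it is not G DATA’s code, nor anything from the Nohl/Lell research). It applies the same logic to Linux kernel log (dmesg) lines instead of Windows device enumeration, because the approach is platform-independent: record which keyboards were present while the machine was trusted, then flag any newly enumerated keyboard that is not in that baseline, and additionally flag any single device that presents a storage interface together with a keyboard or network-adapter interface (the two BadUSB behaviors described above). The log lines, vendor/product IDs, product strings and serial numbers are all constructed for the example.

```python
"""Baseline-then-alert check for BadUSB-style keyboard/network emulation.

Added example, not part of the original post or of any vendor's tool. It parses
constructed Linux kernel (dmesg) lines for USB device enumeration and raises an
alert when a HID keyboard appears that is not in a baseline taken while the
system was trusted, or when one physical device exposes a mass-storage interface
alongside a keyboard or network interface.
"""
import re
from dataclasses import dataclass, field

# Constructed sample kernel log lines; all IDs, names and serials are made up.
SAMPLE_DMESG = """\
usb 1-1: new high-speed USB device number 4 using xhci_hcd
usb 1-1: New USB device found, idVendor=1234, idProduct=5678, bcdDevice= 1.00
usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
usb 1-1: Product: Flash Disk
usb 1-1: Manufacturer: Example Corp
usb 1-1: SerialNumber: 0123456789AB
usb-storage 1-1:1.0: USB Mass Storage device detected
input: Example Corp Flash Disk as /devices/pci0000:00/0000:00:14.0/usb1/1-1/1-1:1.1/0003:1234:5678.0001/input/input12
hid-generic 0003:1234:5678.0001: input,hidraw0: USB HID v1.11 Keyboard [Example Corp Flash Disk] on usb-0000:00:14.0-1/input1
usb 1-2: new low-speed USB device number 5 using xhci_hcd
usb 1-2: New USB device found, idVendor=feed, idProduct=0001, bcdDevice= 2.00
usb 1-2: Product: Desk Keyboard
usb 1-2: Manufacturer: Example Corp
usb 1-2: SerialNumber: KB-000001
hid-generic 0003:FEED:0001.0002: input,hidraw1: USB HID v1.10 Keyboard [Example Corp Desk Keyboard] on usb-0000:00:14.0-2/input0
usb 1-3: new high-speed USB device number 6 using xhci_hcd
usb 1-3: New USB device found, idVendor=1234, idProduct=9abc, bcdDevice= 1.00
usb 1-3: Product: Flash Disk
usb 1-3: Manufacturer: Example Corp
usb 1-3: SerialNumber: FEDCBA987654
usb-storage 1-3:1.0: USB Mass Storage device detected
cdc_ether 1-3:1.1 usb0: register 'cdc_ether' at usb-0000:00:14.0-3, CDC Ethernet Device, 02:00:00:00:00:01
"""

# Constructed baseline: the one keyboard that was attached while the system was trusted.
TRUSTED_KEYBOARDS = {("feed", "0001", "KB-000001")}

RE_NEW = re.compile(r"^usb (\S+): New USB device found, idVendor=([0-9a-f]{4}), idProduct=([0-9a-f]{4})")
RE_PRODUCT = re.compile(r"^usb (\S+): Product: (.+)$")
RE_SERIAL = re.compile(r"^usb (\S+): SerialNumber: (\S+)$")
RE_STORAGE = re.compile(r"^usb-storage (\S+):\d+\.\d+: USB Mass Storage device detected")
RE_HID = re.compile(r"^hid-generic 0003:([0-9A-Fa-f]{4}):([0-9A-Fa-f]{4})\.\d+: .*USB HID v[\d.]+ (\w+) \[")
RE_NET = re.compile(r"^(?:cdc_ether|cdc_ncm|rndis_host) (\S+):\d+\.\d+ \S+: register ")


@dataclass
class UsbDevice:
    port: str                      # kernel port path, e.g. "1-1"
    vid: str = "?"
    pid: str = "?"
    product: str = "?"
    serial: str = "?"
    classes: set = field(default_factory=set)   # "storage", "keyboard", "network", ...

    @property
    def identity(self):
        return (self.vid, self.pid, self.serial)


def parse_dmesg(text):
    """Group enumeration lines by port and record which interface classes each device exposes."""
    devices, by_id = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if m := RE_NEW.match(line):
            port, vid, pid = m.groups()
            devices[port] = by_id[(vid, pid)] = UsbDevice(port=port, vid=vid, pid=pid)
        elif (m := RE_PRODUCT.match(line)) and m.group(1) in devices:
            devices[m.group(1)].product = m.group(2)
        elif (m := RE_SERIAL.match(line)) and m.group(1) in devices:
            devices[m.group(1)].serial = m.group(2)
        elif (m := RE_STORAGE.match(line)) and m.group(1) in devices:
            devices[m.group(1)].classes.add("storage")
        elif (m := RE_NET.match(line)) and m.group(1) in devices:
            devices[m.group(1)].classes.add("network")
        elif m := RE_HID.match(line):
            # hid-generic lines carry VID:PID rather than the port path; two identical
            # devices plugged in at once would collapse onto the last one seen.
            dev = by_id.get((m.group(1).lower(), m.group(2).lower()))
            if dev:
                dev.classes.add(m.group(3).lower())
    return devices


def take_baseline(devices):
    """Identities of every keyboard present; call this only on a machine you trust."""
    return {d.identity for d in devices.values() if "keyboard" in d.classes}


def check_devices(devices, baseline):
    """Return (port, reason) alerts in port order."""
    alerts = []
    for port, dev in sorted(devices.items()):
        if "keyboard" in dev.classes and dev.identity not in baseline:
            alerts.append((port, "keyboard not in baseline"))
        if "keyboard" in dev.classes and "storage" in dev.classes:
            alerts.append((port, "storage device also presents a keyboard"))
        if "network" in dev.classes and "storage" in dev.classes:
            alerts.append((port, "storage device also presents a network adapter"))
    return alerts


if __name__ == "__main__":
    found = parse_dmesg(SAMPLE_DMESG)
    for port, reason in check_devices(found, TRUSTED_KEYBOARDS):
        d = found[port]
        print(f"ALERT {port} {d.vid}:{d.pid} '{d.product}' serial={d.serial}: {reason}")
```

The serial number is part of the identity on purpose: a reflashed stick can copy a legitimate keyboard’s vendor and product IDs, so matching on VID:PID alone would let it walk straight through the baseline. The composite-device rules fire regardless of the baseline, because a “flash disk” that also enumerates a keyboard or an Ethernet adapter is the BadUSB signature itself. On Linux the block action that G DATA’s tool performs on Windows can be approximated by writing 0 to the device’s `authorized` attribute under `/sys/bus/usb/devices/` before the keyboard driver binds.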

I’ve not seen any “state-side” articles or postings about this software just yet; most are German-sourced, but these may be a useful consideration. The general consensus is that this is a good first effort by the G DATA developers against the basic attacks, and that with time and contribution a more hardened and expanded set of solutions could be developed.

So, time to add this threat to the watch-list, even if it isn’t likely to be that common for most folks, yet. For other high-value targets, it might be a nightmare just one seeded USB stick in the parking lot away.

Constant Vigilance!

Claus Valca
