Possible time of origin: July, 2014
Circulation platforms: Internet
Circulation geography: Global
Original Message Version Under Analysis:
BadUSB writes or overwrites a USB device’s firmware code to carry out malicious actions. First announced in July 2014, BadUSB was discovered by a pair of computer researchers at Security Research Labs in Berlin, who then presented their discovery at the Black Hat Conference. The attack is feared because none of the traditional methods of checking for malice on a USB storage device detects it. The malicious code is planted in the USB’s firmware, which is first executed only when the device is plugged into a host machine. The host machine can’t detect the firmware code, but the firmware’s code can interact with and modify software on the host machine. The malicious firmware code could then plant other malware, steal information, or divert Internet traffic. All these may run while bypassing antivirus scans. Moreover, this problem isn’t limited to USB devices. In fact, USB devices are the tip of the iceberg. Any hardware device plugged into your computer with a firmware component can probably be made malicious in a very similar manner.
BadUSB has no defense today, but it may be easily defended against in the near future. After all, it’s simply code/software (stored in firmware), so other protective code/software (to be developed) should be able to defeat it.
Analysis by Merofact Awareness Team:
Everything said above is entirely true. USB devices are removably connected to, and often even built into, virtually all computers. This universal interface standard has revolutionized the world over the past two decades, thanks to its versatility. Almost any computer peripheral, from storage and input gadgets to healthcare devices, can connect using this ubiquitous technology. This versatility is also its Achilles' heel: since different device types can plug in via the same connector, one type of device can turn into a more capable or malicious type without the user noticing at all. This is what a BadUSB device does. To turn one device type into another, the USB controller chip in the peripheral needs to be reprogrammed. The most widely used USB controller chips, including those in USB thumb drives, have little, if any, protection against such reprogramming.
Regular computer users share USB drives like business cards, even though we all know that they often carry malware and many of us can remember a few bitter experiences. To protect our computers from such experiences, we all depend on antivirus and antimalware scans. In case of some unpatchable trouble, the occasional reformatting keeps our thumb drives from becoming carriers of a malware epidemic. But the security problems with USB devices run deeper than we knew: their risk isn’t just in what they detectably carry; it can be built into the core of how they work and talk to the host computer.
The kind of compromise BadUSB is able to make is nearly impossible to counter at present without banning the sharing of USB devices. The problem isn’t limited to thumb drives. All types of USB devices, from keyboards, mice and webcams to smartphones, have firmware that can be reprogrammed in much the same way that a USB memory stick is turned into a BadUSB device. BadUSB can do whatever one can do with a keyboard attached to a computer, which is basically everything a computer does. In summary, BadUSB can do at least the following:
1. It can emulate a keyboard and issue commands on behalf of the logged-in user, for example to download files or install malware. Such malware, in turn, can infect the controller chips of other USB devices connected to the computer.
2. The device can also spoof a network card and change the computer’s settings to redirect traffic.
3. It can detect that the computer is starting up and then boot a small virus, which infects the computer’s operating system prior to boot.
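The change of role described above can be watched for on the host. The following Go code is an added example, not part of the original analysis: it compares the USB interface classes each device announces with a previously recorded baseline and flags any device that gains a keyboard (HID) or network (communications) interface. The device key format, the Audit function and the sample data are assumptions made for illustration.

```go
package main

import "fmt"

const ( // USB-IF base class codes for the roles the article lists
	classComm = 0x02 // communications/CDC control (network adapters)
	classHID  = 0x03 // human interface device (keyboard, mouse)
	classMass = 0x08 // mass storage (thumb drive)
)

// Finding is a device that announced a risky class it did not have before.
type Finding struct {
	ID     string // hypothetical key "vendor:product:serial"
	Gained []byte // newly announced bInterfaceClass values
}

// Audit reports devices whose current interface classes add keyboard-like or
// network-like capability relative to a trusted baseline (absent = nothing).
func Audit(baseline, current map[string][]byte) []Finding {
	var out []Finding
	for id, classes := range current {
		seen := map[byte]bool{}
		for _, c := range baseline[id] {
			seen[c] = true
		}
		var gained []byte
		for _, c := range classes {
			if !seen[c] && (c == classHID || c == classComm) {
				gained = append(gained, c)
				seen[c] = true
			}
		}
		if len(gained) > 0 {
			out = append(out, Finding{id, gained})
		}
	}
	return out
}

func main() {
	// Constructed sample data, not taken from a real machine.
	baseline := map[string][]byte{"1111:2222:SN-A": {classMass}, "3333:4444:SN-B": {classHID}}
	current := map[string][]byte{
		"1111:2222:SN-A": {classMass, classHID}, // thumb drive now also a keyboard
		"3333:4444:SN-B": {classHID},            // keyboard, unchanged
	}
	fmt.Println(Audit(baseline, current))
}
```

Interface classes are reported by the device's own firmware, so this catches a change of role on a known device, not a device that has announced a keyboard interface ever since it was first recorded.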
To make things worse, cleanup after an infection is hard, if not impossible. Simply reinstalling the operating system, the last-resort response to otherwise ineradicable malware, does not address BadUSB infections at their root. The USB drive from which the operating system is reinstalled may already be infected, as may the hardwired webcam or other USB-connected components inside the computer. A BadUSB device may even replace the computer’s BIOS, again by emulating a keyboard and unlocking a hidden file on the infected USB drive.
Once infected with BadUSB, the computer and all USB peripherals that came in contact with the infected machine can never be trusted again.
One piece of apparently good news is that this susceptibility has reportedly been tested only on one USB manufacturer, Phison Electronics, a Taiwanese electronics company. Although Phison sticks can initiate an attack on any device they are attached to, it is not clear whether the established infection will be able to spread to any other USB drive attached to the infected device later on. The company has not yet publicly listed the vendors for whom it manufactures USB sticks. Therefore, it is still not very clear whether the issue can really turn into a digital epidemic.
The other good news is that, according to information available on the web, at least one company (IronKey) already deliberately protects against BadUSB attacks. Its new line of thumb drive products requires that any new update to the drives’ firmware be signed with an unforgeable cryptographic signature, which prevents malicious reprogramming.
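How a signature requirement blocks reprogramming, shown as an added example that is neither IronKey's code nor part of the original analysis: the controller stores only the vendor's public key and installs an image only when the signature verifies. Ed25519, the Controller type, the helper names and the fixed demo seed are assumptions; the page does not say which scheme the product uses.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
)

var ErrBadSignature = errors.New("firmware update rejected: bad signature")

// Controller models the device side. It stores only the vendor's public key,
// so nothing readable from the device can be used to sign a new image.
type Controller struct {
	VendorKey ed25519.PublicKey
	Firmware  []byte
}

// Update replaces the firmware only if sig verifies over the exact image.
func (c *Controller) Update(image, sig []byte) error {
	if !ed25519.Verify(c.VendorKey, image, sig) {
		return ErrBadSignature
	}
	c.Firmware = append([]byte(nil), image...)
	return nil
}

// DemoVendor derives a key pair from a constructed, fixed seed so the example
// is reproducible. A real signing key is random and never leaves the vendor.
func DemoVendor() (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize))
	return priv.Public().(ed25519.PublicKey), priv
}

// SignImage is the vendor-side release step.
func SignImage(priv ed25519.PrivateKey, image []byte) []byte {
	return ed25519.Sign(priv, image)
}

func main() {
	pub, priv := DemoVendor()
	dev := &Controller{VendorKey: pub, Firmware: []byte("fw v1")}
	good := []byte("fw v2 (vendor build)")
	sig := SignImage(priv, good)
	fmt.Println("signed image:", dev.Update(good, sig))
	// An image altered after signing is refused; the firmware is unchanged.
	fmt.Println("altered image:", dev.Update([]byte("fw v2 (altered)"), sig))
	fmt.Printf("running firmware: %s\n", dev.Firmware)
}
```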