The facts about BadUSB

Introduction

Since the BadUSB talk [1] by Karsten Nohl and Jakob Lell at Black Hat USA in August there has been much discussion about the implications of this class of USB attack.

The discussions gained additional momentum when Adam Caudill and Brandon Wilson investigated the attack further and publicly released working code [2] at the DerbyCon security conference.

This blog post is intended to dispel some of the misunderstandings that have arisen around BadUSB and provide some practical advice to organisations so they can protect their Enterprise IT infrastructure from this class of attack.

Dispelling some BadUSB misunderstandings

The media is reporting that BadUSB is the result of a fundamental flaw in the USB protocol that cannot be fixed. What is this flaw?

  • The “flaw” that some people have quoted relates to the fact that host operating systems implicitly trust devices that are plugged into a USB socket and as a result they cannot tell, for example, if a real keyboard has been connected and is being operated by a human or a fake keyboard has been connected that is being operated by software. This has been known and understood for many years and is the attack vector that is used by HID-based attack products such as the “USB Rubber Ducky”[3]. In fact, the technique that has become so widely known that it is being used by marketing companies, as we reported back in 2012[4].
  • The ability to upload modified firmware to some USB devices is not the result of a fundamental flaw in the USB protocol, rather the ability to reprogram a microcontroller that has not been sufficiently secured by the product vendor.

Apparently all USB devices are vulnerable to BadUSB. Is this true?

  • No, the BadUSB technique involves sending specific programming commands from the host computer to a connected USB device and will only succeed if:
    • the microcontroller on the USB device allows firmware updates to be performed
    • the firmware programming commands are compatible with the microcontroller used on the device
    • firmware cryptographic signing has not been implemented by the device

I don’t use Microsoft Windows, I only have Apple computers. Does that mean that BadUSB does not affect me?

  • No, the BadUSB technique involves reprogramming the microcontroller chip on a USB device. The interactions and trust model associated with USB communications is the same for all operating systems when they talk to USB devices.

How to mitigate the risks of BadUSB

How do I protect my Enterprise IT infrastructure from USB flash drives that may have been modified to act as a different device or that perform actions that I would not expect nor desire (for example, those “infected” with BadUSB)?

  • Use USB flash drives that only accept cryptographically signed firmware updates (there are a number of commercially available devices).
  • Do not insert untrusted USB devices into your computers

How do I protect my Enterprise IT infrastructure from other USB devices for which the firmware may have been modified to perform malicious actions?

  • Use a well configured Endpoint Protection System to implement your corporate policy of only allowing specific USB devices to be connected to your IT infrastructure.

How do I prevent my corporate USB flash drives from being “infected” or otherwise modified by microcontroller firmware updates issued by malicious hosts outside my IT infrastructure (e.g. via BadUSB)?

  • Use USB flash drives that only accept cryptographically signed firmware updates (there are a number of well-known commercially available devices).

How do I know if the USB devices I use only accept cryptographically signed firmware updates?

  • The easiest method is to trust the marketing material from the device vendor, however  this may not provide the level of assurance you require
  • For a greater level of assurance, seek in independent review of the device that clearly states that the device only accepts cryptographically signed firmware updates and this process has been correctly implemented.
  • For further assurance, commission a security review of the devices used within your organisation to provide independent confirmation that the device only accepts cryptographically signed firmware updates and this process has been correctly implemented.

NCC Group has been at the forefront of USB security for the last four years. We have released many whitepapers, presented at tier-one security conferences and discovered over 100 USB-related security vulnerabilities in all the major operating systems and devices. This has all helped us to secure the systems and devices used by our clients.

  1. https://www.blackhat.com/us-14/briefings.html#badusb-on-accessories-that-turn-evil
  2. https://github.com/adamcaudill/Psychson
  3. http://usbrubberducky.com/
  4. NCC Group Threat Brief – USB Keyboards

Published date:  08 October 2014

Written by:  Andy Davis