(LiveHacking.Com) – Security experts Karsten Nohl and Jakob Lell have demonstrated how any USB device can be reprogrammed and used to infect a computer without the user’s knowledge.
During a presentation at the Black Hat Security conference, and in a subsequent interview with the BBC, the duo have raised the question about the future security of USB devices.
As part of the demo, a normal looking smartphone was connected to a laptop, maybe something a friend or colleague might ask you to do so they can charge the device. But the smartphone was modified to present itself as a network card and not a USB media device. The result was that the malicious software on the phone was able to redirect traffic from legitimate web sites to shadow servers, which fake and the look and feel of the genuine sites, but are actually designed just to steal login credentials.
According to a blog entry posted by the pair, USB’s great versatility is also its Achilles heel. “Since different device classes can plug into the same connectors, one type of device can turn into a more capable or malicious type without the user noticing,” wrote the researchers.
The experts, who work for Security Research Labs in Germany, gave a presentation at the Black Hat conference called “BadUSB — On accessories that turn evil.” Every USB device has a micro-controller that isn’t visible to the user. It is responsible for talking with the host device (e.g. a PC) and interfacing with the actual hardware. The firmware for these microcontrollers is different on every USB device and what the micro-controller software does is different on every device. Webcams, keyboards, network interfaces, smartphones and flash drives all perform different tasks and the software is developed accordingly.
However, the team managed to reverse engineer and hack the firmware on different devices in under two months. As a result they can re-program the devices and get them to act as something they are not.
During their Black Hat presentation, a standard USB drive was inserted into a computer. Malicious code implanted on the stick tricked the PC into thinking a keyboard had been plugged in. The fake keyboard then began typing in commands – and forced the computer to download malware from the internet.
Defending against this type of attack includes tactics like code-signing of the micro-controller firmware updates or the disabling of firmware changes in hardware. However these must all be implemented by the USB device makers and isn’t something that end users can enforce.
You can download the slides from the presentation here: https://srlabs.de/blog/wp-content/uploads/2014/07/SRLabs-BadUSB-BlackHat-v1.pdf