Sourcecode for "unpatchable" USB exploit now on Github


#1

[Permalink]


#2

What I’d love to see is a SDK for the USB controllers, including source of a “normal” USB disk. At least for some more common ones. All sorts of tricks would then be possible, with a microcontroller with a multigigabyte flash attached; the dataloggers alone are a worthy application. Then there’s the problematics of hidden data storage, hardened against even mid-grade forensics (as long as you don’t access the flash directly, and even then that part of data can be encrypted); a hidden disk could be unlocked e.g. by writing a file (which would not actually be written) with a key-string. And lots and lots more of white-to-gray hat possibilities.

The thumbdrives have quite fantastic capabilities and it is a shame they are so underused.


#3

I do not think I like the way you use “underused.” I suppose you could say the same thing about nuclear weapons - but don’t.

Hell, I never even knew there was a processor in there, and what you call “microcontroller” back in my day would have been called “supercomputer.” What was wrong with plugging in a couple of wires? Wires will never threaten to stab you and in fact cannot speak.


#4

That means just that you are unaware of the possible applications - for the low, low cost of a mass-produced chip.

Project Plowshare. Things like these will be a must-do for larger-scale planetary engineering on Moon and beyond.

The controllers like this are in next to everything, including SD cards. A rudimentary version is even in the Flash chips themselves. The xD cards have none, though, and are pretty much just a NAND flash with pins broken onto a connector - so the wear-leveling has to be done by the host computer, and there are way too many pins to bother with; silicon is cheaper than connectors these days.

And seeing this world of possibilities locked up and used only by the black hats is making me disappointed.

Electromagnetic emissions, my friend, Van Eck radiation. Wires speak. Wires talk. Wires SCREAM.


#5

So this is basically about those attacks now being cheeper by reusing existing USB devices? I mean, all of this could have obviously been done before by just using a regular micro controller and maybe putting it inside a USB stick case…

Also, those hacked devices can’t really do more than regular USB devices (e.g. hacked phones) were able to do before. Or am I missing something?


#6

basically, a usb thumb drive’s hardware itself can become infected and be a vector of attack without the user ever knowing or any anti-malware software being able to detect it, which is a frightening thought. usb devices are typically trusted and in the case of thumb drives can be plugged into computers at multiple locations work/kinkos/home/friends house/etc making it easy for such an attack to spread and be implemented offsite and transported inside of trusted networks.

this exploit in its current incarnation only affects the one manufacturer’s chipset, it is possible that exploits for other chipsets will also become available.


#7

I’ve been thinking lately about how primitive our computer hardware is compared to biological stuff, but the firmware seems to be getting up to the level of biological viruses. Doing naughty things with the microcontroller in a USB memory device? Sheesh!


#8

No, you’re not missing anything. This is a massively over-sensationalised non-story.

USB devices can do what ever a USB device does; hardly news. The news is that there are more devices with the facility for the firmware to be reprogrammed than a lot of people expected, but that doesn’t actually change much.

A great deal of the stuff in the article is pure bullshit. Eg: “To prevent USB devices’ firmware from being rewritten, their security architecture would need to be fundamentally redesigned, he argued”. Well, if he really argued that and it’s not just terrible reporting, he’s either a liar or an idiot.


#9

Of course, it’s impossible that you don’t understand the extent and implications of the problem, eh?


#10

Just break out a firmware_reflash_enable# signal out to a pin, with internal pull-up. By grounding the pin in the factory, the chip can be flashed. This would prevent hostile reflashing without the owner’s consent (e.g. by an infected computer), and would not prevent the owner from modding the thing (as he can easily split open the case and attach a wire) or a data rescue service from putting in an alternative firmware for dumping the raw NAND or other recovery assistance.

Voila, problem solved and nobody is harmed in progress…


#11

So this may be a dumb question asked out of complete ignorance of the factors involved, but:

If the USB’s memory is rewritable for bad uses in this way, couldn’t an external means be devised to just have the host computer just automatically rewrite it to something harmless every time the drive is used?


#12

A USB peripheral that’s been reprogrammed can’t possibly do anything that a purpose-designed USB peripheral can’t. That shouldn’t need stating.


#13

Has the disadvantage of being visible to physical examination (e.g. comparison of xray with known-good one). Otherwise true. Not just cheaper but also more elegant and you have the hardware already mass-produced.

You’re again right.

There is a possibility that this could spread around as a “flash virus”, though. An infected computer waits for a USB mass storage controller of a certain type. If it is plugged in, its firmware gets modified and hostile code is inserted. The code then can under certain circumstances (e.g. code injection into stored .exe files?) infect other machines. Kind of like the old boot-viruses spread during the floppy times…


#14

Ok, people cleverer than me:

Is this something I, as an ordinary punter, need to be alarmed about?


#15

My guess is “not yet”, or at least “not much yet”. The future may prove me wrong, though.

This is however a pretty interesting attack mode for special cases, e.g. networks disconnected from the Big Bad Internet. But that can be achieved even by “conventional” infecting of USB disks “lost” in convenient places (facility parking lot, for example); an autorun.inf combined with infected .exe or exploit-laden .pdf, sprinkled with user’s curiosity, can do wonders. It’s being said that the Natanz complex was breached in a way like this.


#16

Not practically. This kind of attack on the peripheral relies on reverse-engineering (or learning via some other means) the protocol that the device uses to make a firmware update, since the procedure is non-standardised and undocumented. Once you’ve done that, you’d need to write a custom firmware image that does what you want, which is going to be a major undertaking unless you’ve persuaded the manufacturer to give you the factory firmware image. Essentially, you’d need to duplicate the work of anyone devising malware, so you’d always be a step behind.

Even then, depending on the device there’s a good chance that the firmware update progress is mediated by software on the embedded microcontroller, so the malware could plausibly be programmed to silently ignore firmware update requests.


#17

Interesting. I’ve always thought of USB sticks as disposable. Specially the ones you carry to Kinko and other public places.


#18

Nothing. People are panicking over this like if it was another “Deadly Y2K BUG” (read: not deadly)


#19

‘Alarmed’, no. ‘Aware’, yes.

Most people by now should be at least cynical enough not to run programs they find on some random USB stick that’s left lying around. This kind of firmware hack extends that such that, in principle, it could be possible to make the firmware insert malware in files that are saved at a later date, even if the device has been reformatted. Alternatively, you could (for example) have a USB network device that copies the data sent over it to some other destination - though practically everything important will be encrypted anyway since people want to be able to use untrusted networks all the time - or subtly alters the data it’s sending to you.

Code can’t run itself; somehow the user or the user’s existing software needs to be tricked into running it. Practically speaking this means the device needs to inject it into something the user would run anyway, or into something file that the user would open if you could combine it with some other privilege escalation bug (unless the user is happy to run any old thing they see, in which case you don’t need to go to all this effort). That’s why I’m focussing on mass storage or network devices, though it’s not going to be specific to them - MTP devices spring to mind.

The ability to replace a device’s firmware with something nefarious isn’t specific to USB - the same applies to almost all devices: hard drives, SSDs, network interface devices, GPUs, modems, etc. In fact, USB is safer than most of those because USB devices can’t initiate DMA transfers, whereas all those other things (plus, notably, Firewire peripherals) can - meaning that they can potentially read and write arbitrary memory on your computer (Firewire has been actively exploited in this way).

There are basically two factors that make this slightly more notable:

  • One is that people are a lot more likely to plug a random USB device in to their computer than a random hard drive, say, and to move them between machines, theoretically making malware more transmissible, though that also means it’s much more likely to be detected.

  • The second is that people tend to consider the risk level of a USB device according to what the device looks like it can do, which is not necessarily the same as what it actually can do. In actuality, if there’s any USB device that can perform a function, then there’s nothing stopping some other USB device from being able to perform that function.
    In practice though, this is fairly unlikely to be a major issue. If you plug in a USB stick and it pops up as a keyboard, that would look pretty sus. Similarly if you plug in a USB keyboard and it pops up as a mass storage device, and Windows (or whatever) asks you if you’d like to open the files on it, you’re probably likely to wonder what’s going on.

Overall, the risk from any of these kind of attacks is extremely low, rising to merely very low if you have reason to believe you’re being personally targetted. There are far simpler avenues of attack to worry about long before this is really even on the radar.

Don’t plug in a Firewire device though. Those things really do need to be “fundamentally redesigned”, or at least completely isolated as a matter of course with an IOMMU, which probably the majority of even new CPUs don’t have.


#20

Is this how bluetooth reaches is apogee?