# BadUSB - BlackHat 2014 - That's serious shit!

## CarstenIQ

Hi 

I was researching USB flash drive controllers for a project and I never thought that security would be much of an issue.

We all use some form of protection, especially in Linux/Unix, but this is serious shit!

I recommend that you all take a look at this presentation, "Turn Evil", given by Karsten Nohl about USB devices.

BadUSB - On Accessories that Turn Evil by Karsten Nohl + Jakob Lell

http://youtu.be/nuruzFqMgIw

----------

## ManDay

*disabling all CONFIG_USB*

 :Shocked: 

I think it's not as difficult to narrow down the list of potential risks. Keyboards are at the top, but I think they are the only risk that's really inherent to USB. For the rest, you should just generally assume that when you plug in a USB device, it could actually be any device and therefore configure the computer so as not to bring up arbitrary network devices, etc.

Sure, this does not downplay the danger in this, since only computer experts can then protect themselves. I'm just pointing out that the keyboard seems to be the ultimate danger (esp. with the BIOS) that can only be protected from with great difficulty, while the other risks seem manageable, at least?
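ManDay's suggestion above, configuring the machine so that an unknown USB device is not simply brought up as a keyboard or network adapter, as an added example that is not code from the thread: a Linux default-deny authorization script that reads a freshly plugged device's descriptors and refuses anything declaring a HID or network interface unless the device is on an allowlist. The sysfs files, the udev rules and the vendor:product ids used here are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: default-deny USB authorization for
# Linux. Assumes the kernel's files under /sys/bus/usb/devices (authorized_default
# on root hubs, per-device "authorized" and raw "descriptors") and the udev rules
# noted at the bottom. Devices allowed to present HID/network interfaces, e.g. the
# one keyboard you own (constructed placeholder ids); others of that kind are refused:
ALLOW_LIST="046d:c31c 0bda:8153"

# Print the bInterfaceClass of every interface descriptor (type 04, class at
# offset 5) in a blob of hex bytes as produced by od -An -v -tx1. An unauthorized
# device has no interface nodes in sysfs yet, so the raw descriptors are parsed.
interface_classes() {
    set -- $1
    while [ $# -ge 2 ]; do
        len=$((0x$1)); type=$2
        [ "$len" -lt 2 ] && break        # malformed descriptor: stop
        [ $# -lt "$len" ] && break       # truncated descriptor: stop
        if [ "$type" = "04" ] && [ "$len" -ge 6 ]; then echo "$6"; fi
        shift "$len"
    done
}

# Policy: allowlisted ids pass; anything declaring a HID (03), CDC (02, USB
# ethernet), wireless (e0) or misc/RNDIS (ef) interface is refused; storage-only
# sticks (08) are fine. Prints allow or deny.
usb_policy() {
    devid=$1; shift
    for a in $ALLOW_LIST; do
        [ "$a" = "$devid" ] && { echo allow; return 0; }
    done
    for c in "$@"; do
        case "$c" in 03|02|e0|ef) echo deny; return 1 ;; esac
    done
    echo allow
}

# udev RUN target: $1 = sysfs path of a still-unauthorized device; authorize if allowed.
authorize_device() {
    dev=$1
    devid="$(cat "$dev/idVendor"):$(cat "$dev/idProduct")"
    classes=$(interface_classes "$(od -An -v -tx1 "$dev/descriptors")")
    if usb_policy "$devid" $classes >/dev/null; then echo 1 > "$dev/authorized"
    else logger -t usb-policy "refused $devid at $dev (classes: $classes)"; fi
}

# Assumed companion rules for /etc/udev/rules.d/ (deny by default, then hand
# each new device to this script):
#   KERNEL=="usb[0-9]*", ATTR{authorized_default}="0"
#   ACTION=="add", SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_device", RUN+="/usr/local/sbin/usb-policy.sh /sys$env{DEVPATH}"
if [ -n "$1" ]; then authorize_device "$1"; fi
```

With authorized_default at 0 your own keyboard is refused too until its id is in ALLOW_LIST, so add it before rebooting; refused devices show up in syslog under the usb-policy tag.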

----------

## khayyam

*ManDay wrote:*

> *disabling all CONFIG_USB*

ManDay ... you should just disable booting as it's far safer ;)

Besides USB, there is disk firmware and many other possible vectors for such intrusion, including UEFI (pdf and youtube). Currently it's possible to bypass Secure Boot (pdf), and I'm sure there is no end of other viable ways around any security feature in the kernel or userland ... if you have access to the source code of the firmware included in all hardware.

best ... khay

----------

## ManDay

*khayyam wrote:*

> *ManDay wrote:* *disabling all CONFIG_USB*
>
> ManDay ... you should just disable booting as it's far safer
>
> Besides USB, there is disk firmware and many other possible vectors for such intrusion, including UEFI (pdf and youtube). Currently it's possible to bypass Secure Boot (pdf), and I'm sure there is no end of other viable ways around any security feature in the kernel or userland ... if you have access to the source code of the firmware included in all hardware.
> ...

Hey khay, firmware viruses do not unsettle me. When they happen (like UEFI), they happen (and then they may be hard or impossible to get rid of). It's more dangerous with USB because, as the speaker pointed out, with USB it's not only a malicious firmware, but that firmware is automatically entitled to be your keyboard or, sometimes, your network adapter.

When an arbitrary non-USB device is infected (say, there is an infected SATA controller) and I plug it in, it will not have an immediate effect; only when I begin to trust the device's function may I suffer the consequences.

When a USB device is infected, however, that will have an immediate effect because it will become a keyboard.

So though USB is not the only device class which can be firmware-infected, it is one of the worst, because merely being connected causes the harm, not only operating it (which presumes trust).

(I believe a UEFI infection may be similarly severe, since here, too, the code is executed upon connection and not only on explicit request.)

And yes, the talk surprised me. I thought people were clever enough to make USB thumbdrive firmware read-only because of the very risks pointed out (I never thought of the keyboard issue for general devices, though). And I'm indeed surprised that it took those two to point out the idiocy of it not being so. Did none of the manufacturers have the brains to foresee that danger? I, for one, have never witnessed a firmware update on a thumb drive.

----------

## khayyam

*ManDay wrote:*

> Hey khay, firmware viruses do not unsettle me. When they happen (like UEFI), they happen (and then they may be hard or impossible to get rid of). It's more dangerous with USB because, as the speaker pointed out, with USB it's not only a malicious firmware, but that firmware is automatically entitled to be your keyboard or, sometimes, your network adapter.

hey MD ... did you read the link I provided? Because with the disk (or other) firmware the question of a 'keyboard' doesn't particularly matter, as 'eavesdropping' can supply control of the machine (login and such) or any of the data (keys, etc). OK, not everyone has access to such firmware, but I'm more inclined to see an issue here than to worry about any USB devices I might connect.

best ... khay

----------

## ManDay

*khayyam wrote:*

> *ManDay wrote:* Hey khay, firmware viruses do not unsettle me. When they happen (like UEFI), they happen (and then they may be hard or impossible to get rid of). It's more dangerous with USB because, as the speaker pointed out, with USB it's not only a malicious firmware, but that firmware is automatically entitled to be your keyboard or, sometimes, your network adapter.
>
> hey MD ... did you read the link I provided? Because with the disk (or other) firmware the question of a 'keyboard' doesn't particularly matter, as 'eavesdropping' can supply control of the machine (login and such) or any of the data (keys, etc). OK, not everyone has access to such firmware, but I'm more inclined to see an issue here than to worry about any USB devices I might connect.
>
> best ... khay

Which link in particular are you referring to? I'm not entirely sure you understand my point. The USB device, contrary to any infected firmware which does not affect the computer unless used as a vector, does so when it just connects to the computer (and yes, I'm not saying it's the only one of those, but it's a class above compromised HDD controllers et al.).

----------

## khayyam

*ManDay wrote:*

> *khayyam wrote:* hey MD ... did you read the link I provided [...]
>
> Which link in particular are you referring to? I'm not entirely sure you understand my point. The USB device, contrary to any infected firmware which does not affect the computer unless used as a vector, does so when it just connects to the computer (and yes, I'm not saying it's the only one of those, but it's a class above compromised HDD controllers et al.).

ManDay ... this one. Not sure I'm understanding it either, at least from the description above. I think you mean that regardless of infection a USB device is a vector (by the nature of the firmware) ... right? Well, yes, I see that, but in the above article they suggest that the method by which that firmware is acquired is via the relationship (contracts, etc) between the spooks and the manufacturer ... my point being that we simply don't know what any of the firmware does, and under such circumstances who knows the nature of the relationship and co-operation involved. So, in short, any of this firmware is suspect. The positive thing about the USB vector is that you do know, and so can take action of some kind.

best ... khay

----------

## CarstenIQ

Yes, firmware is a big issue since it is closed source and you never see what's going on on devices. It's a seamless process and there is no tool or mechanism to validate the firmware for its correctness and correct purpose. The main problem seems to be the update features of devices which permit firmware updates. There seem to be no mechanisms for preventing updates if not desired. It's just required to know how it's being done by the manufacturer. Since most devices which have firmware are nothing more than a microcontroller, based mostly on the same principles and architecture (8051), it facilitates the injection of malicious code. It also provides a good foundation to spread fast and is platform independent. That's some serious nasty shit.

----------

## queen

More technical details can be found here:

http://arstechnica.com/security/2015/02/how-omnipotent-hackers-tied-to-the-nsa-hid-for-14-years-and-were-found-at-last/

----------

## Navar

Impressive. I had not looked at this for a while; too depressing (and yet fascinating) at times.

*arstechnica.com wrote:*

> The stashing of malicious files in multiple branches of an infected computer's registry. By encrypting all malicious files and storing them in multiple branches of a computer's Windows registry, the infection was impossible to detect using antivirus software.

That ends a longstanding question/concern I've had for over a decade. It was already there due to DRM.

While the USB issue is a concern, the overall bigger one is the powerful interdiction ability in general. In other words, nothing is safe if you're targeted. I haven't looked into what outfits like UPS/FedEx had to say regarding this. It's hard to imagine being done on a large scale though.

----------

## CarstenIQ

As it looks, it is already being exploited quite efficiently :Sad:

The Biggest NSA "Backdoor Exploit" Ever

http://youtu.be/L8eO5BYHop8?t=5m36s

----------

