BadUSB – BadUSB exploit makes devices turn “evil – Ars Technica
“There’s no way to get the firmware without the help of the firmware, and if you ask the infected firmware, it will just lie to you,” Nohl explained.
Most troubling of all, BadUSB-corrupted devices are much harder to disinfect. Reformatting an infected USB stick, for example, will do nothing to remove the malicious programming. Because the tampering resides in the firmware, the malware can be eliminated only by replacing the booby-trapped device software with the original firmware. Given the possibility that traditional computer malware could be programmed to use BadUSB techniques to infect any attached devices, the attack could change the entire regimen currently used to respond to computer compromises.
“The next time you have a virus on your computer, you pretty much have to assume your peripherals are infected, and computers of other people who connected to those peripherals are infected,” Nohl said. He said the attack is similar to boot sector infections affecting hard drives and removable storage. A key difference, however, is that most boot sector compromises can be detected by antivirus scans. BadUSB infections can not.
The Black Hat presentation, titled BadUSB—on accessories that turn evil, is slated to provide four demonstrations, three of which target controller chips manufactured by Phison Electronics. They include:
- Transforming a brand-name USB stick into a computer keyboard that opens a command window on an attached computer and enters commands that cause it to download and install malicious software. The technique can easily work around the standard user access control in Windows since the protection requires only that users click OK.
- Transforming a brand-name USB stick into a network card. Once active, the network card causes the computer to use a domain name system server that causes computers to connect to malicious sites impersonating legitimate destinations.
- Programming a brand-name USB stick to surreptitiously inject a payload into a legitimate Ubuntu installation file. The file is loaded onto the drive when attached to one computer. The tampering happens only after it is plugged into a separate computer that has no operating system present on it. The demo underscores how even using a trusted computer to verify the cryptographic hash of a file isn’t adequate protection against the attack.
- Transforming an Android phone into a malicious network card.