BadUSB Attack: Now in The Wild; Exploits to Follow
Security researchers have purposely unleashed tools that could help hackers use USB drives to secretly spread malware on computers, including mobile devices with USB ports. The goal in releasing such tools is to coerce USB drive manufacturers into doing more to protect consumers against such attacks. The attack vector was initially reported in early August of this year, and until now was only theoretical.
The tools were released by security researchers Adam Caudill and Brandon Wilson. Their campaign is inspired by the unveiling of "BadUSB," a type of attack in which a USB thumb drive emulates keyboard keystrokes in order to gain system administrator access, and subsequently the ability to deliver a malware payload to a computer.
The BadUSB attack, which was shown off by Germany's Security Research Labs at this year's Black Hat security conference in Las Vegas, Nevada, isn't hard to launch. The attack requires modifying the firmware on the USB controller, which can easily be done from inside the operating system. A USB thumb drive can become infected when a user launches a malicious executable file, such as an email attachment or a download. (Source: pcworld.com)
BadUSB Hack Demonstrated on YouTube
The tools released by Caudill and Wilson include patches, payloads, and documentation to demonstrate how to install BadUSB on a thumb drive. They've also posted a video to YouTube showing how to launch an effective attack. (Source: youtube.com)
Remarkably, there are very few security tools that can fight this kind of attack, Wilson insists. "[The USB thumb drive contains a complete system on a chip (SoC); effectively, it's] ... a tiny little computer that has complete control over what happens over USB, so it can lie to you; it can do whatever," the security researcher said.
For his part, Caudill hopes the release of BadUSB tools prompts device makers to take malware threats like this one more seriously. Specifically, Caudill wants manufacturers to insist on signed firmware updates for USB controllers, meaning that USB firmware updates cannot be changed once a thumb drive is sent from the manufacturer to retailers, and eventually delivered to consumers. Right now, very few makers of USB storage devices use signed firmware updates, a trend that Caudill and Wilson want to change.
"We really hope that releasing this will push device manufacturers to insist on signed firmware updates," Caudill said in a recent blog post.
Security Researchers Target USB Giant
Caudill and Wilson, who presented their research at last week's Derbycon security conference in Kentucky, focused much of their attention on Taiwan-based USB device manufacturer Phison Electronics, which produces many of the USB controllers available to consumers right now.
"Phison isn't the only player here, though they are the most common," Caudill said. "I'd love to see them take the lead in improving security for these devices." (Source: pcworld.com)
Ways to Help Protect Yourself from BadUSB
If a USB thumb drive has already been infected with BadUSB, all that is needed is to insert the thumb drive into a computer; a malware payload could then be delivered, especially if the system does not use real-time antivirus, or its heuristics are not up to date.
According to Symantec, one of the best ways to protect yourself from BadUSB is to "never leave your computer or mobile devices unlocked or unattended."
For example: if you are able to boot into Windows without requiring a user name or password, you are especially at risk. Anyone can walk up to your computer and insert an infected USB. Another way to help 'lock down' your PC is to have the Windows Screensaver log you out after a period of inactivity. In doing so, your user would be logged out and the USB would have limited functionality until the user has logged back in.
Symantec also recommends "only [inserting] trusted USB devices into computers, [and] do not use or purchase pre-owned USB devices [as] they could potentially contain malicious software." The latter is especially true for tradeshows where USBs are commonly given away free to customers. (Source: mashable.com)
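A defensive check that follows from the keyboard emulation described above, added here as an example and not taken from the article, the researchers or Symantec: walk the configuration descriptor a device reports and list every interface that is not mass storage, since a device the user believes is a thumb drive has no reason to announce a keyboard. The descriptor bytes and the helper names are constructed for illustration (endpoint descriptors are left out), and the check only sees the interface classes the device chooses to announce.

```python
import struct

DT_INTERFACE = 0x04                                  # bDescriptorType: interface
CLASS_NAMES = {0x03: "HID", 0x08: "Mass Storage"}    # USB-IF class codes

def parse_interfaces(blob):
    """Walk a raw configuration descriptor; return (number, class, subclass, protocol)."""
    found, offset = [], 0
    while offset < len(blob):
        if offset + 2 > len(blob):
            raise ValueError("truncated descriptor header")
        length, dtype = blob[offset], blob[offset + 1]
        if length < 2 or offset + length > len(blob):
            raise ValueError(f"bad bLength {length} at offset {offset}")
        if dtype == DT_INTERFACE:
            if length < 9:
                raise ValueError("interface descriptor shorter than 9 bytes")
            found.append((blob[offset + 2], blob[offset + 5],
                          blob[offset + 6], blob[offset + 7]))
        offset += length
    return found

def unexpected_interfaces(blob, allowed_classes=frozenset({0x08})):
    """Interfaces whose class is outside what the user believes they plugged in."""
    report = []
    for number, cls, sub, proto in parse_interfaces(blob):
        if cls not in allowed_classes:
            name = CLASS_NAMES.get(cls, f"class 0x{cls:02x}")
            if cls == 0x03 and sub == 0x01 and proto == 0x01:
                name = "HID boot keyboard"
            report.append((number, name))
    return report

def build_config(*interfaces):
    """Hypothetical helper: wrap interface bytes in a configuration descriptor."""
    body = b"".join(interfaces)
    header = struct.pack("<BBHBBBBB", 9, 0x02, 9 + len(body),
                         len(interfaces), 1, 0, 0x80, 50)
    return header + body

def build_iface(number, cls, sub, proto, extra=b""):
    """Hypothetical helper: one 9-byte interface descriptor plus class-specific bytes."""
    return bytes([9, DT_INTERFACE, number, 0, 0, cls, sub, proto, 0]) + extra

# Constructed samples, not captured from real hardware.
HID_DESC = bytes([9, 0x21, 0x11, 0x01, 0, 1, 0x22, 63, 0])    # HID class descriptor
PLAIN_DRIVE = build_config(build_iface(0, 0x08, 0x06, 0x50))  # SCSI, bulk-only
COMPOSITE = build_config(build_iface(0, 0x08, 0x06, 0x50),
                         build_iface(1, 0x03, 0x01, 0x01, HID_DESC))

if __name__ == "__main__":
    for label, blob in (("plain drive", PLAIN_DRIVE), ("composite", COMPOSITE)):
        print(label, unexpected_interfaces(blob) or "only mass storage interfaces")
```

On Linux the same class values are exposed per interface in sysfs as `bInterfaceClass`, so the comparison can be made against a live device without parsing raw bytes.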
What's Your Opinion?
Do you think that showing hackers how to use BadUSB is a wise move? Do you think it will force USB manufacturers to take security more seriously? Are you wary of using USB thumb drives because of threats like BadUSB?
Comments
usb security
The most important thing for usb manufacturers to do is bring back the physical write protect switch as was used on older low capacity drives and is still used on SD cards.
This prevents anything writing to the usb drive when transferring personal files to an unknown computer if the computer is infected, therefore transferring the infected file to your home or office computer when drive is used on it again, without having to scan drive each time after use, when no files have been added to it.
Unbelievably stupid move
I guess they don't understand the concept of crimes of opportunity.
Publicity Hounds
This approach is wrong and should be properly chastised and condemned. There is a big difference between informing the computer industry (hardware and software producers) and publicly providing the tools/knowledge to launch malicious attacks. These guys are just grandstanding and drawing attention to themselves while unnecessarily putting users at further risk.