Most USB thumb drives can be reprogrammed to silently infect computers

The firmware in such devices is unprotected and can be easily overwritten by malware, researchers from Security Research Labs said

Most USB devices have a fundamental security weakness that can be exploited to infect computers with malware in a way that cannot easily be prevented or detected, security researchers found.

The problem is that the majority of USB thumb drives, and likely other USB peripherals available on the market, do not protect their firmware -- the software that runs on the microcontroller inside them, said Karsten Nohl, the founder and chief scientist of Berlin-based Security Research Labs.

This means that a malware program can replace the firmware on a USB device like a thumb drive by using secret SCSI (Small Computer System Interface) commands and make it act like some other type of device, for example, a keyboard, Nohl said.

The spoofed keyboard could then be used to emulate key presses and send commands to download and execute a malware program. That malware could reprogram other USB thumb drives inserted into the infected computer, essentially becoming a self-replicating virus, the researcher said.

Researchers from Security Research Labs have developed several proof-of-concept attacks that they plan to present at the Black Hat security conference in Las Vegas next week.

One of the attacks involves a USB stick that acts as three separate devices -- two thumb drives and a keyboard. When the device is first plugged into a computer and is detected by the OS, it acts as a regular storage device. However, when the computer is restarted and the device detects that it's talking to the BIOS, it switches on the hidden storage device and also emulates the keyboard, Nohl said.

Acting as a keyboard, the device sends the necessary button presses to bring up the boot menu and boots a minimal Linux system from the hidden thumb drive. The Linux system then infects the bootloader of the computer's hard disk drive, essentially acting like a boot virus, he said.

Another proof-of-concept attack developed by Security Research Labs involves reprogramming a USB drive to act as a fast Gigabit network card.

As Nohl explained, OSes prefer a wired network controller over a wireless one and a Gigabit ethernet controller over a slower one. This means the OS will use the new spoofed Gigabit controller as the default network card.

The USB device also emulates a DHCP (Dynamic Host Configuration Protocol) server that automatically assigns a DNS (Domain Name System) server to the spoofed controller, but not a gateway address. In this case, the OS will continue to use the gateway specified by the real network card -- so the Internet connection will not be disrupted -- but the DNS server from the spoofed controller, Nohl said. By controlling the DNS server, which translates domain names into IP (Internet Protocol) addresses, an attacker can hijack the Internet traffic, he said.

To show that this attack is not only possible with USB thumb drives, the researchers will also use an Android phone connected to the computer to emulate a rogue network card.

Any USB connection can turn evil, Nohl said. If you let someone connect a USB thumb drive or charge a phone on your computer you essentially trust them to type commands on your computer, he said.

The attacks developed by Security Research Labs underline the difficulty of having both the versatility of the USB standard and security at the same time. The greatest feature of USB -- its plug-and-play capability -- turns out to be its greatest vulnerability as well, according to Nohl.

Unfortunately, there's no easy fix for this problem. The Security Research Labs researchers have identified several ways to address this issue, but none of them solve the problem completely or in a timely manner.

One place where the issue could be fixed is in the USB specification by requiring that a secure pairing process is used when adding new USB devices to a computer, similar to the one used for Bluetooth devices. However, even if the USB specification is changed, it could take years before the new standard is adopted and new devices replace the old ones.

OSes could also ask users to confirm the addition of new USB devices to their computers and then remember the approved devices -- a sort of USB firewall. However, this might not even be possible because many USB devices use a string of zeros for their serial number and there's no way for the OS to distinguish between them, Nohl said. Also, this doesn't solve the attack vector where the USB device infects the boot sector from outside the OS.

An obvious place to fix the issue would be in the USB microcontrollers themselves by requiring firmware updates to be digitally signed or by implementing some sort of hardware locking mechanism that prevents overwriting the firmware once the device leaves the factory. Nohl said that he and his team haven't seen such protections in any of the USB thumb drives they tested.

Even if manufacturers start implementing such protections there would have to be a way to tell new USB thumb drives apart from old, insecure ones, so that users can make an informed decision about which devices they connect to their computers.

Finally, a more short-term solution would be for users to start understanding the risks and be cautions about which USB devices they plug into their computers, Nohl said. For the purpose of exchanging files with other people an SD (Secure Digital) memory card would be a safer choice than a USB thumb drive, he said.

Join the CSO newsletter!

Error: Please check your email address.

Tags peripheralssecurityDesktop securityExploits / vulnerabilitiesmalwareSecurity Research Labs

More about Linux

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Lucian Constantin

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts