USB flash drives contain unfixable security holes - exploitable sample code out and about
[QUOTE=Tamschi;46143549]
I know FireWire does that and it's a ridiculously bad idea, but USB?
[/QUOTE]
I remember from some tour at the Dutch Cybercrime unit they'd show dumping RAM via FireWire. Besides that they also had special outlets that let them move computers without interrupting the power. Sort of unrelated but pretty cool stuff.
I also wouldn't be surprised if antivirus programs update in the near future to scan flash drives, which shouldn't be a problem seeing as you can write the firmware from Windows; I don't see why reading it would be a problem.
The dangerous thing about this now is attacks on the USB manufacturers. Recall the few stories in the past where hackers were able to gather system info on the computers on the assembly lines (Something equivalent to Stuxnet), get manuals/documentation, breach and inject malicious code.
If the same is done with the computers that program the USB controllers (And by changing the checksums, etc), then a massive backdoor could be installed upon countless USB drives potentially without any warning.
[QUOTE=Rixxz2;46143367]Yes, but that is a drive specifically designed for that purpose.
The thing in the article is something that affects every single flash drive currently in existence[/QUOTE][QUOTE=Killuah;46143485]All USB controllers produced until today and probably quite a few months into the future have the security hole.[/QUOTE]
Potentially. They have only shown it to work on one manufacturer's USB controllers last I had read. The article even says this.
They are exploiting the manufacturer allowing their USB devices' firmware to be overwritten without any secure measures in place to prevent it. Security measures which the USB standard provides as an option.
That isn't to say this doesn't have the potential to be quite major (because, you don't have to be infected from a USB device, malware from the internet could use this to prevent itself from being removed), just that it hasn't been proven to be.
[QUOTE=Goz3rr;46144312]I remember from some tour at the Dutch Cybercrime unit they'd show dumping RAM via FireWire. Besides that they also had special outlets that let them move computers without interrupting the power. Sort of unrelated but pretty cool stuff.
I also wouldn't be surprised if antivirus programs update in the near future to scan flash drives, which shouldn't be a problem seeing as you can write the firmware from Windows; I don't see why reading it would be a problem.[/QUOTE]
My understanding from the Black Hat presentation on this is the firmware is needed to read/write it, so the firmware can just refuse to be read, or lie and pretend to some non-malicious firmware.
Guess it's time for USB 3.1 to fix that leaky hole.
I'll have to make sure never to put hacks on my USB stick and hack myself by accident then, I guess.
can someone explain what exactly this means please.
So what, the USB drives firmware itself can infect a computer?
I wonder how many devices firmware can infect a computer.
[QUOTE=GunFox;46143425]Pretend to be a game controller.
Once, every four minutes, push the right stick in the left direction once for half a second.
Imagine how maddening that would be while trying to play basically anything, but FPS games in particular.[/QUOTE]
I had something like that happen to me, back in the days playing CS 1.5.
A gamepad was lying behind the PC case, plugged into the USB. Every time I joined a server, my view would rotate to the left. It took me months to figure out what was causing it, and boy was I mad to find out it was a gamepad lying with the analog stick on the table.
I think I remember seeing this at CeBIT 2014 - they reprogrammed a regular USB flash drive to send keyboard inputs as soon as they plugged it in.
[QUOTE=k2.;46144702]can someone explain what exactly this means please.[/QUOTE]
So I infect a computer at the public library, you come in after me to do some work and save it on your USB, and the second you plug your USB into that infected computer your USB turns into a BadUSB. You then go to work and plug it into the computer you use, and once again any USB that touches that computer will be infected.
The exploit that got loaded onto your work computer gives me almost unlimited options, you are screwed.
The little flag topping off this pile of shit is the fact that this exploit bypasses security, is only fixable on brand new USBs so anything made in the last 10+ years can only be fixed by burning with fire, and is undetectable so you'll never even know someone has access to your system.
But the big question is, should you be worried about this and what can you do to stop it?
For your personal computer: pretend USBs and your ports are making sweet, sweet love and not just sharing data. Don't let your USB have risky sex; make sure it only penetrates safe targets.
For office computers: you're fucked unless you fill in all the ports with superglue, for the simple reason that even if you tell your employees not to use USBs at work, you know that one idiot is going to. All it takes is that one idiot to completely infect your entire office.
[QUOTE=Cakebatyr;46143218]I think we all know what this means.
RS232 flash drives are back in style.[/QUOTE]
Fuck that, Zip Drives ho.
[QUOTE=Tamschi;46144130]Not that low, actually. Once in a while there's a shipment of infected computers so it's not unreasonable to assume the same could happen with flash drives.[/QUOTE]
That was a result of the NSA intercepting a shipment of HP computers, adding malware to them and then sending them on their way. There was an article on it a few months back because it was leaked by Snowden.
[QUOTE=J!NX;46144762]I wonder how many devices firmware can infect a computer.[/QUOTE]
It's interesting actually, IIRC someone hacked a hard drive to store a simple virus that would open security exploits on the machine it was attached to, you could wipe the drive but the virus was actually on the firmware itself; sort of spooky in a dedi/shared hardware environment.
Another instance was the NSA's very own DEITYBOUNCE: [url]http://resources.infosecinstitute.com/nsa-bios-backdoor-god-mode-malware-deitybounce/[/url]
So basically, this exploit allows any USB storage device to interact with the device it's plugged into as any device class and perform arbitrary functions the class is capable of?
This doesn't really seem like THAT big of a deal. If something modifies the network adapters or starts inputting commands into the keyboard/mouse drivers it's gonna be easily noticed.
I dunno anything about malicious USB devices interfacing with other devices plugged into the other USB hubs, but considering how most devices would necessitate third-party drivers or applications and how limited the functions of most classes are, it doesn't seem like this would be much more effective than planting a virus.
[QUOTE=Tamschi;46143549]Wait what? Since when do USB devices have access to host RAM?
I know FireWire does that and it's a ridiculously bad idea, but USB?
Apart from that this is pretty harmless, just lets you do movie-style hacks by plugging in the flash drive and having a bunch of code pouring into a console window on screen.
[editline]3rd October 2014[/editline]
This is cool though, essentially gives programmable chip devices to everyone for a few cents.
(I think if you hook it up to a charger and splice the cable you should be able to control some stuff with it.)[/QUOTE]
It's not harmless at all. This is what you can do with a Rubber Ducky: [url]http://channel9.msdn.com/Events/TechDays/Techdays-2014-the-Netherlands/Hackers-Not-Halted[/url]
Watch from 29 minutes on and you'll see (slowed down) what you can do on a machine with that "movie-style hacking". Then imagine every USB flash drive being able to be turned into a Rubber Ducky.
[QUOTE=Tamschi;46143549]This is cool though, essentially gives programmable chip devices to everyone for a few cents.
(I think if you hook it up to a charger and splice the cable you should be able to control some stuff with it.)[/QUOTE]
This is what I got out of it too.
I kinda want to know more about how to do some of this firmware hackery and see if I can do something fun with all these crappy USB devices littering my bottom desk drawer.
There's a comment on the Wired article ([url]http://www.wired.com/2014/10/code-published-for-unfixable-usb-attack[/url]) from a guy who designs USB controllers (apparently) which says it isn't as bad or as widespread as people make it out to be:
[quote]Nohl's research has some serious holes in it. This attack vector, while possible, is incredibly narrow, and any attempt to paint BadUSB as a serious threat is basically FUD. This is a repost of Clandestine Moniker's response to the last BadUSB article Wired decided to scare the masses with:
_____________________________________
I make a living designing and selling USB controllers and I can say this article is very sensationalist and it is only telling a half-truth. Yes, some USB devices rely on firmware for fundamental operation and yes, the device firmware of *SOME* USB devices can be field-upgraded or otherwise updated, but to claim that USB itself is fundamentally broken due to this limited attack vector is nonsense.
There are three things that make this attack very specific and difficult to execute:
1) Most USB device controllers are ASICs, or Application Specific Integrated Circuits. They are usually highly optimized to perform their intended function very well, and they usually do not have extensibility to become other devices. For example, one of my company's products is a USB 3.0 to SATA Bridge, which is used in USB 3.0 external drives. Our USB 3.0 to SATA bridge contains USB endpoints for USB Mass Storage Class and that's it. Even if you re-programmed our device firmware, all it could be is a USB Mass Storage Class device since the USB endpoint number and types are fixed in hardware. We did this to make the chip as lean as possible. It is impossible to program our chip to become a functional networking controller or a keyboard device since we don't support those features on the silicon.
>>>> Not all USB devices can be infected! Even if you managed to infect the device, chances are you'd brick it rather than make it into something malicious. Manufacturers are usually cost sensitive and they find ways to trim costs everywhere they can ~ releasing general-purpose controllers for commodity devices is, by definition, wasteful.
2) Device manufacturers are generally very protective of their device firmwares, since the device firmwares usually contain stuff device manufacturers don't want other people to know about such as work-arounds for bugs in the silicon, or proprietary algorithms which may enhance performance or reliability, etc. The source code for most device firmwares is never published, and even if it is, there is very little documentation or active support. Finally, device manufacturers often have at least rudimentary checks in place within their controllers to check if the firmware is "valid", though these checks can vary between cryptographic hashing to simple checksums to length checks.
>>>>> Getting access to and mucking around with a device's firmware is hard. Many ASICs use customized MCU cores and without published register/programming guides, it is very difficult to reverse-engineer.
3) Assuming that you've found a USB device controller that for some reason can be programmed arbitrarily to support other USB classes and endpoints, and assuming again you found the firmware source code or otherwise reverse-engineered the device's firmware, you still need to be able to program the device. The vast majority of USB 2.0 and 1.1 devices have fixed firmwares that cannot be updated. The firmware code is often stored on a metal layer in the silicon itself, and there is no way for it to be changed. If the firmware is stored on an external memory device, you still need to find a method to reprogram it, either using (undocumented) vendor commands or using dedicated hardware.
>>>>> Most USB device controllers don't support being reprogrammed at all, even if they run on firmware. Some ASICs don't have an MCU and instead rely purely on a logical state machine, so that entire subclass is immune. Many ICs have a MASK ROM such that the firmware program is stored in some type of unwritable read-only medium and they are totally immune to this attack as well.[/quote]
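The "any device class" question earlier in the thread and the controller designer's point about endpoints and classes being fixed in hardware both come down to what a device declares in its USB configuration descriptor. As an added example (not code from anyone in this thread), the script below parses that descriptor from raw bytes and flags a device that enumerates as storage plus a keyboard or network interface; the sample descriptors are constructed, and the class-mix policy is an assumption of this example, not part of any poster's claim.

```python
import struct

# Standard USB descriptor types and interface class codes (from the USB spec)
CONFIGURATION, INTERFACE, ENDPOINT, HID_DESC = 0x02, 0x04, 0x05, 0x21
CLASS_NAMES = {0x02: "CDC", 0x03: "HID", 0x08: "Mass Storage", 0x0A: "CDC-Data", 0xE0: "Wireless"}
RISKY_WITH_STORAGE = {0x02, 0x03, 0x0A, 0xE0}  # assumed policy: should not sit beside Mass Storage

def parse_interfaces(config):
    """Walk a configuration descriptor chain; return one dict per interface descriptor."""
    if len(config) < 9 or config[1] != CONFIGURATION:
        raise ValueError("not a configuration descriptor")
    total = struct.unpack_from("<H", config, 2)[0]  # wTotalLength
    if total > len(config):
        raise ValueError("wTotalLength exceeds the bytes supplied")
    interfaces, pos = [], 0
    while pos + 2 <= total:
        length, dtype = config[pos], config[pos + 1]
        if length < 2 or pos + length > total:
            raise ValueError("malformed descriptor at offset %d" % pos)
        if dtype == INTERFACE and length >= 9:
            interfaces.append({"number": config[pos + 2], "endpoints": config[pos + 4],
                               "class": config[pos + 5], "subclass": config[pos + 6]})
        pos += length  # endpoint, HID and vendor descriptors are skipped by their bLength
    return interfaces

def assess(config):
    """Class-mix policy (similar in spirit to usbguard rules): storage plus a
    keyboard or network interface in one device is the BadUSB pattern."""
    classes = {i["class"] for i in parse_interfaces(config)}
    suspicious = classes & RISKY_WITH_STORAGE if 0x08 in classes else set()
    return {"classes": sorted(CLASS_NAMES.get(c, "0x%02x" % c) for c in classes),
            "flagged": bool(suspicious)}

def build_config(ifaces):
    """Constructed sample data: assemble a configuration descriptor from (class, subclass, protocol, [endpoints]) tuples."""
    body = b""
    for num, (cls, sub, proto, eps) in enumerate(ifaces):
        body += struct.pack("<BBBBBBBBB", 9, INTERFACE, num, 0, len(eps), cls, sub, proto, 0)
        if cls == 0x03:  # HID interfaces carry a HID class descriptor before their endpoints
            body += struct.pack("<BBHBBBH", 9, HID_DESC, 0x0111, 0, 1, 0x22, 63)
        for addr in eps:
            attrs = 0x03 if cls == 0x03 else 0x02  # interrupt for HID, bulk otherwise
            body += struct.pack("<BBBBHB", 7, ENDPOINT, addr, attrs, 64, 1 if attrs == 0x03 else 0)
    return struct.pack("<BBHBBBBB", 9, CONFIGURATION, 9 + len(body), len(ifaces), 1, 0, 0x80, 50) + body

# Constructed samples: a bulk-only SCSI flash drive, and the same drive with a boot-protocol
# keyboard interface added, as a reprogrammed controller that also types would present
FLASH_DRIVE = build_config([(0x08, 0x06, 0x50, [0x81, 0x02])])
STORAGE_PLUS_KEYBOARD = build_config([(0x08, 0x06, 0x50, [0x81, 0x02]), (0x03, 0x01, 0x01, [0x83])])
```

On a real host the same check would run over the descriptor bytes the kernel exposes at enumeration time; the point is that a device's declared classes are visible before any driver binds to it.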