Welcome Turk Hack Team Members,
In this article, we will focus on a new family of malware: the BadUSB attacks.
The BadUSB attack is a recent discovery ( while the principle isnt new in itself ) and allows to turn any USB device into a cyber weapon that is able to immediately inject malware code into a computer without the possibility to be detected.
BadUSB uses the fact that a great variety of different devices connect into USB connectors. By changing the behavior of the USB micro-controller of a normal device, like a USB memory disk, for instance, the BadUSB can change it into something totally different, like a keyboard or a network card.
It is enough to plug the modified (BadUSB) device into a computer and the rogue device can execute commands or inject malicious software without prior acknowledgment or consent of the owner.
In some attacks, the BadUSB software transforms the firmware of the USB device so that it appears as a keyboard to the operating system. For example, the DIY Rubber Ducky USB is a commercial hacking package (45$) that injects about 1,000 words per minute into a computer once it is inserted.
BadUSB attacks are dangerous since most antivirus and malware scanners usually have no way to access the firmware on the USB devices and cannot protect the computer.
Any computer which can be reached by a USB port is potentially vulnerable. This is particularly true for industrial systems where malevolent code can be injected into critical devices just by plugging for a few seconds a USB device into them.
Table of Contents
How a BadUSB Attack Works
Introduction on how BadUSB attack works
Here is a list of attacks that the badUSB malicious devices are able to perform:
USB is a serial communication protocol (Universal Serial Bus). Any device which has a USB male connector can be connected to one of the USB ports in a modern computer. The way computers react to a USB device been plugged into them is dictated by USB protocol. The computer implements its side of the protocol (usually inside the motherboard as a USB controller) while the USB device implements on its side USB protocol as well inside a firmware. Nothing prevents someone to make some variants of USB controllers which can copy the data been transferred to some alternate backup storage for example. In fact, this is known as a USB spy protocol analyzer device, dedicated hardware that can be used to debug a USB implementation. All the same, it is possible to implement a USB pseudo-keyboard in a small electronic board and put it into something which looks like the enclosure of a USB stick. The pseudo-keyboard will identify itself as a keyboard HID device and will immediately be trusted by the operating system.
Possible BadUSB Devices
Virtually anything can be inserted which can be miniaturized into a USB stick form factor. For example:
One of the most striking badUSB devices is USB charging cables (or USB adapters), the ones that are used all over the world to recharge smartphones for instance.
Some security experts managed to build a badUSB version of a standard USB charging cable (codename USB harpoon) which is able to compromise a computer almost instantaneously. Once the fake charging cable is inserted, it is activated as a device able to send commands to the host computer. Some attacks even involve the physical destruction of the computer by charge overload!
Potential Preventions Against a BadUSB attack
Keyboard Authorization
Because of the nature of the attack, there are not a lot of possible preventions. Some AntiVirus companies have developed BadUSB Attack Prevention components. They prevent the BadUSB devices to emulate a keyboard with the following trick:
Once a USB device connects to the computer and is identified by the Operating System as a keyboard, the antivirus requires the user to input a numerical challenge code which is generated by the antivirus from the new USB keyboard. Such a procedure is known as keyboard authorization. The antivirus will therefore only allow the use of an authorized keyboard and will block any other keyboard which has not been authorized.
Still resident security software if they cannot block the badUSB device, can also detect the malware itself launched from the BadUSB.
Modification of the USB Norm
One possible remedy of the badUSB attacks would be to modify the USB norm so that fingerprints or handshakes would identify with certainty devices.
USB manufacturers are certainly looking seriously into the issue. Meanwhile, this is unlikely to happen soon since the USB norm involves a lot of blue-chip corporations which must all agree before changes are done.
WhiteListing USB devices
It is possible to allow only specific drivers to be installed by their GUID. It is also possible to restrict the authorization for the installation of USB devices such as keyboards, etc..
USB Firewalls Devices
Some companies are selling USB hardware firewalls, standing between a computer and other USB devices. The firewall filters the commands sent to the USB guest device.
User Vigilance
Finally, the following checklist should be performed by a user.
//Quoted. Thanks for reading.
In this article, we will focus on a new family of malware: the BadUSB attacks.
The BadUSB attack is a recent discovery ( while the principle isnt new in itself ) and allows to turn any USB device into a cyber weapon that is able to immediately inject malware code into a computer without the possibility to be detected.
BadUSB uses the fact that a great variety of different devices connect into USB connectors. By changing the behavior of the USB micro-controller of a normal device, like a USB memory disk, for instance, the BadUSB can change it into something totally different, like a keyboard or a network card.
It is enough to plug the modified (BadUSB) device into a computer and the rogue device can execute commands or inject malicious software without prior acknowledgment or consent of the owner.
In some attacks, the BadUSB software transforms the firmware of the USB device so that it appears as a keyboard to the operating system. For example, the DIY Rubber Ducky USB is a commercial hacking package (45$) that injects about 1,000 words per minute into a computer once it is inserted.
BadUSB attacks are dangerous since most antivirus and malware scanners usually have no way to access the firmware on the USB devices and cannot protect the computer.
Any computer which can be reached by a USB port is potentially vulnerable. This is particularly true for industrial systems where malevolent code can be injected into critical devices just by plugging for a few seconds a USB device into them.
Table of Contents
- How a BadUSB Attack Works
[*]Possible BadUSB Devices
[*]Potential Preventions Against a BadUSB attack - Keyboard Authorization
- Modification of the USB Norm
- WhiteListing USB devices
- USB Firewalls Devices
- User Vigilance
How a BadUSB Attack Works
Introduction on how BadUSB attack works
Here is a list of attacks that the badUSB malicious devices are able to perform:
- The badUSB can pretend to be Human Interface Devices (HID) such as keyboards or mice;
- They can spy the data sent from the host computer to a USB slave device from a given USB hub. For example, they can intercept data written to a USB disk or sent it to a printer, etc
- Take control over the system using low-level debugging on a certain type of BIOSes;
- They can exploit USB class drivers or file systems with malicious input. For example, files copied from a legit USB drive to a computer could be tampered with and injected with malicious code.
USB is a serial communication protocol (Universal Serial Bus). Any device which has a USB male connector can be connected to one of the USB ports in a modern computer. The way computers react to a USB device been plugged into them is dictated by USB protocol. The computer implements its side of the protocol (usually inside the motherboard as a USB controller) while the USB device implements on its side USB protocol as well inside a firmware. Nothing prevents someone to make some variants of USB controllers which can copy the data been transferred to some alternate backup storage for example. In fact, this is known as a USB spy protocol analyzer device, dedicated hardware that can be used to debug a USB implementation. All the same, it is possible to implement a USB pseudo-keyboard in a small electronic board and put it into something which looks like the enclosure of a USB stick. The pseudo-keyboard will identify itself as a keyboard HID device and will immediately be trusted by the operating system.
Possible BadUSB Devices
Virtually anything can be inserted which can be miniaturized into a USB stick form factor. For example:
- Keyboard;
- Network card;
- Mouse;
- Bluetooth connector.
One of the most striking badUSB devices is USB charging cables (or USB adapters), the ones that are used all over the world to recharge smartphones for instance.
Some security experts managed to build a badUSB version of a standard USB charging cable (codename USB harpoon) which is able to compromise a computer almost instantaneously. Once the fake charging cable is inserted, it is activated as a device able to send commands to the host computer. Some attacks even involve the physical destruction of the computer by charge overload!
Potential Preventions Against a BadUSB attack
Keyboard Authorization
Because of the nature of the attack, there are not a lot of possible preventions. Some AntiVirus companies have developed BadUSB Attack Prevention components. They prevent the BadUSB devices to emulate a keyboard with the following trick:
Once a USB device connects to the computer and is identified by the Operating System as a keyboard, the antivirus requires the user to input a numerical challenge code which is generated by the antivirus from the new USB keyboard. Such a procedure is known as keyboard authorization. The antivirus will therefore only allow the use of an authorized keyboard and will block any other keyboard which has not been authorized.
Still resident security software if they cannot block the badUSB device, can also detect the malware itself launched from the BadUSB.
Modification of the USB Norm
One possible remedy of the badUSB attacks would be to modify the USB norm so that fingerprints or handshakes would identify with certainty devices.
USB manufacturers are certainly looking seriously into the issue. Meanwhile, this is unlikely to happen soon since the USB norm involves a lot of blue-chip corporations which must all agree before changes are done.
WhiteListing USB devices
It is possible to allow only specific drivers to be installed by their GUID. It is also possible to restrict the authorization for the installation of USB devices such as keyboards, etc..
USB Firewalls Devices
Some companies are selling USB hardware firewalls, standing between a computer and other USB devices. The firewall filters the commands sent to the USB guest device.
User Vigilance
Finally, the following checklist should be performed by a user.
- Can anyone besides the user access the USB ports of the users computer?
- Does the user trust a given USB device and can assert that the company that developed its USB firmware can be trusted?
- Has there any certification of the device USB firmware? Has there any guarantee that the firmware running on the USB device hasnt been altered during or after the manufacturing?
//Quoted. Thanks for reading.
