How Bad is BadUSB?
A friend has asked me, as his technical "guru", how bad BadUSB is. Now, I'm not an expert on these things, so I had to do a little research.
USB devices (like thumb-drives, webcams, cellphones, and printers) have a micro-controller that runs the conversation across the USB cable. This micro-controller is a very small, very simple computer, running a program. Some USB devices expose an interface that allows an outside device, connected to the USB cable, to reprogram this very simple computer. "BadUSB" refers to this ability, when used to reprogram the USB device to behave in a way that could damage the systems connected to it.
SRI (the originators of the "BadUSB" study) go on to say
Once reprogrammed, benign devices can turn malicious in many ways, including:
- A device can emulate a keyboard and issue commands on behalf of the logged-in user, for example to exfiltrate files or install malware. Such malware, in turn, can infect the controller chips of other USB devices connected to the computer.
- The device can also spoof a network card and change the computer’s DNS setting to redirect traffic.
- A modified thumb drive or external hard disk can – when it detects that the computer is starting up – boot a small virus, which infects the computer’s operating system prior to boot.
These, of course, are very serious problems, introduced by the ability to install firmware updates through the USB "DFU" ("Device Firmware Upgrade") interface available on some USB devices.
Others (like USB hardware vendor Yubico) think that, at this time, BadUSB doesn't present a serious threat. On their blog, Yubico says
However, although conceptually feasible, such attacks are not that easy to execute practically and to make them widespread. There are quite a few reasons for that.
- Many low-end USB devices do not support DFU, either because the firmware is factory-programmed in a non-alterable mask ROM, one-time-programmable ROM or simply because there is no DFU mechanism implemented. Supporting DFU adds cost and complexity and therefore makes little sense for low-cost mass-market devices, such as thumb drives, card readers, keyboards and mice.
- To perform DFU, often some active (and usually quite awkward) sequence has to be performed by the user, such as holding a button while the device is power cycled. Then, a specific executable has to be run in the computer where the device is connected to perform the actual firmware upgrade. This is not something that is likely to happen without the user actively initiating it.
- An attack of this kind has to be targeted on a per device model basis, and then requires extensive knowledge of the particular implementation, including reverse-engineering. An attack that works for a specific device will only work for that particular version of the device. Making a blast to a large number of users and try to fool them to upgrade with a malign image seems somewhat unlikely to get more than a marginal impact.
- Many low-end USB devices have limited memory capabilities which cannot be upgraded with a firmware that can do anything really evil while maintaining their intended function. So, if the device is infected, it won’t be able to perform what it was designed to do. High-end devices, such as MP3-players, cameras and phones are a different story, but there the problem can be mitigated by code signing.
So, what do I answer to my friend's question?
I guess that I tell him that, apparently, a "BadUSB' device can attack his system, whether it is Linux or Windows, or Mac OS. I tell him that, like floppy disks before them, USB devices can (with some difficulty) carry the equivalent of "boot sector viruses". Because of this, he should be cautious in accepting USB devices from acquaintances, but he should have no problem with devices that he has purchased himself.
And, I also tell him that, even with all that caution, he probably need not worry about BadUSB quite yet; it seems more of an expensive concept, more useful to governments and big bad business than to basement hackers, and probably won't affect him. Yet.