We plan to distribute our new software using USB flash drives. The plan is for the field service specialists to visit our customers and upgrade the software using one of our flash drives. However, we want to be able to reuse the flash drives. Can these flash drives become infected by malware like BadUSB? Do you recommend any tool to detect USB flash drive with malware in the firmware?
-
1Just a thought, I would recommend ditching the USB & using a web download whereby the hash can be verified. If web download is not realistic, this situation would definitely make me nervous & I would consider a USB per customer, charge for the upgrade, and therefore you don't have liability of carrying over undetectable trash from one customer's machine to another. – Josh Salganik Mar 28 '18 at 04:11
4 Answers
Here you will find a guide on how to prevent BadUSB infected sticks from becoming harmful. This will however not prevent the stick from getting infected.
The problem with what you're trying to do is reading out the firmware to analyze it. You simply can't for most USB's. The way the attack reflashes the firmware is with a "secret" (undocumented, vendor-specific) SCSI command that updates it. There are ususally no read commands even implemented.
A simpler solution is to use a write-protected USB (there are plenty of models that have a read only switch).
You'll need a write protect to prevent reflashing of the USB firmware, not the normal read-only switch of the storage. If I recall correctly most USB controllers don't have that. There are usb controllers that are write-protected with a 'fuse' after leaving the factory but you'll have to dig really deep to find those specs.
- 4,793
- 13
- 30
Undetectable infection is a potential risk
While careful analysis of a particular suspected device is likely to yield results, and you can detect signatures of particular popular attacks, you can't simply avoid the whole class of "BadUSB-like" vulnerabilities.
To borrow a quote from the original detection of BadUSB, "There's no way to get the firmware without the help of the firmware, and if you ask the infected firmware, it will just lie to you."
It's conceptually not possible to remotely analyze a potentially hostile computer (the USB drive) connected to you via a network (the USB protocol) and ensure anything about it's contents. A compromised device can easily imitate any and all responses of a "good" device until and unless certain conditions are met, when it will deploy a payload.
If a new attack appears, your drives may become infected by it in an undetectable way.
- 8,369
- 1
- 26
- 35
If you watch the documentary 'Citizenfour' you might notice that Edward Snowden hands the documents to the journalists using an SD card.
Many SD cards do have a write protection switch at the side, as other answerers have mentioned of USB flash sticks. Though I'm afraid I don't know if it is a hardware or software switch - you will need to check that out.
The original researcher of badUSB states that many SD card readers are also vulnerable.
- 760
- 1
- 5
- 10
-
3The SD write protection only prevents accidental overwriting of your files, it won't deter a determined malicious attacker. http://security.stackexchange.com/questions/53365/is-the-sd-card-write-protection-hard-wired-or-optional for an earlier discussion. For current storage, all these switches are software toggles "please don't write" and don't actually prevent writing if appropriate data is sent to the device. – Peteris Dec 14 '16 at 14:49
Your proposal is over-complex to practically implement. A way to detect is to have an analysis station where you store the firmwares of the USB drives and compare them when the USBs come back.
A simpler solution is to use a write-protected USB (there are plenty of models that have a read only switch).
- 8,779
- 3
- 19
- 28
-
4A USB flash drive with a read only switch can also have vulnerable firmware, and that firmware can decide to ignore that read only switch. Furthermore, even if the actual flash memory would be physically read-only, the stick could still be vulnerable as the firmware has separate memory that can be compromised. – Peteris Dec 14 '16 at 14:54