56

I read a BBC article about empty USB sticks containing malware:

Berlin-based researchers Karsten Nohl and Jakob Lell said a device that appeared to be completely empty could still contain a virus.

  • How can "empty" USB sticks contain malware?
  • Is this only a problem for (legacy) Windows systems?
  • Is there some way to use these sticks while protecting yourself?

This question may seem similar to other questions but those have not concerned empty sticks.
Community
  • 1
Gruber
  • 1,084
  • 1
  • 8
  • 19
  • 9
    What do you mean by empty? – grc Sep 22 '16 at 05:47
  • 6
    @grc: I suppose it means that if you insert the device and look at its filesystem, you'd see no files. – Gruber Sep 22 '16 at 05:48
  • 68
    If you insert an untrusted USB, you've already lost, regardless of what you see. – grc Sep 22 '16 at 05:49
  • 3
    @grc: That may be true. The question is how empty devices can contain malware, if all platforms are affected, and how you can defeat the malware. – Gruber Sep 22 '16 at 05:51
  • 3
    Simple. Plug and Play driver = infected. Unsigned drivers, etc. You plug it in, and suddenly your stuff's silently being exfiltrated to a server in Zhejiang province. – Mark Buffalo Sep 22 '16 at 05:59
  • 5
    @Mark Buffalo: So this is a Windows only problem? Plug and play is disabled in recent Windows versions, right? Where does virus hide? – Gruber Sep 22 '16 at 06:00
  • 7
    When I read the article I thought of the rubber ducky (see http://hakshop.myshopify.com/products/usb-rubber-ducky-deluxe ) A USB device that looks like a storage device but acts as a usb keyboard. With that you can do whatever the logged in user can. It's not an "Empty" storage device as such but it may well look like that to a user. –  Sep 22 '16 at 16:18
  • 1
    Viruses hide themselves. They are very good at it. That is their MO. – paparazzo Sep 23 '16 at 02:11
  • 1
    [Here's a talk they gave at BlackHat 2014 on USB malware](https://www.youtube.com/watch?v=nuruzFqMgIw) which should provide more detail. – Schwern Sep 23 '16 at 04:14
  • 5
    "*a device that **appeared to be** completely empty*" **...** – Lilienthal Sep 23 '16 at 07:52

9 Answers9

69

I'm afraid this stems from a misunderstanding from the reporter:

... said a device that appeared to be empty could still contain a virus.

In the video the reporter's referring to it is clear, in fact, in the first two minutes Karsen says he's NOT talking about viruses. He then goes on to demonstrate, on screen, that the seemingly empty USB device is changing itself into a different device (e.g. emulating storage as well as a keyboard and playing keystrokes), as was alluded to in my previous answer (below), but I had not at the time reviewed the full resource to establish it as conclusive evidence.

So there you have it, the author somehow misunderstood the video presentation, and BBC published it...

How can "empty" USB sticks contain malware?

This question doesn't form a clear picture.

Firstly we must define "empty".

  • Do you mean unformatted? If this is the case, can we just erase the first sector to unformat a storage device, leaving the rest of the bytes intact? Could there be viral code in those unerased, yet technically unformatted bytes?
  • Do you mean looks empty when inserted? There have been numerous tricks for hiding files in the past, such as storing them in the recycling bin, using the 'hidden' or 'system file' attribute, using NTFS streams or even unsupported partitions. Delving further down the rabbit hole, is the drive empty but encrypted? A flaw in a major cryptographic library (we've seen those quite a lot recently) could expose the system to covert side-channel attacks, even from a seemingly empty device... Additionally, some USB sticks are bootable (on some systems; we'll get to that later), implying that you might be able to write a boot sector virus to infect them. Boot sector viruses don't really care what OS is installed, since they execute before the OS boots anyway... This leads me to your next question:

Is this only a problem for (legacy) Windows systems?

No. We should consider what constitutes "malware". It's possible for an arbitrary sequence of bytes to be considered malware because it causes damage to one system (e.g. x86/x64 machine code on an x86/x64 prcessor) but not another (e.g. the same bytecode on an ARM/SPARC). To answer this question, we only have to find (or design) a system that decodes the arbitrary sequence as malware, even though it previously wasn't.

Is there some way to use these sticks while protecting yourself?

No. Finally, consider the definition of USB stick. Is it possible that, instead of plugging in a storage device, you might be plugging in some kind of electronic bug, such as a wireless keyboard adapter or a USB thumb killer. Such devices themselves don't really constitute malware, either because they're not software or they weren't designed to be malicious... though they could nonetheless be security risks. It might also be possible for a device to access memory (e.g. by appearing as a charger for your mobile phone and then stealing all of your photos, videos, etc using the data line or a covert wifi network).

Don't insert untrusted USB devices. Period. They might not contain malware, but that isn't the only danger... especially in this day and age where competition, electronic sabotage & surveillance are all the rage.

autistic
  • 734
  • 6
  • 17
  • 35
    There aren't just USB devices that secretly emulate other devices. There are bugs in some (or maybe many – it's not widely researched) host USB host controller stacks (firmware and OS driver) that enable a carefully crafted USB client controller to execute arbitrary code with system management (BIOS) or OS kernel privileges. – David Foerster Sep 22 '16 at 11:07
  • 3
    It's probably not researched much because there are OH SO MANY other ways to hack people than to plug in a physical USB device. I guess once all the other holes are plugged (HA!), then USB hacking will get a lot more attention. – Nelson Sep 23 '16 at 16:54
  • 1
    Oh, I'm sure there's been some significant research done; just not a lot of *public* research. :) I'd expect that our friends in Fort Meade, at the SVR & GRU, at some of the better APT units in China, at some of higher-end malware/exploit-creating firms that sell their toys to nation-states, etc. have looked into the matter. Extensively. – mostlyinformed Sep 23 '16 at 20:37
  • 7
    Or a USB device can just attack the hardware of a computer. A USB device could pretend to be a flash drive for a while before charging up a capacitor bank and dumping 100 V into your computer http://kukuruku.co/hub/diy/usb-killer – Jezzamon Sep 24 '16 at 01:02
  • 3
    Thanks @Jezzamon. I mentioned that device in the answer, but as I said it's not really malware. By dictionary definition malware must be *software*, and this is *hardware*. These kinds of devices would probably be considered weapons as opposed to malware, because when you start going down the "fiddling with electronics" department the dangers could be life threatening. I strongly discourage products like that (hence the reason I didn't link to or explain it in detail). If you're going to take something out, do it with a sledge hammer. You know you're not going to hurt anyone else that way. – autistic Sep 24 '16 at 02:58
  • @Seb Yep, just thought it was worth mentioning in case someone was thinking "I'll try it on my computer, I don't have any valuable data & I just can wipe and reinstall if something goes wrong". Of course, I don't know whether they are actually being used by people anywhere. – Jezzamon Sep 24 '16 at 11:01
  • 1
    @Jezzamon you don't even need to pretend to be a flash drive. The computer won't last nearly long enough to tell the difference. – John Dvorak Sep 25 '16 at 04:11
  • Well, the issue I have with causing component failure is physical safety. I've seen people hospitalised by shocks from PSUs that have been tampered with, and am concerned that this kind of device could cause that kind of fault. I don't agree with the existence of this device... and I don't want it promoted here. I'm flagging that link as spam for a harmful/potentially illegal device. Let's see if the mods agree. – autistic Sep 25 '16 at 09:04
  • 1
    @Seb I think it's really bad/dangerous too! But that's why it's worth warning people about it – Jezzamon Sep 25 '16 at 11:25
  • Consider how you're actually supporting this device by providing it a boost in search engine rank... Whatever, if you want to support something that could pose serious risk to people, particularly those with weak hearts... well, I've done what I can. I'm moving on to other matters, now. I hope you're happy to move on, too... – autistic Sep 25 '16 at 11:29
47

You can hack the firmware of a USB device. With that you can tell the OS whatever you want, eg. the device is empty even it is not. Or attack the USB software stack of the OS by sending data that a normal USB device would not send (so the device could even really be empty, the attack comes from the firmware).

You can also do other funny stuff, like tell the OS that the USB device is also a keyboard, then automatically type commands that do something if it is plugged in. Or tell the OS the USB device is a network card, and redirect all traffic to a server you control.

Endless fun with hacked USB firmwares...

stackunderflow
  • 586
  • 4
  • 3
  • 5
    "like tell the OS that the USB device is also a keyboard..." [or toaster](http://superuser.com/q/792607/210293) – David Starkey Sep 23 '16 at 19:32
  • Anyone remember the Apple keyboard ROM being hacked and keylogged remotely? Hardware that has firmware and some memory can be deadly, even from major product vendors. Time to go back to PS2 inputs! – Chris Cirefice Sep 24 '16 at 16:15
24

USB works like this, AFAIK, note where lies could lead the system astray.

  1. Computer supplies +5V and GND to USB device.
  2. Microcontroller in the USB device runs and transmits USB-speak for "This is a type X device" (X is disk, camera, keyboard, mouse, or any device registered with the USB Consortium).
  3. Computer takes "appropriate" action.

Consider USB devices with subverted (reprogrammed) microcontroller...

Computer: +5V, GND
Microcontroller: I am a keyboard.
Computer: OK
Microcontroller: "FORMAT C:" ENTER "Y" ENTER

(Dilbert reference)

Search for the "BadUSB" vulnerability for details.

There is now a GoodUSB gadget: http://hackaday.com/2017/03/02/good-usb-protecting-your-ports-with-two-microcontrollers/

waltinator
  • 341
  • 1
  • 6
8

There are several ways to make it appear empty:

  • Using unsupported characters in file name

  • Using hiding options for the files

  • Using the special Windows folders (Like System Information)

In all cases, with a decent file manager you will be able to detect them, but from inside a Windows OS you will only be able to detect them in case 2 and that's if you have enabled it to show hidden files.

Yes, mostly it is a windows OS problem.

Yes, there are ways to protect:

  • Use a good file manager to see the real content of the stick
  • Make sure you have no type of autorun enabled
  • Make sure you do not execute, read or transfer files from the stick unless you know they are safe
Overmind
  • 8,779
  • 3
  • 19
  • 28
  • 25
    This answer is misleading, as it leads you to believe, completely incorrectly, that you can protect yourself. You cannot. A malicious USB stick will be malicious _in the firmware_, and you will be compromised long before your file manager is involved. – bmargulies Sep 22 '16 at 17:10
  • 1
    You can embed some payload in the Firmware of the USB and make it look like another device (like HID) but this does not appear to be the case, since the stick is being seen as empty and not faked as another device. – Overmind Sep 23 '16 at 05:17
  • 3
    @Overmind The stick can say "hello I'm a hub and I have both a keyboard and an empty flash drive plugged into me". Are you going to go in the device manager and look for a new keyboard every time you plug in a USB stick? – N.I. Sep 23 '16 at 08:06
  • 2
    @bmargulies I'm going to say that's mildly unfair. It's definitely true that a USB stick *can* be malicious in the firmware. But, at least as things stand today, in Sept. 2016, such attacks seem to be pretty rare in the wild--as far as we know, anyway--and limited to the province of pretty sophisticated actors. On the other hand, USB vectors that take advantage of the the way Windows handles files on a USB stick and exploits against Windows vulns in Explorer have a much broader record of being used for malware transmission. – mostlyinformed Sep 23 '16 at 20:53
  • 1
    I thought it was a bad thing for the accepted answer to completely ignore the firmware option. I still think so. – bmargulies Sep 23 '16 at 21:05
  • 1
    `...with a decent file manager you will be able to detect them...` Even if the USB firmware refuses to list them? (But it would then somehow need a method of making them active.) – user2338816 Sep 26 '16 at 02:25
  • Yes, user2338816, even so, because that's why I use my own modified/recompiled file managers instead of what most use. I have complete 16, 32 nd 64-bit FMs that can practically do anything ever needed inside an operating system. Direct disk access is only one way to bypass everything. If there's something there, I will see it. – Overmind Sep 26 '16 at 04:54
  • @Overmind this is strictly not true, since you don't have and can't have direct disk access, you can only go through a (potentially hostile) firmware that's emulating a disk. It can easily provide an interface to a completely empty filesystem on a completely empty storage device when plugged in, and 5 minutes later start behaving as if a completely different storage device was connected. Heck, it could physically *be* an USB hub with two separate storage devices (and a rule in the hub to switch them if some conditions are met), not that it would be visible by looking at the stick. – Peteris Sep 27 '16 at 23:00
  • @Peteris - I'm talking about ignoring anything related to the OS. You haven't been around in the MS-DOS era ? Remember the lock command and DDA ? Well, I still use something like that. No virtual windows emulation of anything. – Overmind Sep 28 '16 at 05:06
  • @Overmind ignoring anything related to the OS, you still can't access the USB storage "directly" - it is foreign hardware outside the control of your computer that is emulating a disk, and can cheat at that emulation no matter what your code or OS or hardware does. You should treat an USB stick as an another computer connected to yours over a weird network-like connection; that computer may simply expose a "shared storage" but also may lie to you, modify the files you write to that storage, or do a lot of other interesting things. – Peteris Sep 28 '16 at 07:53
  • @Overmind The same applies to HDD hardware / firmware - a modern HDD has a reasonably powerful CPU in it, and its firmware can be modified to lie to your compter, OS or no OS. "Direct access" both in USB and HDD case doesn't mean reading/writing data on storage, it means directly sending messages to the device and getting replies from it, and the device might reply in a hostile way - e.g. reading data from a file in certain conditions may return modified information; a proof of concept attack on HDD firmware added an extra user account when OS was reading user information at startup. – Peteris Sep 28 '16 at 08:01
  • @Peteris Yes, I know, I found such a bug in an older Seagate series. Something similar is being used to re-label small USB stick (like 2GB, 1GB models) to 32+GB ones. They will actually show a lot of space, but only the 1st part of it (the real space) will be usable. – Overmind Oct 03 '16 at 10:54
8

A computer is not just a processor, some RAM, and a hard drive. There are many processors inside a computer, including USB host processors, keyboard processors, clock processors, address bus processors, IDE/SATA processors, and more.

A "completely empty" USB stick could be reporting 0 files and folders in a single partition, even if it were, say, a keyboard programmed to advertise itself as a mass storage device.

There's a lot of trust that goes on at the hardware level for most processors. The firmware on many USB sticks are designed with the idea that they won't be programmed by end users. The firmware on many USB hosts also assume they won't be programmed by end users.

In other words, a user with sufficient technical skill could write their own code on to a USB stick, which in turn could write a payload to the USB host processor, which in turn could be used to subvert other systems through common buses.

This environment only exists in the first place because most processors include non-volatile RAM that they use as a ROM for storing their code. This allows vendors to build the hardware first, then drop the software in later. It's far more money efficient then building the software directly into the hardware.

So, with all that in mind, here's the answers you probably don't want to hear:

How can "empty" USB sticks contain malware?

Just because the OS sees something as empty doesn't mean it is. At minimum, it has firmware code running in a processor that starts up the millisecond the device has power. All USB devices have memory, even keyboards, mice, and sound cards. If it were really empty, the device wouldn't work.

However, if the device reports itself as a storage device, and the OS queries the partition table, the device can then simply send whatever data it wants, including appearing to be empty, or having an arbitrary storage capacity etc. Even today, you can find scammers that sell under-capacity storage devices that are re-programmed to report more capacity than they have. For example, you might buy a 32 GB stick that actually only has 2 GB of physical storage. The firmware lies to the OS, which eventually results in corrupt data when the user tries to use more than (for example) 2 GB of storage.

Is this only a problem for (legacy) Windows systems?

No. This is a problem for virtually every hardware device on the market. Some people estimate that this may be as high as 90% or more of devices, including laptops, tablets, phones, desktops, mp3 players, and anything else that has USB firmware in it. There's at least one manufacturer I've heard of that has "hardened" their firmware against reprogramming. A simple Google search will find storage devices that are resistant to reprogramming.

Is there some way to use these sticks while protecting yourself?

No. In fact, unless you examine every firmware's code before you plug it in to your computer, and, in fact, read your computer's firmware code before you plug anything into it, you can't be certain. It's entirely possible that your device was infected by the NSA before it was shipped to your store and sold to you. It might even be infected even if you bought all the hardware piecemeal and built it yourself. Unless you've physically created and programmed every aspect of your computer yourself, there's absolutely no way to be perfectly safe.

The best you can do is establish some level of trust, and avoid risky behavior. Avoid buying open hardware on e-bay, unless you reasonably trust the seller. Prefer buying brand-name computer parts instead of knockoff imitations, unless you can be reasonably sure they're safe (i.e. do research). Use as few devices as possible, and avoid sharing your devices with people you don't know. In other words, take the same precautions you'd take when trying to buy food, a car, or anything else. Most hardware is not currently infected, only because there's easier ways to get someone's data, but you should avoid casual exposure to risks.

phyrfox
  • 5,724
  • 20
  • 24
7

The USB stick itself could be the virus, not the data on its flash memory.

Let me show you how:

  • A USB device can have multiple endpoints
  • An endpoint can either receive or send data
  • You need 2 endpoints for a normal USB flash drive: Send and Receive
  • USB 1.1 allows up to 4 endpoints
  • USB 2.0 allows up to 15 endpoints, I think

You could use the remaining endpoints to emulate a keyboard or mouse.

If done right, the user only notices a seemingly empty flash drive. So no way to delete the virus without modifying the USB firmware

KeksArmee
  • 193
  • 5
2

Several good answers above - another related to waltinator's answer would be something like a USB ruberducky this could have malware in a hidden partition that it would deploy while displaying an empty partition.

Nate
  • 161
  • 4
0

Because of corrupt data. Anything that can write itself to memory can in theory save itself without any user interaction. By this definition you could say Windows itself is malware because anytime you plug in a drive or usb, it writes a few invisible bytes that could contain anything. Anywhere from backup info needed by the os or even rogue software that copies itself to anything writable. In the 90's floppy disks had a physical thumb insert which you could flip like a switch, flipping it to a locked position would cause data not to be writable to the disk. Nothing like this exists for usb drives, though I'm sure there's probably software than can allow you to lock drives. In Linux nothing is auto mounted unless it's setup that way, if you catch malware on removable hardware it's a Windows problem.

NERF
  • 1
  • How would a "physical thumb insert" protect data from being written to the floppy? Why would a rogue floppy drive honour its usage? – grochmal Sep 23 '16 at 03:33
  • @grochmal: the theory is that you own the drive, so know it is proper, but do not know the contents of the floppy disk. The analogy is flawed because the insert would protect the disk, not protect the computer that you put the disk into. Many viruses were spread in those days by sneakerware. One prevented the computer from printing. At the time work computers were shared. You would put an infected floppy into a computer hoping to print a file. When it infected the computer, the file would not print, so you would take the floppy to another computer and try again... – Ross Millikan Sep 23 '16 at 04:27
  • Most USB memory sticks *do* have a write-protect switch. – Chenmunka Sep 23 '16 at 08:02
  • The write protect switch on a USB "memory stick" is not unlikely to be under control of firmware that could, as discussed above, be subverted. Floppy drives, especially the type that was used in PCs up to ca. 2005, tend to be based on an older style of hardware design that will either not use firmware at all and hardwire the effects of the physical switch, or use firmware that is only accessible at all to the manufacturer of the chips used in the design. – rackandboneman Sep 23 '16 at 14:55
  • Addon: The 34-pin interface used for classic PC floppy drives CANNOT ever be used to reprogram the drive in any way, and CANNOT override the write protect switch. – rackandboneman Sep 23 '16 at 15:01
  • 3
    This is incorrect. Most memory sticks do not have a write protect switch –  Sep 23 '16 at 14:00
  • There are only a few vendors I'm aware of who make mass-market USB sticks with non-bypassable physical write-protect switches. (Meaning it doesn't matter whether the OS "respects" the position of the switch or not; when the switch is in the appropriate position writes physically cannot occur.) Some of these products are also claimed to allow only firmware alterations that are signed by the manufacturer. You can find these devices fairly easily on Amazon or Newegg. As you might guess, they are considerably more expensive than typical USB sticks for the same amount of storage. – mostlyinformed Sep 23 '16 at 21:12
0

My short answer: It is easy to fudge data to make something appear to be something it is not.

This can be done maliciously or just as a byproduct of a different application.

Case in point of accidental byproduct. I have a 16gb USB3 stick which I made into a bootable USB of Kali linux. The program I used ended up making the unused space into an unallocated partition so now the system only saw the stick as being the total space that the ISO data took up. I ended up having to use a 3rd party partitioning program to repartition the entire stick and get the 16gb total.

NZKshatriya
  • 121
  • 5
  • 2
    The analogy is not valid. A bootable USB uses a filesystem inside a ISO9660 drive, and that filesystem argues that it is read-only. Your OS shows that the drive is smaller only when mounted because no ISO9660 implementation can go beyond the end of the filesystem ('cause it is an optical media filesystem). Yet, when umounted your OS can still read the full block device (e.g. `dd if=/dev/null of=/dev/sdb` would erase the full device not only the part covered by ISO9660). – grochmal Sep 24 '16 at 13:16
  • Point taken. Apologies for bad analogy, likely due to lack of sleep, too little coffee. I must point out that the OS I am running on my main drive is Win10...not to worry though, I have Debian 8 and Kali on externals, working on my first LFS build. – NZKshatriya Sep 24 '16 at 15:57