0

Besides BadUSB, are there any known or possible attacks involving Arduino devices?

Is it possible for Arduinos not using the ATMega 32u4 chip be used to infect PCs? Is it possible for an attacker who has been in possesion of an Arduino board to compromise it to infect a computer it is plugged into?

Basically, if a knowledgeable enough attacker somehow gets his hands on an Arduino which I at some point plug into my computer, BadUSB aside, should I have anything to worry about?

freginold
  • 165
  • 6
user942937
  • 983
  • 8
  • 14
  • 1
    I've tried searching around and couldn't find anything besides ones involving BadUSB and Leonardos. I'm wondering if UNOs can be used as a platform as well. Basically, if a knowledgeable enough attacker somehow gets his hands on an Arduino which I at some point plug into my computer, BadUSB aside, should I have anything to worry about? – user942937 Aug 09 '18 at 17:31
  • I've added that into the question. – freginold Aug 09 '18 at 17:41
  • 2
    Unfortunately I don't think this question is answerable -- you're essentially asking for a review of all vulnerabilities against the Arduino platform (known in public, on the vulnerability black markets, and in classified / military circles). When the question is _"Is it possible for ____ to be infected?"_ the answer is always _"Yes, anything is possible"_. – Mike Ounsworth Aug 09 '18 at 17:44
  • yes, they can desolder chips and replace with whatever they want, even down to fake chip labeling. – dandavis Aug 10 '18 at 19:55

1 Answers1

2

The problem you've identified is not specific to Arduino hardware.

It's a more fundamental issue: many reprogrammable USB devices can be programmed to identify as a USB HID keyboard/mouse, allowing them to control your computer when plugged in. Almost all Arduino boards fall into this category -- but many other devices do as well, including many that you wouldn't think of as reprogrammable.

(One exception is the Arduino Nano, which uses a FT232RL USB/serial chip which can only function as a serial interface. All other Arduino boards currently in production either use an ATmega32U4 directly, or use an ATmega8U2/16U2 as a serial interface.)

Don't plug USB devices into your computer which you don't trust.

  • Hi. Thanks for answering. You mentioned that the Arduinos that are programmable as USB HID devices may be allowed to control my computer when plugged in except for the Nano with the FT232RL. Would an Arduino that uses this (I have a clone that uses this chip) be safe from this sort of compromise? – user942937 Aug 09 '18 at 18:14
  • it's not really the MCU itself (ex ATMEGA328) (32u4 is an exception), it's the USB chip, which could be replaced by a skilled attacker. you can also bypass the on-board USB adapter and use you own "ftdi usb to serial adapter" to talk/program via UART, which avoids a possibly-compromised chip – dandavis Aug 10 '18 at 19:53
  • Assuming I were working with a compromised board. If I were to reprogram it [like so](https://www.arduino.cc/en/Main/Standalone), and upload a simple program to it, would that be enough to clean out whatever malware is on the board? – user942937 Aug 11 '18 at 03:49
  • @user942937 the Arduino uses a bootloader which "loads" up the new programs into flash. However, if the bootloader itself is malicious, you would have to program a new bootloader using an SPI programmer. (Though you would then also have to trust that new bootloader, the SPI programmer and the software you're using to program the bootloader. – Paul Dec 20 '18 at 22:03