15

Recently I read a few things about the BadUSB exploit, for example:

http://arstechnica.com/security/2014/07/this-thumbdrive-hacks-computers-badusb-exploit-makes-devices-turn-evil/

My understanding is that a device connected to USB can change its appearance (drive, keyboard, network card, ...), which opens the opportunity for an infected USB drive (or other device for that matter) to simulate things like a keyboard and submit malicious commands or a network card and connect to web addresses to download programs. The problem appears to be that the computer automatically trusts USB devices. However, the power of the infected chip is probably very limited, which makes it difficult to simulate more complex hardware like network cards:

How to prevent BadUSB attacks on Linux desktop?

Anyhow, I am interested if it is principally possible to prevent such behavior:

  • Is my understanding of the exploit correct?
  • If so: Wouldn't it be possible to implement a software "firewall" that asks the user for permission if new USB devices are connected and especially throws a warning if the "type" of the device changes? By that I mean not simply clicking ok (which a malicious USB device may do on its own), but use something like a CAPTCHA.
  • If that is not possible, because the software may not be able prevent the usage of a USB device (or for some reason): Would a hardware solution be possible, that forwards USB data, but for example only allows USB drives and not keyboards? How does a USB device tell the computer its "type"?
molotovsoda
  • 151
  • 1
  • 3
  • I like it :), especially since from a UI point of view most people are already used to getting a popup asking how to handle a new peripheral (copy the camera images, view the movie, open the folder in a file browser, etc.). How to implement it however would be another kind of challenge (ref. to Mark's answer highlighting that one cannot use the mouse to enable the very same mouse connection...) – WhiteWinterWolf Aug 18 '15 at 21:13
  • 1
    See USBGuard https://github.com/dkopecek/usbguard – multithr3at3d Apr 02 '17 at 22:07

6 Answers

6

There's a chicken-and-egg problem with the "firewall" solution: your keyboard and mouse are USB devices*. How do you as the user tell the OS that you want to give permission to the keyboard and mouse, without using either of them? What about if the keyboard and mouse are connected through USB ports on a monitor -- they'll be disconnected and reconnected every time the monitor is turned off and on. I'm sure there are other situations where the "firewall" will either leave the user with no input devices and no way to approve new ones, or in attempting to avoid that situation, will automatically approve a device that it shouldn't.

*Yes, even on a laptop. They're simply USB devices that are permanently wired in place.

Mark
  • 34,390
  • 9
  • 85
  • 134
  • 2
    Interesting point - however you could handle the first input devices that are connected to the computer differently: Give them a certain time frame in which they are in a sandbox and have to be activated by the user by a CAPTCHA-like technique. – molotovsoda Aug 16 '14 at 21:40
  • 1
    How do you propose to deal with devices that identify as keyboards but don't allow arbitrary input, such as barcode scanners and magstripe readers? – Mark Aug 16 '14 at 21:58
  • Again: Nice point! If it is the only device connected to the computer that may be difficult. You could generate a barcode on the screen; with the magstripe this is obviously more difficult. Another input device that is temporarily used to enable it may be an option. But from a practical point of view you could allow a certain type of device only for these kinds of computers. That would at least limit the number of possible exploits. – molotovsoda Aug 17 '14 at 00:15
  • Maybe a physical "security button" on the computer itself which allows you to accept or reject the first user input device you attach to your computer. After that device is connected, you could then use it to authorize any additional devices you might plug in in the future. – Ajedi32 Apr 20 '15 at 20:33
  • Don't some hardwired keyboards/mice still use PS/2? – SamB Aug 16 '15 at 04:22
  • 2
    Sorry to contradict a bit your footnote, but it seems that "[most PC laptops have PS2 keyboards](https://www.qubes-os.org/doc/InstallationGuide/)", MacBook being a significant exception to this uses a USB keyboard. I did not quickly find any better link to this, but this USB security issue is widely studied in Qubes OS documentation, and I can confirm for sure that on my laptop none of the keyboard, trackpad and trackpoint are linked to the USB bus (playing with it will only affect my external USB mouse). Otherwise I agree on the chicken-&-egg issue :). – WhiteWinterWolf Aug 18 '15 at 21:05
  • The chicken and egg problem is solved by asking for your password. [link](https://penteract.net/Blogs/PenteractBlog/Blog02/Security/covert-keyboard/01/Block-Covert-Keyboard.aspx). – User42 Feb 19 '18 at 13:31
  • @User42, and you propose the user input their password *how*? – Mark Feb 19 '18 at 18:40
  • Type it in. The keyboard doesn't get disabled. – User42 Feb 19 '18 at 19:19
2

Short answer: Yes it can be prevented but the solution is not an easy one.

As discussed by Steve Gibson in a recent Security Now podcast (here) and in the original Black Hat presentation (here), if I recall correctly, the solution involves locking down the firmware in these USB device controllers. This basically means that the firmware will be written to a ROM chip that would not allow modification of the firmware on that chip, which forms the basis of this exploit.

Your understanding of the exploit seems to be fairly accurate but I would suggest you watch the original presentation mentioned above.

Although your suggestion of a software type of solution would potentially be able to detect already exploited devices, it does not solve the root cause of the issue. Also, it unfortunately is the case that in some instances USB devices should be able to change their type or even be multiple device types all at once. In fact, in the Black Hat presentation the authors even make a good case for how this ability in USB could be quite useful. The warning is unfortunately just that - a warning - and can be easily ignored or silenced. If you had to report on each type change for USB devices you would get a lot of false positives.

Another thing mentioned in the talk was that there is very little standardization and control over USB devices, thus there is no real way to determine what a USB device should be. So you have nothing to really compare it to.

BTW. If you just developed an interest in Infosec, I'd definitely suggest you subscribe to the Security Now podcast - It's pretty awesome!

ilikebeets
  • 2,646
  • 15
  • 21
  • Thanks for your answer - and the reference to the podcast, I will check it out! What I take from your answer is that it is possible to construct a firewall, however it may be unfeasible for daily use. Anyhow, if you are not expecting regular hardware changes but only deal with new USB drives on a regular basis, protection seems possible - correct? – molotovsoda Aug 17 '14 at 12:20
  • If they lock down the firmware I'll just have to take out the whole circuit board from the drive and put my own circuit board in. Then it's *my* "drive" with no such silly restrictions. – user253751 Jan 09 '18 at 23:13
  • -1 for suggesting users sign up to a snake oil preacher. – forest Mar 16 '18 at 06:56
1

There's hardware for that.

The USG is a firewall for your USB ports. It connects between your computer and an untrusted USB device, isolating the badness with an internal hardware firewall:

https://github.com/robertfisk/USG/wiki

MarcG
  • 805
  • 1
  • 7
  • 11
1

So far there is no confirmed surefire way to prevent it. The best solution thus far is to disable the “boot mode” state of the device and perhaps physically disable access, with glue for instance.

Here is an article about it: http://news.softpedia.com/news/There-Is-Anti-BadUSB-Protection-but-It-s-a-Bit-Sticky-461485.shtml


p.s. you could get fun with the glue thing :)

Matthew Peters
  • 3,592
  • 4
  • 21
  • 39
0

If a device identifies itself as a network adapter, why would that allow it to download stuff from the web? Either it already has an internet connection and can already do stuff, or Windows would want to use IT to connect to the web, not grant web access to a network device (unless someone explicitly does "bridge connections" or similar).

As for "detect device type changes" - what would prevent a malicious USB device from presenting itself as a hub that contains everything it needs? Or perhaps just pretending to disconnect and reconnect itself as a different device?

CAPTCHA does not work - the system that decides if the input is good/bad is the same system that requests the input - the same way a rogue device could "click OK on its own", it could also bypass the CAPTCHA - not to mention how painful that would be for USB - its popularity is due to ease of use, not security.

As for what could actually fit inside a USB stick, I would look at the components contained within a WiFi SD card (like this) - and assume similar components can fit inside a USB stick as well - which means a small OS, complete with a CPU, RAM, WiFi and flash storage.

user2813274
  • 2,051
  • 2
  • 13
  • 18
  • Thanks for your answer. So let's put aside how the malicious device does evil (the network card issue). The device connects as a hub full of devices. The "firewall" I am thinking of would then tell you what just connected so you have the option to decline - why does the CAPTCHA not work? The USB device should not have control over the "firewall" - or am I getting something wrong here? How about the idea of a hardware firewall that only allows drives? Any info about how the devices send their type to the computer? Thanks! – molotovsoda Aug 16 '14 at 21:10
  • How would a computer know what the valid answer to a captcha is? - that is the same as how would a computer know what the "yes" option is " By that I mean not simply clicking ok (which a malicious USB device may do on its own)" - it's on the same computer, and the "has been entered correctly to proceed" flag is the same in both cases – user2813274 Aug 16 '14 at 22:13
  • 2
    Let's suppose the computer generates a random code, creates a picture from it and asks you to type what you see (suppose you want to identify a key) - how would a malicious device know about it or get around it? It was not yet granted any rights and would run in a sandbox, where it is only allowed to type input into this box. The computer however knows with which data it created the image. – molotovsoda Aug 17 '14 at 00:10
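To make concrete how a device declares its "type" (the question's last bullet) and what a host-side check has to look at when a device presents itself as a hub full of interfaces (the point raised in the answer above), here is an added Python example that is not from the thread or any project: it walks a USB configuration descriptor for interface class codes and applies a mass-storage-only allow-list plus a "did this device's interface set change" check. The descriptor bytes, VID/PID and serial are constructed, and USBGuard (mentioned in the question's comments) implements a much richer version of the same idea.

```python
# Descriptor-level "USB firewall" policy check; all descriptor bytes are constructed.
HID, MASS_STORAGE = 0x03, 0x08          # USB-IF interface class codes
INTERFACE_DESCRIPTOR = 0x04             # bDescriptorType of an interface descriptor

def interface_classes(config):
    """Return the bInterfaceClass of every interface a configuration descriptor
    declares: the host asks GET_DESCRIPTOR, the device answers with these bytes."""
    classes, pos = [], 0
    while pos + 2 <= len(config):
        length, dtype = config[pos], config[pos + 1]
        if length < 2 or pos + length > len(config):
            raise ValueError("malformed descriptor at offset %d" % pos)
        if dtype == INTERFACE_DESCRIPTOR and length >= 9:
            classes.append(config[pos + 5])     # bInterfaceClass field
        pos += length
    return frozenset(classes)

def decide(seen, identity, config, allowed=frozenset({MASS_STORAGE})):
    """Allow only if every interface is on the allow-list and the interface set has
    not changed since last seen. `seen` maps (vid, pid, serial) -> frozenset."""
    classes = interface_classes(config)
    if identity in seen and seen[identity] != classes:
        return "block", "interface set changed since last seen"
    extra = classes - allowed
    if extra:
        return "block", "disallowed interface classes: %s" % sorted(map(hex, extra))
    seen[identity] = classes
    return "allow", "all interfaces are on the allow-list"

FLASH_DRIVE = bytes([
    9, 2, 32, 0, 1, 1, 0, 0x80, 50,      # configuration: 1 interface, 32 bytes total
    9, 4, 0, 0, 2, 0x08, 0x06, 0x50, 0,  # interface 0: mass storage, SCSI, bulk-only
    7, 5, 0x81, 2, 0, 2, 0,              # bulk IN endpoint
    7, 5, 0x02, 2, 0, 2, 0,              # bulk OUT endpoint
])
DRIVE_PLUS_KEYBOARD = bytes([
    9, 2, 48, 0, 2, 1, 0, 0x80, 50,      # configuration: 2 interfaces, 48 bytes total
    9, 4, 0, 0, 2, 0x08, 0x06, 0x50, 0,  # interface 0: the same drive ...
    7, 5, 0x81, 2, 0, 2, 0,
    7, 5, 0x02, 2, 0, 2, 0,
    9, 4, 1, 0, 1, 0x03, 0x01, 0x01, 0,  # interface 1: ... plus a HID boot keyboard
    7, 5, 0x83, 3, 8, 0, 10,             # interrupt IN endpoint
])

def demo():
    # Same constructed VID/PID/serial shows up first as a plain drive, then as drive + keyboard.
    seen, ident = {}, (0x1234, 0x5678, "SN-CONSTRUCTED")
    first = decide(seen, ident, FLASH_DRIVE)
    second = decide(seen, ident, DRIVE_PLUS_KEYBOARD)
    return first[0], second[0]
```

Because every byte of the descriptor comes from the device, this catches a device that claims something outside the allow-list or changes what it claims between plug-ins; it cannot tell a reprogrammed controller that consistently claims to be a drive from a genuine one.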
0

First - not all USB devices will be susceptible to BadUSB. Many are designed with minimal controller circuitry and cannot take on other functions and/or do not have firmware that can be reprogrammed. This is particularly the case for mass market, low cost items such as USB drives where every cent counts.

The other angle on this is that if software can reprogram the USB device then software can also detect if the USB device is reprogrammable and thus shut it out. I would not be surprised if most AV vendors were not already working on a way to detect which devices are reprogrammable and then deny access to the system.

BadUSB is not the end of the USB device, it's just yet another vulnerability that needs to be taken care of.

Chris
  • 1
  • 6
    It's hard to check whether a device is reprogrammable when the only source of information comes from asking the device. – user10008 Aug 22 '14 at 23:44