8

There are news that an unpatchable and unfixable USB firmware exploit is "out there".

This could seem unrelated to servers but since the affected hardware from Phison is not disclosed there is a possibility of devices that are connected to an internal network could be infected or potentially vulnerable. This could be the worst nightmare for a network & system administrator, an ICT consultant, etc.

Is there a way to check if a USB devices has the potential BadUSB vulnerability, so that USB devices can be "vetted by the IT departments"?

Eduard Florinescu
  • 831
  • 5
  • 24
  • 39
  • No idea how you could test (other than completely ridiculous schemes like, get another of the same device and USB programming tools to check that the firmware is the same on both). Most of the potential vulnerability should be easily neutralized with basic security practices: 1. don't go plugging untrusted devices into your servers 2. If the device is acting "weird", quarantine it and evaluate your environment. BasUSB allows a device to misbehave, but doesn't magically override the host system. – Chris S Oct 06 '14 at 04:58
  • 3
    **BadUSB Summary**: Phision is the leading manufacturer of USB device controllers (eg the chip between the flash chips of a memory stick and the USB bus). Their chips do very rudimentary security, easily overcome, allowing someone to flash arbitrary firmware to the controller. Thus the firmware could contain malware, or could hide portions of a flash drive, or override the password on self-encrypting devices, or act as something other than what is actually is (eg, memory stick becomes a memory stick + keyboard, or NIC, audio device, or any of the other USB classes). And the list goes on. – Chris S Oct 06 '14 at 05:02

1 Answers1

5

I've been researching the internet and since is hard to know if a device is vulnerable is better to be prepared at the other end of the USB socket and I found that actually there are some solutions:

For Windows:

There is a free program called G DATA USB Keyboard Guard which basically ask you to grant access when a new device is found:

G DATA has responded by developing USB KEYBOARD GUARD, an add-on that protects you from the most likely form of USB attack - USB devices pretending to be keyboards. If a new keyboard is detected by the system, access is initially denied and a pop-up is displayed. You can then check in your own time whether this really is a keyboard, and either grant or deny access permanently.

There is also a solution for Linux:

I completely agree that, as shipped, most computer systems will be susceptible to this attack, and assume that all of their attacks will work as advertised. What I don't agree with at all is their conclusion, which boils down that no effective defenses exist.

[...]

... you can easily turn off this automatic binding, at least on Linux, with one single command:

[root@optiplex ~]# echo 0 >/sys/bus/usb/drivers_autoprobe

Now, whenever you connect a USB device to your computer, it will not automatically connect...

... to manually bind this device, you first have to choose the appropriate USB configuration...

# echo 1 >/sys/bus/usb/devices/5-1/bConfigurationValue  ...

(All dots[...] represent paragraphs edited out. Check the full article for more details)

Other solutions for Linux can be found here:

How to prevent BadUSB attacks on linux desktop

If you want to find more about BadUSB there is this article full of resources and links:

BadUSB News and Linkage

Community
  • 1
Eduard Florinescu
  • 831
  • 5
  • 24
  • 39