BadUSB – Hacked USB Drive to Black Hat 2014

USB_flash_drive

 

 

You probably have a handful of USB drives around your computer, they are useful and ubiquitous. After reading this article and watching the video below you might think twice before plugging in a found USB drive or one from a casual acquaintance. USB was dreamt up way back in 1994 and has gone through many versions since then. USB has a simple 4 pin contact, two for power and 2 for bi-directional data transmission. Even though it has a very simple electrical interface there are many types of devices that can be plugged in and run over USB, you can see the 2 hex digits in the table below which represent all of the USB class devices (via). The device passes this class number to the computer when powered to allow the computer to understand what has been plugged in.  

Karsten Nohl and Jakob Lell from SR Labs did some reverse engineering to a simple USB thumb drive. They have created a thumb drive that can power up as a class 08h mass storage and display the files. It can then change to a class 03h device which is a HID such as a keyboard. Now the thumb drive can easily perform some keystrokes which can do things such as open a shell window and perform any commands you like.

If you think plugging in a phone into your computer to charge it is harmless guess again. At 24:46 in the video a properly setup phone is plugged into the USB port and with no obvious changes all of your Paypal passwords are now being sent to the hackers. This demonstration software has been released for security professionals to ensure they are protected against this attack.

 Of course it was just a matter of time for this exploit to be performed, much of the controller chips are fully documented and easily available.  There are also lots of fake drive manufactures who have hacked their own firmware to allow them to have incorrect size information to be displayed to allow drives with small amounts of NAND memory to show up and act as a huge drive.

I can see all of the large manufactures with solid supply chains start to sell devices that have their driver firmware stored in ROM or in EEPROM memory that has a write fuse blown to prevent future writing of the firmware. We see this in microcontrollers and don`t think twice about it.

It is now up to us, the consumer, to demand with our purchasing dollars that devices that are sold to be free of this type of attack.

 

 

 

USB Device classes include:

Class Usage Description Examples, or exception
00h Device Unspecified Device class is unspecified, interface descriptors are used to determine needed drivers
01h Interface Audio Speaker, microphone, sound card, MIDI
02h Both Communications and CDC Control Modem, Ethernet adapter, Wi-Fi adapter
03h Interface Human interface device (HID) Keyboard, mouse, joystick
05h Interface Physical Interface Device (PID) Force feedback joystick
06h Interface Image Webcam, scanner
07h Interface Printer Laser printer, inkjet printer, CNC machine
08h Interface Mass storage (MSC or UMS) USB flash drive, memory card reader, digital audio player, digital camera, external drive
09h Device USB hub Full bandwidth hub
0Ah Interface CDC-Data Used together with class 02h: communications and CDC control
0Bh Interface Smart Card USB smart card reader
0Dh Interface Content security Fingerprint reader
0Eh Interface Video Webcam
0Fh Interface Personal Healthcare Pulse monitor (watch)
10h Interface Audio/Video (AV) Webcam, TV
DCh Both Diagnostic Device USB compliance testing device
E0h Interface Wireless Controller Bluetooth adapter, Microsoft RNDIS
EFh Both Miscellaneous ActiveSync device
FEh Interface Application-specific IrDA Bridge, Test & Measurement Class (USBTMC), USB DFU (Direct Firmware Update)
FFh Both Vendor-specific Indicates that a device needs vendor-specific drivers