BadUSB thumbdrive hacks computers.

Sky Aisling
Posts: 1368
Joined: Sat 27 Jun 2009, 23:02
Location: Port Townsend, WA. USA

#1 Post by Sky Aisling »

When creators of the state-sponsored Stuxnet worm used a USB stick to infect air-gapped computers inside Iran's heavily fortified Natanz nuclear facility, trust in the ubiquitous storage medium suffered a devastating blow. Now, white-hat hackers have devised a feat even more seminal—an exploit that transforms keyboards, Web cams, and other types of USB-connected devices into highly programmable attack platforms that can't be detected by today's defenses.

Dubbed BadUSB, the hack reprograms embedded firmware to give USB devices new, covert capabilities. In a demonstration scheduled at next week's Black Hat security conference in Las Vegas, a USB drive, for instance, will take on the ability to act as a keyboard that surreptitiously types malicious commands into attached computers. A different drive will similarly be reprogrammed to act as a network card that causes connected computers to connect to malicious sites impersonating Google, Facebook or other trusted destinations. The presenters will demonstrate similar hacks that work against Android phones when attached to targeted computers. They say their technique will work on Web cams, keyboards, and most other types of USB-enabled devices.
...
http://arstechnica.com/security/2014/07 ... turn-evil/

stray_dog
Posts: 65
Joined: Wed 19 Mar 2014, 00:14

#2 Post by stray_dog »

Yea, Wired posted an article about this too, here: http://www.wired.com/2014/07/usb-security/ ... it caught my attention because I do like to use a USB Puppy, it's so much smaller than a CD. The comments section seems to have some interesting points - don't know enough about it to know what's what, though. I guess we'll have to see how it all works out & what can be demonstrated.

grump
Posts: 124
Joined: Mon 10 Oct 2011, 10:47
Location: Melbourne, Oz

#3 Post by grump »

How does one reprogram firmware? I know I can get 'firmware updates' for devices like my DSLR camera and wireless modem, but I would think that they would be specially designed that way, i.e. some circuitry and a small EPROM to control the circuitry. I imagine that a simple USB stick would have the 'software' hard coded, i.e. in ROM. Please explain.

starhawk
Posts: 4906
Joined: Mon 22 Nov 2010, 06:04
Location: Everybody knows this is nowhere...

#4 Post by starhawk »

ROM != hard wired. (I think that's what you meant by "hard coded".) Hard wired = circuitry fixed in such a way that it doesn't /need/ ROM.

ROM has firmware in it. Firmware = software-on-a-chip. Most ROMs can be written to. You erase the ROM, and then you rewrite it all. (When you erase a ROM chip, you erase the whole chip.)

Flash "ROM" != ROM. Flash memory is actually NVRAM (Non-Volatile RAM, i.e. RAM that doesn't get amnesia at power loss). Flash is an altogether different creature that can be erased and rewritten in parts -- you erase a "block" and rewrite it, sorta like on a hard drive BUT it's not got little spinny bits in it ;)

There is a thing called a Mask ROM or Masked ROM. This is one member of a family of ROMs called "OTP" ROMs (OTP = One Time Programmable) -- it is programmed as it is made in the factory, and it is internally hard-wired so that it cannot be reprogrammed. OTP ROMs are all non-reprogrammable, hence the name.

When you get a firmware update, it comes as a program that loads into RAM, wipes the ROM chip, and then rewrites the ROM chip -- the WHOLE chip for both write and erase.

EPROMs are old as dust, BTW, everyone uses EEPROMs now. No need for the higher voltage requirements of old.

A USB flash drive has a microcontroller in it, that handles communication and storage/allocation type stuff. Look up the 8051 (aka MCS-51) if you want to read about one of the most well-known and well-used microcontrollers -- it's *still* in use, twenty-odd years later, and it's about as rare as sand on a beach. More modern microcontrollers (such as the PIC series by Microchip Tech, and the Atmel ATMega of Arduino fame) have RAM and ROM built in. The ROM is by design reprogrammable in most microcontrollers (to be fair, I have a digitally controlled ceramic heater --or the remains thereof-- with an OTP microcontroller in it). The USB drive almost certainly uses DFU (Device Firmware Update), a mode built into USB for this specific purpose. (Don't bother Wiki-ing that one, the page has two sentences and two links.)

Hope I've been helpful :)

grump
Posts: 124
Joined: Mon 10 Oct 2011, 10:47
Location: Melbourne, Oz

#5 Post by grump »

Thanks for that explanation.

Flash
Official Dog Handler
Posts: 13071
Joined: Wed 04 May 2005, 16:04
Location: Arizona USA

#6 Post by Flash »

Most USB thumb drives can be reprogrammed to silently infect computers
...a malware program can replace the firmware on a USB device like a thumb drive by using secret SCSI (Small Computer System Interface) commands and make it act like some other type of device, for example, a keyboard...

...One of the attacks involves a USB stick that acts as three separate devices—two thumb drives and a keyboard. When the device is first plugged into a computer and is detected by the OS, it acts as a regular storage device. However, when the computer is restarted and the device detects that it’s talking to the BIOS, it switches on the hidden storage device and also emulates the keyboard...

...For the purpose of exchanging files with other people an SD (Secure Digital) memory card would be a safer choice than a USB thumb drive...

Hmm, it's news to me that SD cards actually have some kind of security baked in. I always assumed the "write protect" switch was the security.

So USB flash memory controller manufacturers got together and added some secret commands to the SCSI command set. Nice. :twisted:

I found this by googling USB flash controller firmware. I didn't see anything about secret commands that get into the controller or change the firmware though.
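
As an added example (not part of any post in this thread): a small POSIX shell/awk check that a Puppy user could run over the kernel log to flag a USB device that has enumerated both a mass-storage interface and an input (HID) interface on the same device path, which is what the composite "two thumb drives and a keyboard" stick in the quoted article looks like to the host. The sample log lines, vendor and product IDs are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): scan dmesg-style kernel log lines for a
# USB device that has bound BOTH a usb-storage interface and an input (HID)
# interface under the same kernel device path (e.g. "1-1" or "1-2.4").
#
# Usage: dmesg | find_storage_hid_combo      (or: find_storage_hid_combo < /var/log/messages)
# Prints one flagged device path per line; prints nothing when all is quiet.
find_storage_hid_combo() {
    awk '
    # usb-storage binding line, e.g. "usb-storage 1-1:1.0: USB Mass Storage device detected"
    match($0, /usb-storage [0-9][0-9.-]*:[0-9]+\.[0-9]+:/) {
        iface = substr($0, RSTART + 12, RLENGTH - 13)   # "1-1:1.0"
        split(iface, p, ":")
        storage[p[1]] = 1                               # device path "1-1"
    }
    # input-core registration, e.g. "input: <name> as /devices/.../1-1/1-1:1.1/.../input/input12"
    # The <name> is supplied by the device itself and is therefore not trusted;
    # only the interface segment "<dev>:<cfg>.<iface>" of the sysfs path is used.
    /input: / && match($0, /\/[0-9][0-9.-]*:[0-9]+\.[0-9]+\//) {
        iface = substr($0, RSTART + 1, RLENGTH - 2)     # "1-1:1.1"
        split(iface, p, ":")
        hid[p[1]] = 1
    }
    END {
        for (dev in storage)
            if (dev in hid) print dev
    }' | sort
}

# Constructed sample log: device 1-1 is a plain drive; device 1-2.4 (behind a
# hub) enumerates a storage interface AND a keyboard interface.
SAMPLE_LOG='[   10.001] usb 1-1: New USB device found, idVendor=1234, idProduct=0001
[   10.002] usb-storage 1-1:1.0: USB Mass Storage device detected
[   20.001] usb 1-2.4: New USB device found, idVendor=1234, idProduct=0002
[   20.002] usb-storage 1-2.4:1.0: USB Mass Storage device detected
[   20.300] input: Generic USB Keyboard as /devices/pci0000:00/0000:00:14.0/usb1/1-2/1-2.4/1-2.4:1.1/0003:1234:0002.0001/input/input12
[   20.301] hid-generic 0003:1234:0002.0001: input,hidraw0: USB HID v1.11 Keyboard [Generic USB Keyboard] on usb-0000:00:14.0-2.4/input1'

flagged=$(printf '%s\n' "$SAMPLE_LOG" | find_storage_hid_combo)
echo "USB devices presenting storage + input interfaces: ${flagged:-none}"
```

A hit only says the device exposed both interface types; a legitimate keyboard with a built-in card reader will trip it too, so treat the output as something to inspect, not as proof of tampered firmware.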

Teh Agnostic Anarco
Posts: 34
Joined: Wed 17 Sep 2014, 21:27

#7 Post by Teh Agnostic Anarco »

grump wrote: How does one reprogram firmware? I know I can get 'firmware updates' for devices like my DSLR camera and wireless modem, but I would think that they would be specially designed that way, i.e. some circuitry and a small EPROM to control the circuitry. I imagine that a simple USB stick would have the 'software' hard coded, i.e. in ROM. Please explain.

This is nothing new, and Stuxnet was just the predecessor of all the crap out there now; even worse are motherboard firmware rootkits.

Any piece of hardware that has an EEPROM can be written to; that's the whole significance of the acronym Electronically Programmable Read Only Memory.....

What the original poster does not seem to see is how far the rabbit hole goes....

It's beyond USB: CPU flash memory can also be infected, NIC firmware, GPU firmware, and that will really cause mayhem since it uses its own VM inside the GPU, especially if it's high end. I don't want to get into details but look up Dragos Ruiu and badBIOS. All this shit created by western intel agencies. That's all I can say.

Flash
Official Dog Handler
Posts: 13071
Joined: Wed 04 May 2005, 16:04
Location: Arizona USA

#8 Post by Flash »

The Unpatchable Malware That Infects USBs Is Now on the Loose - Wired
... Caudill and Wilson reverse engineered the firmware of USB microcontrollers sold by the Taiwanese firm Phison, one of the world’s top USB makers. Then they reprogrammed that firmware to perform disturbing attacks: In one case, they showed that the infected USB can impersonate a keyboard to type any keystrokes the attacker chooses on the victim’s machine. Because it affects the firmware of the USB’s microcontroller, that attack program would be stored in the rewritable code that controls the USB’s basic functions, not in its flash memory—even deleting the entire contents of its storage wouldn’t catch the malware. Other firmware tricks demonstrated by Caudill and Wilson would hide files in that invisible portion of the code, or silently disable a USB’s security feature that password-protects a certain portion of its memory...

If that's all it is, couldn't the firmware in any USB flash memory controller be just as easily replaced with trusted code provided by the open source community? This may require a special piece of hardware the USB memory would be plugged into, so making sure your USB devices are safe might not be free. You'd just send them in to the NSA and for a small fee, they install their firmware. :twisted:

Teh Agnostic Anarco
Posts: 34
Joined: Wed 17 Sep 2014, 21:27

#9 Post by Teh Agnostic Anarco »

Flash wrote: The Unpatchable Malware That Infects USBs Is Now on the Loose - Wired
... Caudill and Wilson reverse engineered the firmware of USB microcontrollers sold by the Taiwanese firm Phison, one of the world’s top USB makers. Then they reprogrammed that firmware to perform disturbing attacks: In one case, they showed that the infected USB can impersonate a keyboard to type any keystrokes the attacker chooses on the victim’s machine. Because it affects the firmware of the USB’s microcontroller, that attack program would be stored in the rewritable code that controls the USB’s basic functions, not in its flash memory—even deleting the entire contents of its storage wouldn’t catch the malware. Other firmware tricks demonstrated by Caudill and Wilson would hide files in that invisible portion of the code, or silently disable a USB’s security feature that password-protects a certain portion of its memory...

If that's all it is, couldn't the firmware in any USB flash memory controller be just as easily replaced with trusted code provided by the open source community? This may require a special piece of hardware the USB memory would be plugged into, so making sure your USB devices are safe might not be free. You'd just send them in to the NSA and for a small fee, they install their firmware. :twisted:

That is IF your USB manufacturer even provides new firmware. 2nd of all, most of these viruses/rootkits are "smart" enough to survive a flash. They know when they are being flashed and copy themselves to another piece of memory, most of the time RAM, and then just go right back in, making it an endless loop cycle. Unless the one remote possibility is flashing to a previous or newer firmware with different code which the virus is not intended for and is not able to replicate itself again, but yet again this is military grade sh1t we're talking about here, so that might be a false sense of security.
