This post was originally published on October 13, 2014.
When you were younger your mother probably let you play outside all the time but with the understanding that you wouldn’t talk to strangers.
Times have changed since then though and now no parent would risk letting their child out of their sight for too long – the risks are just far too great these days and the consequences of a bad decision can be both tragic and permanent.
But you’re lucky – you learned a lesson that will stay with you forever and not only make you a better parent but a safer computer user too. After all, if you wouldn’t trust a strange person, why would you trust an email attachment or a USB stick of unknown origin?
Alas, not everyone is quite so savvy though.
Socially engineered inducements aside, even the more obvious lures are often overlooked by the click-happy user who has become used to opening everything and anything from sources they believe they can trust as well as those they really should be dubious of.
The good news is that such a lapse in secure methods of working can be combated to varying degrees by security awareness training which, thankfully, is increasingly available via government initiatives and through employee schemes which are designed primarily to protect business data but which can be useful for the user at home too.
The not-so-good news is that even an awareness of potential security headaches can prove insufficient at times, as evidenced by a sneaky new malware delivery option discovered by two researchers from German security company SR Labs.
At the end of July, Jakob Lell and Karsten Nohl used the Black Hat conference in LA as an opportunity to demonstrate how it may be possible to take the firmware within a USB stick and reprogram it with something far more malicious in nature.
Given the seriousness of the attacks that could ensue, Lell and Nohl decided to keep the coding to themselves in a move which could arguably be worthy of criticism because publication could have led to countermeasures being developed.
USB Malware
Nevertheless BadUSB, which the pair described as an attack vector which could be “installed on a USB device to completely take over a PC, invisibly alter files installed from the memory stick, or even redirect the user’s internet traffic,” has now been built upon by researchers Adam Caudill and Brandon Wilson who have uploaded the code to software repository GitHub where any interested party can download it from.
Their decision, which of course puts the code within easy reach of the bad guys, is a strategy with some level of risk attached but, as the pair told the Derbycon hacker conference in Louisville Kentucky a fortnight ago, such information “shouldn’t be held back,” with Caudill saying “If you’re going to prove that there’s a flaw, you need to release the material so people can defend against it.”
Now that the information is out there, and easy to find, the emphasis on fixing the flaw has been shifted very firmly onto the shoulders of those who provide the hardware – those companies that manufacture and market USB sticks – and neither are likely to react quickly.
In the meantime, companies and individuals who rely upon USB sticks have two distinct options apart from waiting – they can either be extremely careful about what they slide into their USB slots or they can take their chances with a semi-patch put forward by Caudill and Wilson.
The duo’s ‘Add no-boot-mode’ patch has limited usefulness as it requires a manual modification and does not work with every device. It also doesn’t prevent firmware reprogramming if an attacker has physical access to a drive – another fiddly fix is required for that which involves using epoxy to block ‘pin shorting’ of the device.
Caudill, talking to Wired, explained how physically preventing a ‘hard reset’ on a USB device could help:
“With boot mode disabled an attacker can still alter a USB stick’s firmware if he or she has physical access to a thumb drive, using a technique called “pin shorting.” That method involves plugging the drive into a computer while placing a piece of conductive metal across two or three of the pins that connect the controller chip to the USB stick’s circuit board.”
While such an attack is not overly likely to affect you, it would be extremely damaging if it did. Therefore we recommend thinking very carefully before using a USB stick unless you know where it has come from and what it has been used for. As for ‘pin shorting’ that’s something that is very much ‘at your own risk’ should you decide to attempt it.