In this article, we will focus on a new family of malware: the BadUSB attacks.
The BadUSB attack is a recent discovery (while the principle isn’t new in itself) and makes it possible to turn any USB device into a cyber weapon able to inject malicious code into a computer immediately and without being detected.
BadUSB exploits the fact that a great variety of different devices connect through USB connectors. By changing the behavior of the USB micro-controller of a “normal” device, such as a USB memory stick, BadUSB can turn it into something totally different, such as a keyboard or a network card.
It is enough to plug the modified (BadUSB) device into a computer: the rogue device can then execute commands or inject malicious software without the owner’s prior knowledge or consent.
In some attacks, the BadUSB software transforms the firmware of the USB device so that it appears as a keyboard to the operating system. For example, the ‘DIY’ Rubber Ducky USB is a commercial hacking package ($45) that injects about 1,000 words per minute into a computer once it is inserted.
BadUSB attacks are dangerous because most antivirus and malware scanners have no way to access the firmware on USB devices and therefore cannot protect the computer.
Any computer with a reachable USB port is potentially vulnerable. This is particularly true for industrial systems, where malevolent code can be injected into critical devices just by plugging a USB device into them for a few seconds.
Here is a list of attacks that malicious BadUSB devices are able to perform:
USB (“Universal Serial Bus”) is a serial communication protocol. Any device with a USB male connector can be plugged into one of the USB ports of a ‘modern’ computer. The way a computer reacts to a USB device being plugged into it is dictated by the USB protocol. The computer implements its side of the protocol (usually as a USB host controller on the motherboard), while the USB device implements its side in firmware. Nothing prevents someone from building variants of USB controllers that, for example, copy the data being transferred to some alternate backup storage. In fact, such a thing exists as a USB protocol analyzer (a ‘USB spy’), dedicated hardware used to debug USB implementations. In the same way, it is possible to implement a USB pseudo-keyboard on a small electronic board and put it into something that looks like the enclosure of a USB stick. The pseudo-keyboard identifies itself as a keyboard HID device and is immediately trusted by the operating system.
Virtually anything that can be miniaturized into a USB stick form factor can be inserted. For example:
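The “identifies itself as a keyboard HID device” step above happens during enumeration, when the host reads the device’s configuration descriptor and decides which driver to bind from the interface class codes it finds there. The following added example (written for this article, not code from the original post or from any BadUSB project) parses that descriptor blob the way a host does and flags a device that enumerates as mass storage but also exposes a boot-protocol keyboard interface. The two descriptor blobs are constructed inline for the example; the field layouts and class codes are the standard USB 2.0 and HID ones.

```python
import struct

# Descriptor type codes from the USB 2.0 specification (chapter 9) and the HID class spec.
DT_CONFIGURATION, DT_INTERFACE, DT_ENDPOINT, DT_HID = 0x02, 0x04, 0x05, 0x21

# Interface class / subclass / protocol codes used in this example.
CLASS_HID, CLASS_MASS_STORAGE = 0x03, 0x08
HID_SUBCLASS_BOOT, HID_PROTOCOL_KEYBOARD = 0x01, 0x01
MSC_SUBCLASS_SCSI, MSC_PROTOCOL_BULK_ONLY = 0x06, 0x50


def parse_descriptors(blob: bytes) -> list:
    """Walk a configuration descriptor blob (what the host reads during enumeration)
    and return one dict per descriptor, in order. Unknown types are kept as opaque."""
    out, pos = [], 0
    while pos < len(blob):
        if pos + 2 > len(blob):
            raise ValueError(f"truncated descriptor header at offset {pos}")
        length, dtype = blob[pos], blob[pos + 1]
        if length < 2 or pos + length > len(blob):
            raise ValueError(f"malformed descriptor at offset {pos}")
        body = blob[pos:pos + length]
        if dtype == DT_CONFIGURATION and length >= 9:
            total_length, num_interfaces = struct.unpack_from("<HB", body, 2)
            out.append({"type": "configuration", "total_length": total_length,
                        "num_interfaces": num_interfaces})
        elif dtype == DT_INTERFACE and length >= 9:
            number, _alt, num_ep, cls, sub, proto = struct.unpack_from("<BBBBBB", body, 2)
            out.append({"type": "interface", "number": number, "endpoints": num_ep,
                        "class": cls, "subclass": sub, "protocol": proto})
        elif dtype == DT_ENDPOINT and length >= 7:
            address, attributes = struct.unpack_from("<BB", body, 2)
            out.append({"type": "endpoint", "address": address, "transfer": attributes & 0x03})
        else:
            out.append({"type": "other", "descriptor_type": dtype})
        pos += length
    return out


def interface_summary(blob: bytes) -> list:
    """(number, class, subclass, protocol) for each interface the device exposes."""
    cfg = parse_descriptors(blob)
    if not cfg or cfg[0]["type"] != "configuration" or cfg[0]["total_length"] != len(blob):
        raise ValueError("wTotalLength does not match the data the device returned")
    return [(d["number"], d["class"], d["subclass"], d["protocol"])
            for d in cfg if d["type"] == "interface"]


def exposes_keyboard(blob: bytes) -> bool:
    """True if any interface is an HID boot-protocol keyboard, the interface through
    which a keystroke-injecting device delivers its input."""
    return any(cls == CLASS_HID and sub == HID_SUBCLASS_BOOT and proto == HID_PROTOCOL_KEYBOARD
               for _, cls, sub, proto in interface_summary(blob))


def hidden_keyboard(blob: bytes) -> bool:
    """True when one configuration presents mass storage *and* a keyboard: a 'stick'
    that also wants to type is exactly what a host-side policy should stop and ask about."""
    classes = {cls for _, cls, _, _ in interface_summary(blob)}
    return CLASS_MASS_STORAGE in classes and exposes_keyboard(blob)


# --- constructed sample descriptors (not captured from any real device) -------------
def _interface(number, num_ep, cls, sub, proto, extra=b""):
    # bLength, bDescriptorType, bInterfaceNumber, bAlternateSetting, bNumEndpoints,
    # bInterfaceClass, bInterfaceSubClass, bInterfaceProtocol, iInterface
    return struct.pack("<BBBBBBBBB", 9, DT_INTERFACE, number, 0, num_ep, cls, sub, proto, 0) + extra

def _endpoint(address, attributes, max_packet, interval):
    return struct.pack("<BBBBHB", 7, DT_ENDPOINT, address, attributes, max_packet, interval)

def _hid_descriptor(report_len):
    # bLength, bDescriptorType, bcdHID, bCountryCode, bNumDescriptors, bDescriptorType, wDescriptorLength
    return struct.pack("<BBHBBBH", 9, DT_HID, 0x0111, 0, 1, 0x22, report_len)

def build_config(interfaces):
    body = b"".join(interfaces)
    # bLength, bDescriptorType, wTotalLength, bNumInterfaces, bConfigurationValue,
    # iConfiguration, bmAttributes (bus powered), bMaxPower (2 mA units)
    header = struct.pack("<BBHBBBBB", 9, DT_CONFIGURATION, 9 + len(body), len(interfaces), 1, 0, 0x80, 50)
    return header + body

MSC_IFACE = (_interface(0, 2, CLASS_MASS_STORAGE, MSC_SUBCLASS_SCSI, MSC_PROTOCOL_BULK_ONLY)
             + _endpoint(0x81, 0x02, 512, 0) + _endpoint(0x02, 0x02, 512, 0))
KBD_IFACE = (_interface(1, 1, CLASS_HID, HID_SUBCLASS_BOOT, HID_PROTOCOL_KEYBOARD, _hid_descriptor(63))
             + _endpoint(0x82, 0x03, 8, 10))

BENIGN_STICK = build_config([MSC_IFACE])             # storage only
BADUSB_STICK = build_config([MSC_IFACE, KBD_IFACE])  # storage plus a keyboard in one config

if __name__ == "__main__":
    for name, blob in (("benign stick", BENIGN_STICK), ("badusb stick", BADUSB_STICK)):
        print(name, interface_summary(blob), "hidden keyboard:", hidden_keyboard(blob))
```

The check only catches the composite case. A device that enumerates solely as a keyboard is, at this level, indistinguishable from a real keyboard, and a device can re-enumerate with a different configuration after the host has already trusted it; that is why the keyboard-authorization procedure described later in this article asks the user rather than the descriptors.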
One of the most striking BadUSB devices is the USB charging cable (or USB adapter), the kind used all over the world to recharge smartphones.
Some security experts managed to build a BadUSB version of a ‘standard’ USB charging cable (codename ‘USB harpoon’) which is able to compromise a computer almost instantly. Once the fake charging cable is inserted, it activates as a device able to send commands to the host computer. Some attacks even involve the physical destruction of the computer by charge overload!
Because of the nature of the attack, few preventive measures are possible. Some antivirus companies have developed BadUSB attack prevention components. They prevent BadUSB devices from emulating a keyboard with the following trick:
Once a USB device connects to the computer and is identified by the operating system as a keyboard, the antivirus requires the user to type, on the ‘new’ USB keyboard, a numerical challenge code generated by the antivirus. This procedure is known as keyboard authorization. The antivirus therefore only allows the use of an authorized keyboard and blocks any keyboard that has not been authorized.
Even if resident security software cannot block the BadUSB device itself, it can still detect the malware launched from it.
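The keyboard-authorization procedure just described, modelled as an added example (my own illustration, not the code of any antivirus product): every newly enumerated keyboard starts in a pending state, the challenge is shown on screen and never sent over USB, and no keystroke from the device reaches an application until the device has typed the challenge back. A pre-scripted device only knows its payload, so it exhausts its attempts and is blocked. The device identifiers and the payload string are constructed for the example.

```python
import secrets
import string


class KeyboardAuthorizer:
    """Model of the keyboard-authorization check: a newly attached keyboard must type
    back a random numeric challenge that is displayed on screen (never sent to the device)
    before any of its keystrokes are delivered to applications."""

    def __init__(self, code_length: int = 4, max_failures: int = 3, rng=secrets):
        self.code_length = code_length
        self.max_failures = max_failures
        self.rng = rng                   # anything with .choice(); secrets by default
        self.pending = {}                # device_id -> {"code", "typed", "failures"}
        self.authorized = set()
        self.blocked = set()

    def attach(self, device_id: str) -> str:
        """Called when the OS enumerates a new HID keyboard. Returns the challenge to display."""
        code = "".join(self.rng.choice(string.digits) for _ in range(self.code_length))
        self.pending[device_id] = {"code": code, "typed": "", "failures": 0}
        return code

    def keystroke(self, device_id: str, char: str) -> bool:
        """Filter one keystroke. Returns True if it may be forwarded to applications."""
        if device_id in self.authorized:
            return True
        state = self.pending.get(device_id)
        if state is None:                # blocked, or never enumerated: drop silently
            return False
        state["typed"] += char
        if state["code"].startswith(state["typed"]):
            if state["typed"] == state["code"]:
                self.authorized.add(device_id)
                del self.pending[device_id]
            return False                 # challenge digits are consumed, never forwarded
        # Wrong character: a human gets a few retries from scratch; a scripted payload
        # that does not know the code burns through them and is blocked.
        state["typed"] = ""
        state["failures"] += 1
        if state["failures"] >= self.max_failures:
            self.blocked.add(device_id)
            del self.pending[device_id]
        return False

    def feed(self, device_id: str, text: str) -> str:
        """Push a string of keystrokes and return the part that reached applications."""
        return "".join(c for c in text if self.keystroke(device_id, c))

    def status(self, device_id: str) -> str:
        if device_id in self.authorized:
            return "authorized"
        if device_id in self.blocked:
            return "blocked"
        return "pending" if device_id in self.pending else "unknown"


if __name__ == "__main__":
    auth = KeyboardAuthorizer()
    code = auth.attach("real-keyboard")          # constructed device id
    print("challenge shown to user:", code)
    auth.feed("real-keyboard", code)             # the user types it back
    print("real keyboard:", auth.status("real-keyboard"), repr(auth.feed("real-keyboard", "hello")))

    auth.attach("scripted-stick")                # constructed: a device that only types its payload
    print("scripted stick:", repr(auth.feed("scripted-stick", "notepad\n")), auth.status("scripted-stick"))
```

The model decides on content only. The 1,000-words-per-minute figure quoted earlier for the Rubber Ducky suggests a complementary check a real product can add, a timestamp per keystroke and a rate threshold no human reaches, but the authorization step above is what stops a scripted device that paces itself like a person.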
One possible remedy against BadUSB attacks would be to modify the USB standard so that fingerprints or handshakes identify devices with certainty.
USB manufacturers are certainly looking seriously into the issue. Still, this is unlikely to happen soon, since the USB standard involves many blue-chip corporations which must all agree before changes are made.
It is possible to allow only specific drivers to be installed, identified by their GUID. It is also possible to restrict authorization for the installation of USB devices such as keyboards.
Some companies sell USB hardware firewalls that sit between a computer and other USB devices. The firewall filters the commands sent to the USB guest device.
Finally, the following checklist should be performed by the user.
If the answer is not ‘yes’ to all the checks, the USB device should not be trusted, at least in a sensitive environment which could be targeted by spies or by other malevolent actions.