Only half the USB devices world over have BadUSB flaw but no one knows which half
IF you have read our article about the BadUSB, you know that a USB device can be affected by this unpatchable flaw, but exactly which USB devices are affected, we didnt know. At the PacSec security conference in Tokyo on Wednesday, hacker Karsten Nohl presented an update to his research on the fundamental insecurity of USB devices he’s dubbed BadUSB.
Nohl and his fellow researchers Jakob Lell and Sascha Krissler have analyzed every USB controller chip sold by the industry’s eight biggest vendors to see if they are affected by the BadUSB flaw.
The results: Roughly half of the chips were immune to the attack. But predicting which chip a device uses is practically impossible for the average consumer. So now it is clear that of all the USB devices available in the market approximately 50 % of those are affected by this unpatchable flaw.
What is BadUSB
If you have read the BadUSB article you did already know it. But if you havent read it, the malware which is dubbed BadUSB, reprograms embedded firmware to give USB devices new, covert and most powerful capabilities. In a demo at Black Hat security conference in Las Vegas, a USB drive was infected and showed its ability to act as a keyboard that surreptitiously types malicious commands into attached computers.
Another USB was similarly be reprogrammed to act as a network card that causes connected computers to connect to malicious sites impersonating Google, Facebook or other trusted destinations. The demo showed that similar hacks could work against Android phones when attached to targeted computers. The malware is so huge that it can work on almost any USB linked devices like Webcams, keyboards, smart phones etc.
Another couple of researchers who managed to reverse engineer the flaw, put up the PoC on Github so that other security researchers and white hat hackers can find a way to patch the flaw.
Why cant it be detected
Given the scale in which the USB devices are manufactured around the world makes it impractical to detect each and every USB device affected by BadUSB.
“It’s not like you plug [a thumbdrive] into your computer and it tells you this is a Cypress chip, and this one is a Phison chip,” says Nohl, naming two of the top USB chip manufacturers. “You really can’t check other than by opening the device and doing the analysis yourself…The scarier story is that we can’t give you a list of safe devices.”
Testing
Nohl said that his research team had made a mass test of USB controller chips sold by the industry’s biggest vendors: Phison, Alcor, Renesas, ASmedia, Genesys Logic, FTDI, Cypress and Microchip. They checked versions of each chip both by looking up its published specs and by plugging a device using it into a computer and attempting to rewrite the chip’s firmware.
The result were very unpredictable for Nohl and his associates to make a conclusive report. During testing, Nohl and his research team found that all of the USB storage controllers from Taiwanese firm Phison were vulnerable to reprogramming, while chips manufactured by ASmedia were not affected by BadUSB.
Similarly the controller chips from another major Taiwanese manufacturer Genesys were much more complex. The Genesys manufactured chips with USB 2.0 standard were immune to the attack, but new ones using the USB 3.0 standard were vulnerable.
In other categories of device like USB hubs, keyboards, webcams and mice, the results produced an even messier Excel spreadsheet of “vulnerable,” “secure,” and “inconclusive.”
Nohl said that these finding made his research go beyond the purview because Nohl had focussed on Phison manufactured USB devices as Phison had largest market share.
You can read the entire Wiki Stub made by Nohl and his associates for the vulnerable devices here.
The problem
Unlike computers where branding is considered necessary and PC manufacturers label the makers name on the configuration, USB manufactures dont. They generally use the chipset from the lowest market price supplier. This causes a brand mixing even in the same category. For instance different Kingston USB devices may use different chips from different makers at any point of time.
The cure
Nohl result also made one thing clear. The BadUSB is not effecting only the Phison make devices but almost all devices brands available in the market.
In the meantime another major USB manufacturer Imation is taking some precautions against the BadUSB. From now on, Imation-owned USB maker Ironkey requires that any new updates to its thumbdrives’ firmware be signed with an unforgeable cryptographic signature that prevents malicious reprogramming. Nohl said that if other USB makers could follow that model the vulnerability could disappear over time.
