Imagine if you had to throw away your USB devices after letting someone else use them.
That USB key with the PowerPoint file on it that you loaded onto the projector at a conference?
Your mouse, selflessly lent to a fellow traveller while you both were waiting at the airport?
Might as well leave it behind with the complimentary newspaper.
The cool new outdoor action camera you plugged into your friend’s laptop after a day of bike riding in the mountains?
Oh no! Not the cool new camera!
Well, according to a paper coming up at the BlackHat 2014 conference, that’s where we might be heading if we’re not careful.
Influential security researcher Karsten Nohl and his colleague Jakob Lell will be talking on the topic BadUSB – On Accessories that Turn Evil, dealing with the problem of whether to trust a USB device or not.
The problem with USB
Here’s a very coarse guide to the problem that Kohl and Lell will be digging into:
1. USB devices (e.g. data sticks, keyboards) contain a tiny computer and some firmware.
The firmware is essentially a special software program – a miniature operating system, if you like – that makes the device work.
The firmware operates at a low level; it is usually programmed into the device in the factory and often forgotten about thereafter.
2. You have to take it as an act of faith that a USB device has firmware that does what it’s supposed to.
For example, you assume that a USB data storage device doesn’t fiddle with your data when you read it back; you assume your keyboard doesn’t sneakily type in extra characters when you aren’t looking; and so on.
There isn’t a straightforward way to deal with issue (2).
But a bit of care will go a long way, for example by buying reputable brands, and sticking with products you trust.
Except for the fact that:
3. The firmware on many USB devices can be sneakily reprogrammed whenever the device is plugged into an untrusted computer.
The designers of budget USB devices generally don’t build in any safeguards to stop you changing the firmware without warning.
So, in theory, even if you solve problem (2) by taking great care with your supply chain, you’re scuppered as soon as you plug your USB device into anyone else’s computer.
Malicious software on that computer could modify your USB firmware, and you’d be none the wiser.
And that would be a huge security risk.
Imagine a USB flash drive that deliberately alters the contents of previously-stored data sectors when you read them back in, but only the second time they are accessed.
So you’d write your backup files, read them back once for verification and they’d be fine.
But try to read them next month when you urgently need to restore your backup for real, and the files will be corrupted.
Or imagine a USB keyboard that turns, without warning, into a covert keylogger.
Or imagine a virus like Stuxnet that spreads via your mouse, not via a flash drive.
What to do?
Nohl and Lell will be giving us some ideas on how to mitigate the risks in their forthcoming talk.
And, as we’ve mentioned before, Naked Security writer Chester Wisniewski will be at BlackHat 2014, and I’m going to be linking up with him during the event to record a special episode of the Sophos Security Chet Chat podcast.
So I’ll be sure to ask him what he thinks we can do to mitigate this problem!
What I’d like to see, not just on USB devices but on all sorts of reflashable hardware components, is some sort of physical interlock for updates.
A simple switch or button that would electronically block firmware writes unless it were toggled or pressed would, in my opinion, help a great deal.
It wouldn’t stop an attacker from Trojanising one of your devices while your back was turned, but it would let you plug that cool new outdoor action camera into your friend’s laptop without fear.
Many other sorts of device use interlocks to improve safety and security: some motorycles, for instance, have sensors that cut the engine if you try to ride off with the sidestand down.
Why not a similar sort of accident-prevention interlock switch for reflashable computer devices?