I hadn’t realized they’re more than just memory:
“People look at these things and see them as nothing more than storage devices,” says Caudill. “They don’t realize there’s a reprogrammable computer in their hands.”
In an earlier interview with WIRED ahead of his Black Hat talk, Berlin-based Nohl had said that he wouldn’t release the exploit code he’d developed because he considered the BadUSB vulnerability practically unpatchable. (He did, however, offer a proof-of-concept for Android devices.) To prevent USB devices’ firmware from being rewritten, their security architecture would need to be fundamentally redesigned, he argued, so that no code could be changed on the device without the unforgeable signature of the manufacturer. But he warned that even if that code-signing measure were put in place today, it could take 10 years or more to iron out the USB standard’s bugs and pull existing vulnerable devices out of circulation. “It’s unfixable for the most part,” Nohl said at the time. “But before even starting this arms race, USB sticks have to attempt security.”
Caudill says that by publishing their code, he and Wilson are hoping to start that security process. But even they hesitate to release every possible attack against USB devices. They’re working on another exploit that would invisibly inject malware into files as they are copied from a USB device to a computer. By hiding another USB-infecting function in that malware, Caudill says it would be possible to quickly spread the malicious code from any USB stick that’s connected to a PC and back to any new USB plugged into the infected computer. That two-way infection trick could potentially enable a USB-carried malware epidemic. Caudill considers that attack so dangerous that even he and Wilson are still debating whether to release it.
Great.
I stopped using USB sticks because as they got denser they also got slower. A 256 MB stick could be used to load a portable version of a web browser as if it were on a slightly seasoned internal hard drive; an 8 GB stick I tried might as well have been storing its contents on a remote cloud server on a goat farm in Tajikistan, and having to upload and download every time because it had no oboard cache.
“I stopped using USB sticks because as they got denser they also got slower.”
That’s because you’ve been buying the cheap ones, which are slow. Admittedly, it’s hard to find the fast ones, but I have a 32GB USB3 one that can be written to at 40+MB/s (megabytes, not megabits) and the read speed is somewhere in excess of 200MB/s, maybe even twice that.
*cough* stuxnet *cough*
You can’t trust external devices, but USB does.
You don’t have to get that fancy, either; it’s easy enough to put a virtual keyboard and/or network interface in what looks like an ordinary thumb-drive: http://www.thinkgeek.com/product/ae83/?srp=7
Why in the world would these devices allow their firmware to be rewritten by a connected device in the first place? What’s the legitimate use case?
It might have something to do with loading device drivers.
Generally you would be *offloading* a device driver, though: from the USB stick to a computer, not the other way around.
To claim it’s unpatchable is ludicrous. It’s hard to believe anyone at a black hat conference would not release their code since that’s the only way to deal with malicious code. The USB can do nothing if the connected device takes precautions (like including a secure checksum with every file it saved.) Linux could be protected in less than a day.
Firmware update on USB devices isn’t standardized. The attack would have to recognize the device, apply the correct code sequence to USB endpoints not specified by standards, and upload firmware fitting the device.
Following the comments after the article, I got the impression that -while there is an issue- it’s not as bad as the authors claim.
There’s an MCU in there?! Oh, hell yes, this just begs to be hacked into something really useful.