It’s Official: Half of USB Devices Have Unpatchable Security Flaws
Following up our article on BadUSB malware, the security researchers that discovered the vulnerability have since tested the USB controller chips from eight of the major suppliers. Hacker Karsten Nohl presented at the recent PacSec security conference in Tokyo that he and his fellow researchers Jakob Lell and Sascha Krissler have analyzed every USB controller chip sold by the industry’s most prominent vendors to see if they are vulnerable. The good news is that they found that the exploit can only affect about half of USB devices. The bad news is that it is nearly impossible to identify which devices are secure without physically disassembling every last device and identifying its USB chips:
“It’s not like you plug [a thumbdrive] into your computer and it tells you this is a Cypress chip, and this one is a Phison chip,” says Nohl, citing two of the top USB chip manufacturers. “You really can’t check other than by opening the device and doing the analysis yourself…The scarier story is that we can’t give you a list of safe devices.”
Nohl’s continuing research is in response to critics who argued that his original BadUSB presentation was too narrowly focused on chipmaker Phison. Subsequently, Nohl’s team tested the vulnerability of USB controller chips sold by the industry’s biggest vendors: Phison, Alcor, Renesas, ASmedia, Genesys Logic, FTDI, Cypress, and Microchip. Their methodology included checking the versions of each chip by analyzing their published specifications and plugging it into a PC and attempting to rewrite the chip’s firmware. The test results were largely unpredictable, and each USB controller chip/device was rated as “vulnerable,” “secure,” or “inconclusive”:
- All of the USB storage controllers from Taiwanese firm Phison were vulnerable to reprogramming.
- USB storage controllers from ASmedia were not.
- USB controller chips from Taiwanese company Genesys that used the USB 2 standard were not vulnerable, but those that used USB 3 standard were.
- Other USB devices, such as USB hubs, keyboards, webcams, and mice were even more unpredictable.
Nohl’s team also discovered that at least one company already protects against BadUSB attacks: USB device maker Imation employs its Ironkey technology that requires any new firmware updates to its USB flash-memory “thumbdrives” are signed with an “un-forgeable” cryptographic signature that prevents malicious reprogramming. On the other hand, security researcher Richard Harman subsequently found that the popular flash-memory vendor Kingston uses USB chips from up to a half-dozen different companies. Nevertheless, Nohl says that some of the USB controller chips that were found to be immune were protected “by accident” and were deliberately custom-designed (“defeatured”) for unique applications for economical considerations that oh-by-the-way, also makes them immune to reprogramming. However, Nohl warns that “every chip that could be reprogrammable is reprogrammable,” and vulnerable to BadUSB..
In summary, Nohl states that because of lack of transparency (openly identifying the source of the USB controller chips), and the unpredictable mix of secure and insecure USB controller chips, practically every device produced by the USB device industry is suspect.
As we noted previously, the solution is not a patch. We will have to fundamentally change how we use USB devices. To avoid an attack, you do not connect your USB device to computers you don’t own, or don’t have good reason to trust. Conversely, you don’t plug an mistrusted USB device into your own computer.
And, as we also noted previously, for the security-conscious printer/copier industry, this probably means the death of USB convenience ports that are located on the control panel of a printer or MFP or print controller, as well as those found on the back of some devices to facilitate firmware upgrades, PictBridge printing, and peripheral attachment. At the very least, this news should spur the manufacturers to: 1) eliminate USB ports altogether; 2) provide the concrete ability to lock them down both electronically and physically; 3) secure firmware related to said USB ports; and 4) re-consider their marketing strategies when it comes to USB. Finally, providers of USB-based solutions will have to re-group and consider a fundamental re-design of their solutions.
- ‘BadUSB’ Malware Has Effectively Killed USB Devices in the Enterprise
- About Imation’s Ironkey USB Security Schema
- Security Researchers Publish Code for BadUSB Malware on GitHub
- Nohl and Associates Publish List of Vulnerable USB Devices
Like this content? Help keep it coming.