In a gambit aimed at driving manufacturers to beef up protections for USB flash drive firmware, two security researchers have released a collection of tools that can be used to turn those drives into silent malware installers.
The code release by researchers Adam Caudill and Brandon Wilson comes two months after researchers from Berlin-based Security Research Labs (SRLabs) demonstrated an attack dubbed BadUSB at the Black Hat security conference in Las Vegas.
The BadUSB attack showed how a USB thumb drive connected to a computer can automatically switch its profile to a keyboard -- and send keystrokes to download and install malware -- or emulate the profile of a network controller to hijack DNS settings.
The attack requires modifying the firmware on the USB controller, which can easily be done from inside the OS, the SRLabs researchers said at the time. However, they didn't release any tools or details on how to do it, because the vulnerability doesn't have an easy fix, they said.
This prompted Caudill and Wilson to replicate the attack in order to better understand how it works and the security risks it poses to computer users. They presented their findings last Friday at the Derbycon security conference in Louisville, Kentucky, but unlike the SRLabs researchers they actually released the tools they used, complete with firmware patches, payloads and documentation.
During their Derbycon demonstration, which is available on YouTube, the two researchers replicated the emulated keyboard attack, but also showed how to create a hidden partition on thumb drives to defeat forensic tools and how to bypass the password for protected partitions on some USB drives that provide such a feature.
The published tools were designed to work with thumb drives that use a USB controller called Phison 2251-03. However, they can easily be adapted to work for other controllers designed by Phison Electronics, a Taiwanese electronics company, the researchers said during their presentation. Phison controllers are found in a very large number of USB thumb drives available on the market.
"We really hope that releasing this will push device manufactures to insist on signed firmware updates, and that Phison will add support for signed updates to all of the controllers it sells," Caudill said in a blog post. "Phison isn't the only player here, though they are the most common -- I'd love to see them take the lead in improving security for these devices."
Unfortunately, there really aren't any good options to defend against such attacks, Wilson said during the presentation. "You're dealing with a tiny little computer that has complete control over what happens over USB, so it can lie to you, it can do whatever."
One way to prevent attacks would be for manufacturers to require signed firmware updates for USB controllers or to disable the ability to change the firmware once a device leaves the factory. Some vendors might already do this, but many don't. And even if more manufacturers start doing this, the millions of existing insecure USB thumb drives will linger on for years and users will have a hard time telling them apart.