AidanMontareDotNet

You are on the old part of aidanmontare.net, which I am no longer maintaining. Newer versions of some of this content can be found on the active part of my site, which you can reach from my homepage.

Thoughts on BadUSB

(last updated

The bad USB vulnerability has caused a lot of panic over the potential for evil USB thumb drives doing all sorts of nasty things. Listening to Security Now! cover the topic, I think it seems reasonable to have USB devices with read-only memory so that their firmware cannot be reprogrammed with malware, though I’m not sure if many manufacturers will want to spend the money to do this.

Even if they did, a problem still remains. If a standard consumer USB device can be manipulated to become evil, then it is possible for dedicated hackers to create their own custom evil USB devices. If manufacturers fix the vulnerabilities in their devices, the weaknesses in the OS’s handling of USB devices still allows a custom device to perform the same trickery.

Granted, the level of difficulty required to make a custom evil USB device provides some level of security, and fixing commercial devices is an important step to prevent other people’s infected computers from compromising your USB devices. However, it is a dangerous assumption to rely on difficulty of attack to protect computers, and so I think OS developers should create a more secure way of handling USB devices.

I think the solution suggested in Security Now! Episode 467 is a good start. A simple dialogue asking to grant privileges to a device, like the dialogues seen when installing applications on a mobile device, would prevent USB devices from being able to spoof their device types. However, even this would not prevent all attacks. Some potential attacks might involve bad firmware that does not change device types, but simply does malicious things, such as modifying files on a filesystem. Since the device type would not change, even a permissions system would not block these types of attacks, but it would be a significant step forward.

Unfortunately, there doesn’t seem an easy way out of this problem. BadUSB is inherit to the way USB works, and there is no easy patch to install and fix all our problems. I would like to see USB device manufacturers make thumb drives with read-only firmware. Security-conscious people could then make sure to only use those drives when transferring files to other people’s computers. Additionally, it would be nice to see operating system designers add some sort of permissions structure for device interfaces in order so that users can catch malicious devices. Any Linux developers out there who want to get started on this?