
Why the Security of USB Is Fundamentally Broken - justinpaulson
http://www.wired.com/2014/07/usb-security/
======
JackC
To the skeptics here -- the problem is that malware can turn one kind of USB
device into another kind of USB device, and that creates a massive attack
surface given the scope of USB.

Check out all the things that a USB device can claim to be.[1] You don't just
need your OS to be secure against a malicious storage device; you need it to
be secure against a malicious keyboard and mouse, speaker/microphone/sound
card, printer/scanner, CNC machine, webcam, ethernet or wifi adapter,
bluetooth adapter, infrared adapter, RNDIS adapter (whatever the heck that is,
but it's supported by BSD as well as Windows), an ActiveSync device, a smart
card reader, a fingerprint reader ...

As I understand it (and I wouldn't mind being wrong), a hostile USB stick
could claim to be a hub running all of these at once, and orchestrate them in
an attack. Consumer-oriented OSes will happily load up standard drivers to
talk to most of them in an attempt to be user-friendly, each with their own
hooks into the OS. And the hostile device can detect what OS and probably
specific hardware it's talking to,[2] so it can target an attack at the
drivers that are likely to exist.

If that's true, I don't see how anyone could be confident that such a stack
could ever be secured on the OS side. A secure bulk storage driver is one
thing, but your laptop has to be secure against a hostile keyboard working
with a hostile CNC machine, sound card, and ethernet device?

At a minimum it seems like devices should be locked at the hardware level to
the kind of device that they are. Code signing makes a lot of sense too,
although it's sad to lose the (hypothetical?) ability to install alternative
drivers.

[1]
[http://en.wikipedia.org/wiki/USB#Device_classes](http://en.wikipedia.org/wiki/USB#Device_classes)
[2]
[http://ix.cs.uoregon.edu/~butler/pubs/sadfe11.pdf](http://ix.cs.uoregon.edu/~butler/pubs/sadfe11.pdf)

~~~
eevilspock
Seems to me that pluggable USB is no different from installable software. So
why not just the same sort of sandbox + permissions model that iOS/Android
apps live in?

Discussed in other thread:
[https://news.ycombinator.com/item?id=8115002](https://news.ycombinator.com/item?id=8115002)

~~~
Burz
Qubes OS is evolving in this direction for all peripheral devices (even some
of the ones on the motherboard such as NICs). USB is taking more time, but
controllers will in future automatically be sandboxed in Service VMs. For now,
a Qubes user can quickly create their own USBVM that uses the system IOMMU (if
present) to reassign USB controllers to that VM; Likewise, you can also assign
particular USB controllers to individual VMs. These VMs can be selected for
autostart at boot time with a couple mouse clicks.

A more granular and hence flexible way to sandbox and handle USB devices will
be coming to Qubes by way of Xen's PV USB feature.

[https://qubes-os.org](https://qubes-os.org)

------
taeric
Seems the problem is basically one of "physical access to the machine is hard
to secure against." Combining with "multi purpose computing device attached to
your computer is dangerous."

Would it not be simple to offer up "non generic" USB port support? That is,
the problem is that plugging a USB device could be plugging in a variety of
things, which makes it tough. You have to assume that every stack on your
machine is hardened against attack.

Instead, make it so that a user can designate that a port can only be used by
mass storage devices or keyboards. A basic UI could be devised showing all of
the ports and what is expected to be plugged in to them. If something
different is actually plugged in, it is not allowed to connect.

That make sense? Something like this already exist?

~~~
Phoshi
So, essentially a Specific Serial Buss? We'd be going back to pre-USB times,
except without the advantage of differently shaped connectors.

~~~
taeric
Yes, except I'm saying to do it by software. Make sense? The port _could_ take
in anything. But there is no reason for it to expect anything. It should
really only expect things I have indicated for it to expect.

~~~
smacktoward
Wouldn't that just end up working like this?

1) User finds USB stick in parking lot

2) User takes USB stick back to desk and plugs it into workstation

3) Workstation throws up a dialog saying "Hey! I don't recognize that thing
you just plugged in! Are you sure you want to let it connect?"

4) User blindly clicks "OK" on dialog without reading it while surfing porn in
another window

~~~
taeric
The UI should instead say "The device plugged in is not a storage token" or
some such. Even better if it lists what the device is claiming to be.

And, really, if we are concerned with people blindly clicking "OK", I'm not
sure of what you can do.

------
jwcacces
“These problems can’t be patched,” says Nohl, who will join Lell in presenting
the research at the Black Hat security conference in Las Vegas. “We’re
exploiting the very way that USB is designed.”

‘In this new way of thinking, you have to consider a USB infected and throw it
away as soon as it touches a non-trusted computer.’

So now we need a USB abstinence campaign?

When you have a USB with someone, you are having a USB with everyone they had
a USB with for the last ten years, and everyone they and their partners have
had a USB with for the last ten years.

Also, we're just calling it a USB now? Not a USB thumbdrive, USB hard drive,
or whatever? This article sounds like it was written by my mom.

~~~
bitJericho
It most surely can be patched. Allow a USB device to offer up a signature that
the PC can verify. The CA would be the manufacturer which has a private key
for each USB key manufactured (so hackers can't steal one private key and copy
it). Make sure the manufacturer revokes keys that are compromised. Bam,
instant manufacturer guarantee that the hardware is genuine. That is, until
the private key is uncovered by the hackers, but that's what expiration dates
are for I suppose.

~~~
admax88q
The firmware on a USB stick should not be writeable.

When will you ever update the firmware on your storage device. Never, USB
sticks are cheap and disposable. Mass produced ones should have their firmware
burned into ROM.

~~~
taeric
This does nothing to protect you. Malicious users will just make their own usb
stick. The parts aren't exactly expensive.

~~~
MereInterest
Of course it does something to protect me. It means that I can plug my USB
drive into a friend's computer, then plug it back into my own computer without
worry.

~~~
taeric
Only if you fully trust the entire supply chain down to you. Do you have any
way to verify that the mass storage device you bought was not a forgery?

~~~
MereInterest
I'm not aiming for perfection, just aiming to improve. It is easier for me to
trust that the sealed USB drive I bought has not been tampered with than it is
for me to trust that all of my friends are knowledgeable and avoid malware.

~~~
mikemoka
yes I agree that this looks like a good step, vendors should also probably
release some tools to verify the integrity of their firmwares if possible.

------
pjc50
Seems to be lacking in technical detail.

I suppose the fundamental problem is treating the thing on the other end of
the wire as a "peripheral" (i.e. _inside_ the computer's logical boundary)
rather than as another computer on the end of a network (which might be
expected to be hostile).

Firewire and Thunderbolt are much worse: the peripheral has potential DMA
access to the whole of system memory.
[http://support.microsoft.com/kb/2516445](http://support.microsoft.com/kb/2516445)

------
riskable
This article is severely lacking in actual information. They also make no
distinction between Windows, Macs, or Linux. I seriously doubt that if I plug
in an infected USB device to my Linux laptop its firmware will be able to
alter the DNS settings (/etc/resolv.conf which is owned by root). That sounds
like a very OS-specific (probably Windows-specific) vulnerability. My best
guess is it has something to do with the "automated whether you want it to be
or not" printer driver installation mechanism whereby Windows PCs inherently
trust the driver that's provided by the device.

The ability to modify the data as it's copied seems like the only _actual_
vulnerability to me. As in, I write some executable to the USB drive and the
firmware modifies the executable to perform other functions. Once the file is
copied off of the device though it should be pretty easy to detect such
shenanigans with something as simple as a hash check.

You could also have separate flash storage on the device that isn't visible to
the OS where you could store whatever data you want but that's less of a
concern when you consider that a perhipheral like a keyboard can't record the
keystrokes of another perhipheral (not directly, anyway--you'd have to get the
user to execute some malware).

~~~
jagermo
This kind of attack has been around for some time, but so far you needed a
special, programmable chip for that. And yes, it can attack nearly every OS,
including Linux.

Check out this for more information: [https://github.com/hak5darren/USB-
Rubber-Ducky/wiki](https://github.com/hak5darren/USB-Rubber-Ducky/wiki)

~~~
riskable
The USB Rubber Ducky just emulates a keyboard. That's not a vulnerability,
really. Unless I'm actively logged in it won't compromise anything. It just
speeds up the process of installing back doors (and the like) if you've
already got physical access to a system that is already logged in.

I could do the same with any $5 Arduino Leonardo device (of which I have
several).

------
mschuster91
This applies to _all_ USB devices indeed and can even be made OS-agnostic.

USB stacks have been proven to be buggy (one of the PS3 exploits iirc used a
modified Android phone giving malformed USB descriptors to the host). Add DMA
to the mix and you have root access...

~~~
j_s
This is an interesting statement; I'm not sure how you can substantiate it --
I will not be able to evaluate the impact of the vulnerabilities until
everything is published after the Black Hat presentation next week.

I looked to see if USB could 'do' DMA (similar to i1394) and the general
consensus seemed to be that it was in the hands of drivers several layers
below what was normally accessible to device developers - so unlikely but
perhaps possible if there was an exploit. (It sounds like all DMA by the USB
device would have to go through driver software on the computer, instead of
direct memory access as is possible with firewire.)
[http://www.osronline.com/showthread.cfm?link=243802](http://www.osronline.com/showthread.cfm?link=243802)

This all sounds similar to how 3d graphics drivers are a new security frontier
as web browsers rush to support arbitrary shaders: any usb device can claim to
be something with a 'ships-with-the-OS' exploitable driver (eg. a 10-year-old
usb network adapter) and then pop the exploit to run arbitrary code with
device driver level access.

The solution will require sandboxing device drivers (in user-space or with
virtualization) and will probably affect performance to such a degree that it
will have to support opt-out.

~~~
mschuster91
Unfortunately I'm on mobile so cannot do any further research.

I'd just google for ps3 usb exploit, that should give you the iformation.

The DMA stuff was basically just imagination. With Firewire, it has been
proven to work as the port itself gives DMA access. USB has something like
this not built-in, but most people use the same or similar controller
chipsets, so that, like in GSM baseband processors, a single exploit could
target loads of devices.

The main problem is that hardware was usually built with full trust in mind...
I wonder what Lightning does, given it is essentially a PCI lane in optic
wire. Lightning stuff is hellish expensive at the moment, but I'm just
waiting...

------
erikb
Does USB promise any security? If so I never heard about it before. Otherwise
it's not much surprise that an unsecured protocol is not secure, though.

~~~
mhurron
> Does USB promise any security

I don't believe so. It's just a bus and protocol for easily connecting
external peripherals and it doesn't look like it does much else.

Others have compared it to networking technologies, but a more apt comparison
for its use and design would be the PCI r PCI-E bus. You're connecting things
to act as the local machine, by that point you're implicitly trusting them.

------
hamiltonkibbe
By this logic, if "USB" (the bus) is broken, so are i2c, SPI, etc. PS/2 is
equally broken, because a nefarious PS/2 keyboard or mouse can do exactly what
that USB thumbdrive can do too. Also your RAM bus. And that IDE/SATA/Whatever
Hard Drive. And even that sneaky VGA cable. A microcontroller in the connector
could alter your display to cause you to click on dangerous things/delete
files/etc. I could give you a laptop power supply cable that will destroy
years' worth of your work, along with your laptop. There are lots of attack
vectors involving things you stick in your computer, but I really don't think
a bus protocol is the problem.

~~~
vonmoltke
The attack the article is describing can be used to infect USB devices that
are plugged in to a compromised machine. They do not require a malicious actor
to provide a compromised USB device. The attacks you describe involve
altering, physically, a peripheral in order to perform the compromise. That
has been possible as long as computer peripherals have existed.

~~~
adestefan
I think you're vastly underestimating the devices that have a modifiable
firmware on them that connect to busses other than USB.

However, the one thing that is unique to USB is the nature in which USB
storage devices are shared between multiple devices.

~~~
vonmoltke
> However, the one thing that is unique to USB is the nature in which USB
> storage devices are shared between multiple devices.

That was half of my point. I was not underestimating the vulnerability of SATA
and other on-board communications protocols. I was ignoring them because the
parts connected to these are generally not moved between machines. Yes, you
could infect these devices and hope they spread through the secondary market
to a desirable target, but the utility of such an attack is very limited.

------
leni536
Stating the problem:

1.) You want to trust your USB device. 2.) You want to use your USB device on
another non-trusted computers. 3.) Non-trusted computers can update your
device's firmware behind your back.

So how can you handle firmware upgrades on your USB without trusting
computers? One way to do this is to have an firmware update approval mechanism
directly on the device.

For keyboards the mechanism could be the following:

\- The computer initiates a firmware update. \- The keyboard leds start to
blink \- You have to enter your keyboard's UUID (which is on the bottom)

Now you only have to make sure that you don't lend your keyboard to someone
that you don't trust.

~~~
dublinben
Why does a keyboard even have/need a firmware update mechanism? USB devices
are disposable commodities. Their firmware should be permanently burned into
whatever minuscule ROM they need to function.

~~~
riskable
To answer your first question: There exists a great number of programmable
keyboards that are, frankly, awesome. I used to use a Fingerworks TouchStream
LP keyboard that let you program the hell out of it. It was great... I had
macros that would auto-type all sorts of handy things like my username, email
address, etc. You could also program mouse movements into the thing.

It supported ten finger gestures so basically the sky was the limit in terms
of what you could program it to do. It had only one flaw: There was no tactile
feedback so it was easy for your hands to get out-of-alignment resulting in
incorrect characters being typed pretty often. On the other hand it was much
faster to move the cursor around than a regular keyboard so correcting
mistakes was less of a hassle.

------
InfiniteRand
The main issue I think is having an active vs intert system as a data storage
mechanism. A usb drive must interact with the computer in order to transmit
data, a CD or DVD are ultimately inert disks which are read without any back
and forth alterations. There is a higher degree of security inherent in that I
believe.

Unfortunately, the popularity (and honestly the convenience) of USB flash
drives has made it hard to switch onto safer mechanisms.

~~~
adestefan
While true for commercially pressed optical media, this is not true for
writable media. Although in that case the fix is straightforward, only use a
read-only drive.

------
PythonicAlpha
I am missing one information here (maybe one hw-hacker can give the answer):

Is it possible (for some or many) USB-sticks or USB devices to reprogram the
firmware from an PC that it is connected to it?

The article plays a little with the threat, that I (I want to put it this
way:) lent my USB stick to a friend, he uses it, but clears it afterwards and
gives it back to me and the stick now contains an infected firmware (that I
can not find out by normal means). And also the friend knows nothing, since
his computer was infected before.

Of course, I know that it is possible to change a firmware by hw-means
(replacing the chip or reprogram it with special hw) but when the firmware of
some or all USB-devices would be alterable just by plugging them into a
computer, a new kind of virus would be possible spreading more silently and
dangerously as all of them before.

HW hacking the firmware of USB devices of course is possible, but would be
more in the field of industrial or real espionage. Reprogramming firmware "on-
the-run" would cause a new mass-threat for computers.

~~~
danelectro
The firmware on today's USB drives is flashable from Windows (usually XP)
using the manufacturer's proprietary utility for that particular flash memory
controller. Sandisk remains mysterious as their utility if it exists has not
been leaked.

This is likely because the firmware has not been perfected yet, so ugrades are
continuing. Plus completely different characteristics can be obtained to
arrive at multiple device brands or behaviors from the same hardware.
"Identical" flash drives from the same manufacturer containing the same exact
chips can often have different firmware revisions, and different resulting
performance.

On most units an additional CDROM device, or extra partitions (hidden,
private/secure or not) can be configured to be detected (or not) when plugged
in to any OS. The controller provisions the available flash memory among the
dictated devices and makes them available to you.

I've been adjusting the firmware for a couple years now as I do the continuous
improvement on my rapid multibootable sticks.

~~~
PythonicAlpha
Thanks. So, if anybody reverse engineers the proprietary utility, a virus
could be coined that spreads via USB devices and infects thousands of
computers and USB sticks and the like. Scary.

------
kstenerud
I'm not so sure that security should be built into peripheral connect
protocols like USB. We could just as easily treat a usb device like we do a
network device, and harden the drivers against attack.

~~~
peterwwillis
If you plug in a usb stick and it pretends to be a keyboard/mouse, it can do
anything it wants to your system [within the context of a keyboard and mouse]
as soon as it's plugged in. Hardened drivers do not prevent this. Granted,
this is less dangerous if a machine is locked, but you can leave it plugged in
and wait for someone to log on.

It does point out the most glaring flaw in the lack of a security model,
though: you should be able to approve or deny a _new_ peripheral connection
before the drivers are loaded or DMA is allowed.

~~~
duaneb
typing =/= full control of system.

~~~
PythonicAlpha
Since the typing is made with the full privileges of the current user and he
might be totally unaware of this, it is nearly as good -- the dongle has only
to wait until some administrator is on the computer. It gives all sorts of new
attack vectors at least.

~~~
duaneb
That's true, and people should be very wary of plugging in USBs. I, for one,
would like the option to sandbox usbs: when it gets plugged in, ask my goddamn
permission before granting it driver privileges. I'd probably be ok with a
keyboard one, but write-only. But that doesn't mean USB is an inherent
security risk, like something with DMA might be. One huge benefit of the
serial bus is that by serializing the operations, you don't have to grant it
access to bypass the cpu.

------
Kayou
First of all, I think the title has been chosen to click-bait the reader.
Second, maybe the real problem is that USB was never designed to be the main
way to physically share data, or not even to be used with external storage?
Please correct me if I'm wrong. Maybe people should start exchanging data on
media that are designed to store data, like a memory card, but maybe this
medium can also be compromised.

~~~
sophacles
I don't understand what you're saying. At the simplest level, there is no such
thing as a bus which doesn't exchange data... even my keyboard and mouse are
just sending data. At multiple levels there is software (therefore the
potential for security bugs) in this process. My keyboard has software to
convert a set of input pin readings into a form to put on the bus. It has a
bus communications chip that has software (firmware whatever) to talk to a
host. The other side has a similar set of software to send data from the bus
to memory or to input pins on a chip. The chip runs software to interpret
these signals into usefulness. There are lots of places for problems in there.

Further, USB was designed from the beginning to allow block devices to
transfer data. I don't quite get why this means it wasn't designed for data
sharing - moving around physical, removable disks was the standard for data
sharing for a long time when usb came out - back then most people couldn't
reliable send big stuff over the network. The plan was definitely for sharing
data.

Basically the security issues come from the shape of the problem rather than a
specific implementation of it. For example there's always someone doing "fun"
things with network cards - another example of a device with DMA access and a
microprocessor. If you can root the network card, you can get access to other
parts of the device.

So yeah - usb seems to be particularly easy to break, but it part of a
generally hard problem. It would be nice to see a standard that takes the
lessons of USB into account, and makes it much harder to break things.

~~~
Kayou
I meant to say "share files" instead of "share data". But you're right, as I
said, "Please correct me if I'm wrong". What I really wanted to say is that
USB has been designed with so many different usages in mind that if you plug
something in it, you should expect this "something" to be doing anything the
USB has been designed for. And if you only want to share files and be sure
it's not doing anything else, maybe you shouldn't be using USB. But at least
this "problem" with USB is not as bad as with firewire or thunderbolt external
storage.

------
terranstyler
I don't understand how code on a USB drive can be executed on a PC. I
seriously thought that USB was (as a protocol) a generic data interface.

However, if it is something else (like, e.g., something that executes code
from time to time), isn't it insecure by design?

And if so, why did nobody see it and was it malice or stupidity?

------
kretor
Protection against most attacks: The first time I connect a device, the OS
should show me what type it is (keyboard, mouse, etc.) and ask me if I want to
use it. Only at that time it gets activated.

~~~
mjg59
How do you uniquely identify a device?

~~~
rainforest
You could have the OS randomly generate a token and give it to the device and
require it to repeat it each time it's plugged in.

Devices without tokens or with unrecognised tokens would need user approval,
those with the correct one would be trusted. That still doesn't solve the
problem of deciding if a device should be trusted or not though.

~~~
deckiedan
OK - so if I plug it into my computer, I'll get the same unique information
that lets you identify it. Now I can plug my USB stick into your computer and
pretend to be that device.

------
knd775
Well, that certainly isn't good. As if companies needed another reason to be
obnoxiously paranoid about flash drives.

------
jbb555
Well..... duh.

if you are goign to plug unknown hardware into your machine what do you expect

