The threat from USB sticks used to be limited to autorun
virus’s that would be triggered when you put the stick into a vulnerable machine;
many security professionals have used this as an infection technique as it
needed little to no interaction. The
autorun infection methods were quickly stopped and modern antivirus can protect
against the malware but the new and emerging threat is potentially much worse
and a bigger long term threat.
At Blackhat 2014 two
security researchers will be presenting a talk on BadUSB “On Accessories that
Turn Evil”, Jakob Lell & Karsten Nohl will present research that will
define a new form of malware that can reside on a stick hidden from antivirus
scanners and is capable of compromising systems as well as replicating the
problem to other USB devices.
The new threat to be outlined lies in the USB device themselves;
due to the way the memory works USB sticks have a controller chip that allows
them to function even when the memory becomes corrupt or unusable, their stated
capacity isn’t the full picture, your 4Gb USB stick may actually contain 8Gb or
more actual storage managed by these controller chips. The chips themselves can be compromised and
subverted and this is where the new threat resides, the controller chips
themselves have been compromised and in some cases can be rewritten to deliver
malware and further spread infection.
They can become self-replicating and can deliver or harbour key loggers,
can steal data or further infect USB devices.
The nature of the USB controllers don’t allow anti-virus software to be
able to test or check for this emerging threat; a key logger or data stealer
could remain dormant and kick into life stealing data and keystrokes without
anyone being aware.
We cannot continue using USB sticks and devices across
multiple machines without first giving thought to the threat and the risk, has
the stick been compromised? Where has it
been and who used it? We will need to
start protecting the sticks and USB peripherals with more reverence, no longer
accepting them from strangers and more importantly will need to identify new
ways of secure disposal of old USB devices.
The size and convenience of them has until now made them almost
indispensable for storing and sharing information, disposing of them needs to
be a consideration. How many companies
have already suffered data loss from removable media? Even when using caution we cannot guarantee
data is deleted from USB sticks and they need to be considered with much more
concern as the data they once held may be retrievable using simple tools and
techniques.
As end users we need to protect our own USB sticks and
devices, give thought to the ‘what if’ scenario and not be so willing and keen
to share them to all and sundry. USB
data-less cables are a thing and a good investment if you need to charge your
phones as many smartphone owners do. Do
you want your smartphone and its stored data (photo’s, emails, contacts) stolen
or damaged by the machines you plug into?
In the meantime you can buy data-disabled USB cables to
charge your smartphone without sharing data (intentionally or otherwise) as
well as “USB
condoms” which create a similar data gap in cables.
How long will it be before office shredders have a slot for
USB sticks? How do you dispose of your USB sticks when they become too small,
too slow or broken? What data breaches
are around the corner from BadUSB?
I would recommend old USB sticks are smashed with a hammer
(outside whilst wearing safety glasses) to ensure data cannot be retrieved;
Invest in a data only cable for charging your smartphone in less trustworthy
environments and be aware of the risk when the smiling stranger offers you
their USB stick next time.
Jamie Duxbury, Senior Security Specialist
No comments:
Post a Comment