Repelling The BadUSB Exploit With Cryptography And Secure Boot
07/08/2014 Rüdiger Kügler
The Security Research Labs demonstrated how they could perpetrate an attack on USB devices by reprogramming the firmware with malicious code.
By now, many of you have heard about the "BadUSB" exploit, where two security researchers at Security Research Labs demonstrated how they could perpetrate an attack on USB devices. By reprogramming the USB device’s firmware with malicious code, attackers could gain control of a PC or any other USB-driven peripheral, such as a mouse, keyboard or even a smartphone. Once the infected USB device is connected to a computer, its firmware can be programmed to perform any number of malicious acts, from corrupting data to impersonating a USB keyboard that types in its own commands. And the attack code can remain hidden even after the contents of the device’s memory appear, to the average user, to have been deleted.
So what should we conclude about the vulnerabilities of USB sticks? Given the ubiquity of USB technology, consumers using USB memory sticks should be aware of the potential threat and be more cautious about the origin of a stick, and about who else may have used it, before connecting it to a device. But we should also be aware that not all USB sticks are alike. Some, such as our WibuKeys and CodeMeter sticks (CmStick), incorporate advanced security technology that makes attacks such as BadUSB impossible to perpetrate.
Let’s take a deeper look. Each USB stick consists of a controller chip and at least one memory module. The controller is responsible for the communication with the computer over the USB interface and manages the memory. In principle, the controller is a small computer that, upon being plugged in, boots its operating system (the firmware) from a hidden part of the flash memory and then presents the remaining flash memory to the computer as an available drive.
For economic reasons, the firmware on USB sticks is updateable, and therein lies the vulnerability. There are two ways to protect the firmware update: 1) a secure boot process, or 2) a simpler mechanism that relies only on obscurity, namely undocumented update commands. The latter approach is used by all classic USB sticks and is the main vulnerability exploited by the BadUSB threat.
The first step of a BadUSB attack is the manipulation of the firmware, which must first be reverse engineered. New custom firmware is then developed and loaded onto the stick in a manner that circumvents the obscurity-based protection.
Second, the modified USB stick presents itself to the computer as an HID (human interface device), such as a keyboard. Once the USB stick is connected, the computer recognizes the HID device and initializes it automatically, a standard procedure that would not draw suspicion from the user. Once initialized, the modified firmware goes into action and the programmed malware is unleashed.
Although the explanation of the exploit seems simple enough, the demonstration by Security Research Labs is extremely difficult to achieve. Reverse engineering controller firmware requires great technical skill and is extremely time-consuming. Plus, the attack is controller-specific: it requires extensive knowledge of the particular chip, and the reverse-engineering effort would need to be repeated for each new attack.
However, as we have grown to understand the hacking community, we don’t underestimate their persistence and leave nothing to chance in terms of the protection we build into our CmSticks. At Wibu-Systems, our own security experts have been developing and refining technologies to make software safe from malicious tampering since 1989.
Our family of CodeMeter CmSticks comes in many form factors. All are implemented on a separate chip that has its own memory and cryptographically secured firmware. Only firmware signed by Wibu-Systems can be downloaded into the controller, making a BadUSB attack impossible. Our most modern CmStick offers further protection: the chip firmware is encrypted and signed, and the root key is stored in non-alterable ROM. This key is written only once during manufacturing and cannot be subsequently updated in the field under any circumstances. This is our implementation of a secure boot process. Communication between the chips is also encrypted, making the stick immune to hardware-based attacks.
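The two update paths described above (an obscurity-based gate versus a signature check against a root key fixed at manufacturing) can be modelled in a few lines. The following Go program is an added illustration written for this article; it is not Wibu-Systems code and says nothing about how CodeMeter firmware is actually formatted. It assumes an Ed25519 vendor key pair whose public half stands in for the ROM root key, a firmware image that is simply a body plus a detached signature, and a constructed four-byte "magic" prefix standing in for a classic controller's undocumented update command. Encryption of the firmware body is left out, since it does not change the authentication argument.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// FirmwareImage is the update blob a host hands to the controller: the firmware
// body plus a detached signature over it (constructed format, not a real one).
type FirmwareImage struct {
	Payload   []byte
	Signature []byte
}

// Vendor stands in for the manufacturer's signing facility. Only the public half
// of the key pair ever leaves it; that half is burned into each device's ROM.
type Vendor struct {
	priv ed25519.PrivateKey
	pub  ed25519.PublicKey
}

func NewVendor() (*Vendor, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Vendor{priv: priv, pub: pub}, nil
}

func (v *Vendor) PublicKey() ed25519.PublicKey { return v.pub }

// SignFirmware produces a release image: body plus vendor signature over the body.
func (v *Vendor) SignFirmware(payload []byte) FirmwareImage {
	body := append([]byte(nil), payload...)
	return FirmwareImage{Payload: body, Signature: ed25519.Sign(v.priv, body)}
}

var ErrBadSignature = errors.New("secure boot: image not signed by the ROM root key")

// SecureDevice models a controller whose root public key sits in write-once ROM.
type SecureDevice struct {
	rootKey ed25519.PublicKey // fixed at manufacturing, never changed in the field
	running []byte            // firmware currently installed
}

func NewSecureDevice(rootKey ed25519.PublicKey) *SecureDevice {
	return &SecureDevice{rootKey: append(ed25519.PublicKey(nil), rootKey...)}
}

// Update is the secure-boot path: the image is installed only if its signature
// verifies under the ROM key. A failed check leaves the running image untouched.
func (d *SecureDevice) Update(img FirmwareImage) error {
	if !ed25519.Verify(d.rootKey, img.Payload, img.Signature) {
		return ErrBadSignature
	}
	d.running = append([]byte(nil), img.Payload...)
	return nil
}

func (d *SecureDevice) Running() []byte { return d.running }

// classicMagic is a constructed stand-in for the "undocumented command" gate of a
// classic controller: a fixed value, not a secret, that reverse engineering reveals.
var classicMagic = []byte{0xB0, 0x07, 0x0C, 0x0D}

// ClassicDevice models the obscurity-only update path: it checks nothing but the
// magic prefix, so it cannot tell vendor firmware from anyone else's.
type ClassicDevice struct{ running []byte }

func (d *ClassicDevice) Update(blob []byte) error {
	if !bytes.HasPrefix(blob, classicMagic) {
		return errors.New("classic: unknown update command")
	}
	d.running = append([]byte(nil), blob[len(classicMagic):]...)
	return nil
}

func (d *ClassicDevice) Running() []byte { return d.running }

func main() {
	vendor, err := NewVendor()
	if err != nil {
		panic(err)
	}
	dev := NewSecureDevice(vendor.PublicKey())
	genuine := vendor.SignFirmware([]byte("constructed sample: mass-storage firmware"))
	fmt.Println("genuine image: ", dev.Update(genuine))
	// Altering the body after signing breaks the signature, so the update is refused.
	tampered := genuine
	tampered.Payload = []byte("constructed sample: altered firmware")
	fmt.Println("tampered image:", dev.Update(tampered))
	// The classic path accepts the same altered body as long as the prefix matches.
	classic := &ClassicDevice{}
	fmt.Println("classic device:", classic.Update(append(append([]byte(nil), classicMagic...), tampered.Payload...)))
}
```

The point of the contrast is where the trust lives: the classic gate is a constant that any sufficiently patient reverse engineer recovers from the firmware itself, whereas the secure device accepts only images produced with a private key that never left the manufacturer. Nothing an attacker learns from the device, including the ROM public key, lets them forge an acceptable image, and a key pair they generate themselves is rejected exactly like a tampered body.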
In conclusion, if you are using any of our USB-powered devices, you can feel confident that you are protected from the BadUSB threat.
For a more detailed description of our cryptographic protection and secure boot process, please read our official statement "BadUSB Uncovered", or contact one of our security experts.