Bad, bad Lero…err, USB…baddest USB in the whole town

USB. We all use it. It is ubiquitous these days. Our phones use it for power and to transfer data to and from the phone to a computer. Our keyboards, mice, mobile devices, external hard disks, cameras, you name it, it probably has a USB port.  Even some of our power outlets in the wall have them.  So, why am I saying something you already know? Well, two gentlemen at SRS Labs have ‘discovered’ something that many of us probably knew, but just didn’t want to admit.

usb-drive-2What’s that, you say?

Well, unless the USB device is a simple power adapter, it contains a tiny little computer.  Yep, the two dollar USB Thumb drive is, in fact, a full fledged little computer. It has a CPU, internal memory, firmware (the OS or software that makes it all work, including the complicated USB protocol itself) and, of course, the gigs of memory that you bought it for. So, what does this mean? 

Well, for the vast majority of things, it means little.  However, there is a significant portion of USB devices-mainly the aforementioned two dollar thumb drive-that contain EEPROM instead ROM.

EEPROM is erasable programmable read only memory. It is a type of ROM that can, with the right combination of hardware and software, have its memory replaced-something standard ROM cannot do.  ROM, or READ ONLY MEMORY, is a write once memory. That is, once you have ‘burned’ or uploaded whatever you want to put in it, it cannot be changed. So, you better get it right the first time.  Which is why, I’m guessing, that some of the lower cost drives use EEPROM instead of ROM.  Perhaps the same chips are used in two or three memory sizes. It is easier to re-burn an EEPROM with different parameters than to purchase unused ROMS, go through the hassle of burning them, etc.   EEPROMS are just convenient.

So, what, exactly does this mean? So what if they used EEPROM, what does that have to do with me?

Simple: YOUR USB device COULD be hacked and its firmware changed to accomplish something more nefarious than just saving your Leonard Nimoy musical collection. 

For example, say that two dollar thumb drive was intercepted at some point before it got to the store. It’s firmware changed so that when you plug it in, it makes a copy of itself on your computer. It plants something in your operating system that allows it to copy itself back to other USB drives. Oh, it also could record your keystrokes. Or, perhaps, it could encrypt your data. Bottom line is that you don’t know what it could do.

One concern is that the device, if compromised, could actually overwrite your computer’s operating system.  Now, the chances of this happening are astronomical. I chuckled when I heard it, but…it is not out of the realm of possibilities.  So, maybe unplug the thumb drive before you shut the computer down, if you do that.

Now, before you go throw them all away, consider this:  there’s been no known exploits.  Most USB devices likely use real ROM-certainly the firmware in that Seagate you bought is in ROM. The chances of your computer actually being able to re-program other USB devices is likely slim. These embedded computers are limited in what they can do.

I, personally, am not too concerned about this, but I will think twice about grabbing that freebie drive or getting them at the Dollar General or Five Below. (Note: those are two fine stores, but some of the merchandise may not be as fine. They cannot control distribution from end to end. Just saying)

The two researchers are presenting their findings at the Black Hat conference this week. I will follow up this post with any additional information they present.

Steven Nichols has a typical story that came out this past week regarding BadUSB. Have a gander here.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s