Berlin-based research duo Karsten Nohl and Jakob Lell have created BadUSB, an exploit that lets hackers easily attack USB devices by taking control of the device firmware with malicious software.
Ken Jones, VP of Engineering and Product Management for IronKey, noted that “attacks using USB flash drives are nothing new. Stuxnet is an example of a USB-delivered virus which targeted a nuclear power plant in Iran.
“What has changed with BadUSB is the level of sophistication. It modifies the controller firmware on the device hardware, not the data stored on the device. The infected device can then pass on that infection whether or not there is any data stored on the USB. Preventing BadUSB from infecting a device requires that the controller firmware is locked down and not changeable by an unauthorized agent.
“In order to block BadUSB, USB storage devices need to prevent a hacker from reading or changing the firmware. They also need to ensure that the firmware is digitally signed so even if it did get modified, the devices would not operate with the modified firmware. FIPS 140-2 Level 3 certification is validation of these benchmark mechanisms.
“IronKey has always been on the front lines of providing secure USB drives, and its devices have digitally signed firmware with verification on startup. IronKey’s approach, which has been validated by NIST in IronKey FIPS 140-2 Level 3 devices (http://csrc.nist.gov/groups/STM/cmvp/standards.html), means that if the firmware is tampered with, the device won’t function.”
Trey Ford, Global Security Strategist at Rapid7, added, “I’m interested in seeing what Karsten and Jakob have come up with. ‘Do not trust USBs’ isn’t exactly news; USBs have been used in a variety of attacks ranging from masquerading as CD ROMs (launching files via OS auto run permissions) to posing as keyboards, as well as being used to infect machines across air-gaps. It’s good to be reminded that you need to be suspicious of anything you’re plugging into your computer.
“I hope this work introduces clear guidance on how to handle unknown or malicious USBs. I don’t think I’ve seen any really good guidance beyond ‘do not plug in unknown USB drives’.”
The opinions expressed in this article belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.