Reference: CERT-EU Security Advisory 2014-138 - New: BadUSB


Short Summary
-------------
BadUSB is a dangerous USB security flaw that allows attackers to turn a
simple USB device into a keyboard, which can then be used to type
malicious commands into the victim's computer. Potentially, although no
working exploit currently covers this, a BadUSB device could also
inject malware into files as they are copied from a USB device to a
computer and back [2].


Impact
------
Once reprogrammed, benign devices can turn malicious in many ways,
including [1]:

* A device can emulate a keyboard and issue commands on behalf of the
logged-in user, for example to exfiltrate files or install malware. Such
malware, in turn, can infect the controller chips of other USB devices
connected to the computer.
* The device can also spoof a network card and change the computer's DNS
setting to redirect traffic.
* A modified thumb drive or external hard disk can - when it detects
that the computer is starting up - boot a small virus, which infects the
computer's operating system prior to boot.


Technical Description
---------------------
BadUSB revolves around the fact that many different devices plug into
the same USB connectors. By hacking the code of the USB micro-controller
of an "innocent" device, like a USB memory stick, you can turn it into
something far more capable, such as a keyboard or a network card. Insert
the device into a computer and it could execute commands or even a
malicious program without the owner knowing. This is made worse by the
fact that malware scanners cannot access the firmware running on USB
devices, meaning they cannot fix the problem [2].

The exploit code that demonstrates this problem has been posted on
GitHub [3].


Solutions
---------
There is essentially no short-term solution to this problem except for
not plugging in unknown USB devices.
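As an added example that is not part of the advisory or of the SRLabs or Psychson code, the following host-side triage check looks for the pattern the Impact section describes: a device that enumerates as mass storage while also presenting a keyboard (HID) or a network (CDC) interface. It parses the record layout of the Linux `usb-devices` tool; the sample records, vendor/product IDs and product names are constructed for this example, and an allowlist parameter is assumed so that known composite devices can be excluded.

```python
import re

# USB interface class codes from the USB-IF class code table.
STORAGE, HID, CDC_CTRL, CDC_DATA = 0x08, 0x03, 0x02, 0x0A
SUSPECT = {HID: "HID/keyboard", CDC_CTRL: "CDC network", CDC_DATA: "CDC data"}

# Constructed sample in the record layout of the Linux `usb-devices` tool.
# Vendor/product IDs and names are made up for this example.
SAMPLE = """\
T:  Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#=  3 Spd=480 MxCh= 0
P:  Vendor=1234 ProdID=0001 Rev=01.00
S:  Product=Plain Thumb Drive
I:  If#= 0 Alt= 0 #EPs= 2 Cls=08(stor.) Sub=06 Prot=50 Driver=usb-storage
T:  Bus=01 Lev=01 Prnt=01 Port=01 Cnt=02 Dev#=  4 Spd=480 MxCh= 0
P:  Vendor=1234 ProdID=0002 Rev=01.00
S:  Product=Thumb Drive
I:  If#= 0 Alt= 0 #EPs= 2 Cls=08(stor.) Sub=06 Prot=50 Driver=usb-storage
I:  If#= 1 Alt= 0 #EPs= 1 Cls=03(HID  ) Sub=01 Prot=01 Driver=usbhid
"""

def parse_usb_devices(text):
    """Split `usb-devices` output into one dict per attached device."""
    devices, cur = [], None
    for line in text.splitlines():
        if line.startswith("T:"):            # a T: line opens a new record
            cur = {"id": None, "product": "", "classes": set()}
            devices.append(cur)
        elif cur is None:
            continue
        elif line.startswith("P:"):
            m = re.search(r"Vendor=(\w{4}) ProdID=(\w{4})", line)
            cur["id"] = f"{m.group(1)}:{m.group(2)}".lower()
        elif line.startswith("S:") and "Product=" in line:
            cur["product"] = line.split("Product=", 1)[1].strip()
        elif line.startswith("I:"):          # one line per interface
            m = re.search(r"Cls=([0-9a-fA-F]{2})", line)
            cur["classes"].add(int(m.group(1), 16))
    return devices

def find_class_mixing(text, allowlist=frozenset()):
    """Flag storage devices that also expose an input or network interface."""
    findings = []
    for dev in parse_usb_devices(text):
        if dev["id"] in allowlist or STORAGE not in dev["classes"]:
            continue
        extra = [name for cls, name in SUSPECT.items() if cls in dev["classes"]]
        if extra:
            findings.append((dev["id"], dev["product"], "storage + " + ", ".join(extra)))
    return findings
```

Legitimate composite devices (for example storage with a vendor HID channel) do exist, so a hit is a trigger for review and allowlisting rather than proof of a reprogrammed controller.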


Vulnerable Systems
------------------
Any USB host device (computers, routers, printers, etc.) is potentially
vulnerable.


References
----------
[1] SRLabs:
https://srlabs.de/badusb/

[2] Mashable:
http://mashable.com/2014/10/03/bad-usb/

[3] GitHub:
https://github.com/adamcaudill/Psychson


CERT-EU (http://cert.europa.eu)
Phone: +32.2.2990005 / e-mail: cert-eu@ec.europa.eu
PGP KeyID 0x46AC4383
FP: 9011 6BE9 D642 DD93 8348 DAFA 27A4 06CA 46AC 4383