Menu
Tools for creating malicious USB thumb drives released by security researchers

Tools for creating malicious USB thumb drives released by security researchers

The tools can be used to modify the firmware on USB flash drives in order to infect computers with malware

In a gambit aimed at driving manufacturers to beef up protections for USB flash drive firmware, two security researchers have released a collection of tools that can be used to turn those drives into silent malware installers.

The code release by researchers Adam Caudill and Brandon Wilson comes two months after researchers from Berlin-based Security Research Labs (SRLabs) demonstrated an attack dubbed BadUSB at the Black Hat security conference in Las Vegas.

The BadUSB attack showed how a USB thumb drive connected to a computer can automatically switch its profile to a keyboard -- and send keystrokes to download and install malware -- or emulate the profile of a network controller to hijack DNS settings.

The attack requires modifying the firmware on the USB controller, which can easily be done from inside the OS, the SRLabs researchers said at the time. However, they didn't release any tools or details on how to do it, because the vulnerability doesn't have an easy fix, they said.

This prompted Caudill and Wilson to replicate the attack in order to better understand how it works and the security risks it poses to computer users. They presented their findings last Friday at the Derbycon security conference in Louisville, Kentucky, but unlike the SRLabs researchers they actually released the tools they used, complete with firmware patches, payloads and documentation.

During their Derbycon demonstration, which is available on YouTube, the two researchers replicated the emulated keyboard attack, but also showed how to create a hidden partition on thumb drives to defeat forensic tools and how to bypass the password for protected partitions on some USB drives that provide such a feature.

The published tools were designed to work with thumb drives that use a USB controller called Phison 2251-03. However, they can easily be adapted to work for other controllers designed by Phison Electronics, a Taiwanese electronics company, the researchers said during their presentation. Phison controllers are found in a very large number of USB thumb drives available on the market.

"We really hope that releasing this will push device manufactures to insist on signed firmware updates, and that Phison will add support for signed updates to all of the controllers it sells," Caudill said in a blog post. "Phison isn't the only player here, though they are the most common -- I'd love to see them take the lead in improving security for these devices."

Unfortunately, there really aren't any good options to defend against such attacks, Wilson said during the presentation. "You're dealing with a tiny little computer that has complete control over what happens over USB, so it can lie to you, it can do whatever."

One way to prevent attacks would be for manufacturers to require signed firmware updates for USB controllers or to disable the ability to change the firmware once a device leaves the factory. Some vendors might already do this, but many don't. And even if more manufacturers start doing this, the millions of existing insecure USB thumb drives will linger on for years and users will have a hard time telling them apart.


Follow Us

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags malwarephysical securityExploits / vulnerabilitiesDesktop securitySecurity Research LabsPhison Electronics

Featured

Slideshows

The making of an MSSP: a blueprint for growth in NZ

The making of an MSSP: a blueprint for growth in NZ

Partners are actively building out security practices and services to match, yet remain challenged by a lack of guidance in the market. This exclusive Reseller News Roundtable - in association with Sophos - assessed the making of an MSSP, outlining the blueprint for growth and how partners can differentiate in New Zealand.

The making of an MSSP: a blueprint for growth in NZ
Reseller News Platinum Club celebrates leading partners in 2018

Reseller News Platinum Club celebrates leading partners in 2018

The leading players of the New Zealand channel came together to celebrate a year of achievement at the inaugural Reseller News Platinum Club lunch in Auckland. Following the Reseller News Innovation Awards, Platinum Club provides a platform to showcase the top performing partners and start-ups of the past 12 months, with more than ​​50 organisations in the spotlight.​​​

Reseller News Platinum Club celebrates leading partners in 2018
Meet the top performing HP partners in NZ

Meet the top performing HP partners in NZ

HP has honoured its leading partners in New Zealand during 2018, following 12 months of growth through the local channel. Unveiled during the fourth running of the ceremony in Auckland, the awards recognise and celebrate excellence, growth, consistency and engagement of standout Kiwi partners.

Meet the top performing HP partners in NZ
Show Comments