  • BadUsb

    Posted by Robertos42 on the AskWoody Lounge

    This topic contains 10 replies, has 7 voices, and was last updated by  mn– 1 month ago.

    • #1980889 Reply

      Robertos42
      AskWoody Plus

      I am trying to research how serious badusb really is.  I know the risky scenarios of the stick found in the carpark, or the giveaways at events, but what is the likelihood of an infected stick appearing at random?

      A scenario I heard of was 2 to 3 years ago: someone got a USB stick with wedding photos on it and placed it in an early Windows 10 machine, which proceeded to try and back up to it.  It was then tried in a better-specced Windows 7 laptop, which refused to load any files and seemed to die.  If there had been an infection, how would it have manifested itself?  The laptop has since been upgraded to Windows 10 Pro and had a couple of BIOS updates.  Would the BIOS update have ‘killed’ BadUSB?

      Thanks in advance for any information or comments

    • #1980965 Reply

      mn–
      AskWoody Lounger

      There’s all kinds of funny things that can be done with USB.

      First, the pure hardware attack – using standard power-transform techniques to feed back ever higher voltage pulses until the computer side dies. This’ll kill many motherboards. No “device recognition” necessary, prevention by building in hardware overvoltage protection. Can happen by honest accident, especially if connecting a device that also has a mains plug.

      Second, the “remote-controlled keyboard” thing – by default a new USB keyboard is allowed to input keystrokes, so, if you disable this you risk not having a keyboard.

      Third there’s System Management Mode, USB devices can often get there to do things like emulate PS/2 keyboards, and once there can do all kinds of nasty things all over – as in access to the system state, potentially including everything in memory, and CPU debugging features. NSA is known to have a library of brand-specific SMM exploits so at least some things may require specific targeting?

      Fourth, all kinds of devices that initiate an automatic driver search… and bad drivers can do all kinds of nasty stuff even by accident. (USB webcam driver that renders 64-bit Windows 7 Pro unbootable, seen one.)

      Fifth, on storage devices you can cause all kinds of “fun” with a malformed filesystem, or something that looks like it. (You know how NTFS volume ID is supposed to be unique, and…)

      Sixth, regular untrusted files. Don’t appear as “coming over the network” so don’t get the security label that Windows uses for those, the document macro malware on USB is a classic.

      USB devices can be read-only in hardware so cannot be permanently decontaminated, and can even fake temporarily accepting writes in some circumstances (reverts to original state when unplugged for a minute, say).

      Even old-fashioned boot sector malware has been seen on USB. Requires booting with USB device connected and prioritized before internal disk, rare on UEFI and made more difficult by Secure Boot.

      Then there’s very simple AutoRun executable malware on USB storage devices… about the simplest thing to block, but apparently still sometimes gets through.

    • #1981112 Reply

      OscarCP
      AskWoody Plus

      mn- That is quite a catalogue of nastiness-by-USB-memory-stick you’ve got there!

      USB memory sticks have been banned from government places, both civilian and military, for years now, the main concern being that they might be vehicles of malware, spyware, and so on. But I was not aware that all those other bad problems are also possible. Of course, something plugged into a computer is more like a part of the computer than something in an infected Web site connected via browser. But I am not sure what is the point of damaging computers, particularly by way of rogue memory sticks that, except in the case of the stick in the parking lot, require the attacker to get close and even in person to the intended attackee.

      Sure, one could do something like that to Woody’s sainted aunt, but why? Sheer vandalism? Most people, particularly those working in offices, must by now be aware that sticking non-company USB sticks, DVDs, and other data storage devices into company machines is forbidden, under penalty of firing? (And I would say that if that is not a policy that everyone there knows about, then the organization in question is asking for it.) Social engineering might be used to induce an employee to insert a supposedly “approved” stick, but it seems like a rather far-fetched way of messing with someone’s computer. Especially since there are so many (and to the intruder or system wrecker, safer) ways to get into someone else’s system from afar and do serious damage, safely, from there.

      Now, downloading faulty drivers? Well, yes, as when installing any faulty software (Windows patches anyone?) that is a worry.


      Windows 7 Professional, SP1, x64 Group B & macOS + Linux (Mint) => Win7 Group W(?) + Mac&Lx

    • #1981157 Reply

      GoneToPlaid
      AskWoody Plus

      I had our IT guy disable all front-case USB ports on all computers at the office (he internally unplugged them), except for a select few computers which are used by trusted long-term attorneys and long-term trusted staff. All other office staff have no clue. The threat is not simply infections getting in; data going out on unauthorized USB sticks or USB drives via untrustworthy employees is also a serious issue. Other detection measures for unauthorized actions are also in place.

    • #1981204 Reply

      wavy
      AskWoody Plus

      Isn’t that how Stuxnet was implemented?🤯 😬

      🍻

      Just because you don't know where you are going doesn't mean any road will get you there.
    • #1981230 Reply

      Alex5723
      AskWoody Plus

      But I am not sure what is the point of damaging computers, particularly by way of rogue memory sticks

      The Stuxnet virus that hit Iranian nuclear SCADA systems was transmitted via a rogue USB stick.

      • #1981347 Reply

        OscarCP
        AskWoody Plus

        Alex5723: I don’t think that we are talking about the same thing, because I am referring to actual physical damage to computer hardware (and not to hardware that is computer-controlled, as with something like Stuxnet) via USB stick, as in several of the ways of doing that listed by mn-.  What is the point of doing this, what is to be gained by the attackers? Particularly when some of these ways mean the perpetrator has to get rather close to the intended victim to make sure this one gets the evil USB drive in the first place. Now, planting malware via USB stick, that is a software attack to infect with ransomware, spyware or worms to create a botnet, doing any of which might make it worthwhile to a black hat person or organization to take some risks, and something many, including myself, already know about and (supposedly) also know how to guard against to avoid, or at least minimize, its effects.

        Windows 7 Professional, SP1, x64 Group B & macOS + Linux (Mint) => Win7 Group W(?) + Mac&Lx

        • #1981370 Reply

          mn–
          AskWoody Lounger

          referring to actual physical damage to computer hardware

          Well really there was just the one method, which is particularly important in that it can happen by accident if a connected device is damaged in certain ways.

          Of course if the overvoltage pulse is on purpose, it can be timed or remote-controlled too. And that’s one of the things that can be built into any USB device – keyboard, mouse, extension cable… sneak that into the server that controls office doors and fails open for fire safety?

    • #1981249 Reply

      access-mdb
      AskWoody MVP

      My organisation had software that encrypted any USB stick that was put in the PC. IIRC you had to take said stick to support to get the password (or whatever) to be able to use the stick again. I think you also had questions to answer. I thought the software was called Ironman but Googling didn’t seem to get any hits. It was 7 years ago I retired!

    • #1981344 Reply

      mn–
      AskWoody Lounger

      Oh and for many of these the USB device doesn’t have to appear to be a storage device at all, or report a storage function to the controller.

      There are examples of such tools being built into phone charging cables and such.

      My organisation had software that encrypted any USB stick that was put in the PC. IIRC you had to take said stick to support to get it the password (or whatever) to be able to use the stick again.

      Encrypting the stick requires having it presented as writable storage at a minimum, and then actually saving the changes. I have one USB device here that has a slot for a microsd card, and then presents the contents of it as a CDROM – read-only mode. And that’s not even the primary function of the device in question.

      Yeah, there’s really no way to be absolutely sure with USB.

      For a “USB vetting” box I’d want to get one where USB keyboard/mouse support at least can be turned off, then optocouplers with overvoltage / pulse warning lights and…

      • #1981379 Reply

        mn–
        AskWoody Lounger

        For a “USB vetting” box I’d want to get one where USB keyboard/mouse support at least can be turned off, then optocouplers with overvoltage / pulse warning lights and…

        … hm, if I was actually building that now, I might start with a Raptor Blackbird base. https://www.raptorcs.com/content/base/faq.html says they have fully open firmware and that thing certainly won’t run any Windows-only code, or any binaries made for amd64, x86, ia64 or arm, certainly not SMM code…
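    As an added illustration of two points mn- makes in this thread (a device that shows up as a keyboard is allowed to type by default, and a malicious device need not present itself as storage at all, e.g. a charging cable), here is a small triage check written for this page, not code from any poster or from any product. It parses device records in a constructed one-line-per-device format (a hypothetical format, not real tool output; the vendor/product IDs are made up) and flags the patterns a defender would want an operator to confirm before the device is allowed: a storage device that also presents a keyboard interface, and any keyboard whose VID:PID is not on an allow-list. The interface class/subclass/protocol values are the standard USB ones (HID = 0x03, mass storage = 0x08, HID boot protocol 0x01 = keyboard).

```python
import re
from dataclasses import dataclass

# Standard USB interface class codes and the HID boot-protocol value for keyboards.
CLASS_HID = 0x03
CLASS_MASS_STORAGE = 0x08
HID_PROTO_KEYBOARD = 0x01


@dataclass(frozen=True)
class Interface:
    cls: int
    subclass: int
    protocol: int


@dataclass(frozen=True)
class Device:
    vid: int
    pid: int
    name: str
    interfaces: tuple  # tuple of Interface


# Constructed sample records in a hypothetical format (not real lsusb/Windows output).
# Each interface is written as class/subclass/protocol in hex.
SAMPLE_LOG = """\
vid=f00d pid=0001 name="plain flash drive" ifaces=08/06/50
vid=cafe pid=0001 name="known office keyboard" ifaces=03/01/01,03/00/00
vid=dead pid=beef name="wedding photos stick" ifaces=08/06/50,03/01/01
vid=dead pid=0002 name="charging cable" ifaces=03/01/01
"""

# Constructed allow-list of keyboards the site has approved (VID, PID).
KNOWN_KEYBOARDS = {(0xcafe, 0x0001)}

LINE_RE = re.compile(r'vid=([0-9a-f]{4}) pid=([0-9a-f]{4}) name="([^"]*)" ifaces=(\S+)')


def parse_devices(text):
    """Parse the constructed record format; malformed lines are skipped, never guessed."""
    devices = []
    for line in text.splitlines():
        m = LINE_RE.fullmatch(line.strip())
        if not m:
            continue
        vid, pid, name, ifaces = m.groups()
        interfaces = tuple(
            Interface(*(int(part, 16) for part in spec.split("/")))
            for spec in ifaces.split(",")
        )
        devices.append(Device(int(vid, 16), int(pid, 16), name, interfaces))
    return devices


def assess(device, known_keyboards=KNOWN_KEYBOARDS):
    """Return the list of reasons this device should be held for operator confirmation."""
    findings = []
    classes = {i.cls for i in device.interfaces}
    presents_keyboard = any(
        i.cls == CLASS_HID and i.protocol == HID_PROTO_KEYBOARD for i in device.interfaces
    )
    # A "storage" stick that can also type is the classic BadUSB shape.
    if presents_keyboard and CLASS_MASS_STORAGE in classes:
        findings.append("storage+keyboard composite")
    # Any keyboard not already approved gets held, whatever it looks like physically.
    if presents_keyboard and (device.vid, device.pid) not in known_keyboards:
        findings.append("unknown keyboard")
    return findings


def triage(text, known_keyboards=KNOWN_KEYBOARDS):
    """Map each device name in the log to its findings (empty list = nothing to hold on)."""
    return {d.name: assess(d, known_keyboards) for d in parse_devices(text)}


if __name__ == "__main__":
    for name, findings in triage(SAMPLE_LOG).items():
        print(f"{name}: {'OK' if not findings else ', '.join(findings)}")
```

    The allow-list is the policy that matters here: a device is judged by the interfaces it presents, not by what its casing says it is, which is why the constructed "charging cable" is held just like the stick. A real deployment would feed this from the host's enumeration data (USBGuard on Linux, or the device-install events on Windows) rather than from a text file.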
