Computer Ebola

Ebola virus brings fear to us all, lay or professional. Although far less readily transmitted than SARS, ‘bird flu’ and other recent candidates for the Next Big Epidemic, it remains deadly to the majority who become infected, and there is still no sign of effective immunisation.

The chances of it changing the Western world seem very small, and hopefully the recent outbreak in Africa will continue to fade away.

Our world is more likely to be transformed, at least in the medium term, as a result of work reported by Karsten Nohl and Jakob Lell to the Black Hat Security Conference in Las Vegas back in August 2014. Since then, anything that you have connected to a USB port could have compromised, damaged, or subverted the Mac or device to which it was connected. Fatality is pretty well guaranteed, and not only is there no protection, but nothing can even detect such malware: welcome to BadUSB.

Although you might think that simple USB devices like memory sticks are just a wodge of flash memory, in reality every such device requires its own microcontroller: in practice, a programmable microprocessor. Nohl and Lell have shown some of the nasty things that these processors can do when reprogrammed maliciously, including emulating a keyboard and taking control of the computer to which it is connected, spoofing as a network card and redirecting Internet traffic, and installing malware which runs prior to normal boot processes.

BadUSB can readily be cross-platform, wreaking havoc on whatever device you connect it to. It is undetectable by anti-virus software, operating system security, and everything else. Because USB standards 1.x to 3.0 place complete trust in USB devices, and USB firewalls do not exist, the only way that you can protect against BadUSB devices is not to connect them.

In computer security terms, it is pretty well the ultimate nightmare scenario.

Even if you are not a profligate exchanger of memory sticks and other USB peripherals, there are ample cunning means of attack. Industrial spies have been known to drop a few carefully doctored memory sticks in corporate car parks, as most will get picked up, taken inside secure areas, and connected to a computer.

Already USB memory sticks have been used to sneak the Stuxnet worm into Iran’s isolated nuclear facility, and we should not be surprised if they have penetrated other secure sites. Imagine the yield from one or two production batches of re-programmed memory sticks.

For the time being, there is only one solution to BadUSB apart from glueing up your USB ports: never connect anything to them that you are not absolutely certain is friendly.

How you can be so certain that a device is not malicious is another thorny issue, as software that interrogates a USB device has to take on trust whatever the device says. Even if those who develop anti-virus software were to extend it to try and check what sits on the USB ports, they have no way of telling truth from lies, of distinguishing the genuine from the malicious. There is no means of authenticating USB devices, no secure signature system, no firmware checksums – nor is there any provision in existing or planned USB standards for such security measures.

Karsten Nohl has been testing memory sticks, keyboards, and other peripherals, and has a helpful website listing vulnerable USB devices including hubs, SD card adaptors, SATA adaptors, input devices, webcams, and of course USB storage. However as you will see there, even he cannot always tell whether a product is safe or flawed.

So Ebola quite rightly brings fear, and hopefully with that fear comes the respect that will stop it from breaking out from its African base, and killing thousands more. Simple hygiene and barrier techniques should drive the number of cases down until it retreats into its previous obscurity.

BadUSB, on the other hand, is going to force a fundamental rethink of how computers and mobile devices can trust connected peripherals. Watch for changes in USB and other standards, or the first exploit will drive the memory stick and peripherals industries into rapid decline.

Updated from the original, which was first published in MacUser volume 30 issue 11, 2014.