The BadUSB exploit is an idea and working proof of concept which takes advantage of the fact that some USB devices have firmware, and on some of those devices the firmware can be updated.
BadUSB has exploded into the press in the last few days with articles like Wired's "The Unpatchable Malware That Infects USBs Is Now on the Loose", CNBC's "Why USB malware just became a big problem", and The Verge's "This published hack could be the beginning of the end for USB".
This first wave of articles has a few problems, as you might guess. As a former Development Manager of the USB team at Microsoft and the founder of a USB device maker (Plugable Technologies), I hope to fill in a few more of the pieces.
First off, this is a real family of security issues. Anywhere there’s running code, there’s opportunity for exploit. In the Internet of Things era, there is code running nearly everywhere. As electronics shrink, things we think of as “devices” are really computers. To deal with an evolving world, we often want these little devices to be software fixable and upgradable. This creates risks that need to be actively mitigated.
To hack a computer with a USB device, at least 2 things have to be true:
1. The USB device being infected needs to have firmware, that firmware needs to be software upgradable, and that upgrade mechanism needs to be insecure. That is true of some USB devices but not others.
2. If a USB device is vulnerable, the virus has to be designed for particular USB controller(s) in that device. The method of flashing firmware on the device and the instruction set is controller specific. The BadUSB code out now is specific to one USB flash controller (Phison) and won’t affect other USB devices. It is not a universal attack.
Whether #1 and #2 are true depends on the particular device. Take our Plugable USB product line as an example: none are exploitable with the BadUSB code as it stands right now because we don’t use the Phison controller. However, some would be vulnerable if specific attacks were targeted at the specific controllers in the devices.
For example, the Terminus Technology chipset used in all of our Plugable-brand USB 2.0 hubs is a fixed-function hardware ASIC without executable or updatable firmware. These USB devices are not vulnerable to BadUSB-style attacks of any kind.
On the other side, our USB 3.0 SATA drive docks use the ASMedia 1051E and 1053E chipsets, which have an 8-bit microcontroller. It is firmware upgradable. So while the recently released BadUSB code will not infect these docks, in theory they could be targeted in the future with a similar effort to that which went into BadUSB.
An interesting 3rd example is our Plugable USB 3.0 Tablet / Laptop Docking Stations and Graphics Adapters. These use DisplayLink DL-3x00 and DL-5x00 chipsets. They make use of firmware. That firmware is software upgradable. However, DisplayLink has implemented on-chip authentication, encryption, and firmware validation which makes it quite difficult for any 3rd party to successfully update firmware. To date, no 3rd party has successfully been able to crack this and talk to the DisplayLink chip. That is one of the reasons why these products work only with Windows and Mac where DisplayLink provides drivers themselves. No software-based security is invulnerable. But it can be a strong mitigation.
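The difference between an insecure upgrade mechanism (condition 1 above) and one that validates firmware before flashing can be shown with a toy model. This is an added example, not DisplayLink's or any vendor's actual scheme: the image layout, the `Controller` class and the key are hypothetical, and HMAC-SHA256 stands in for whatever authentication a real chip implements.

```python
import hashlib
import hmac
from typing import Optional

MAGIC = b"FWIM"   # hypothetical image magic, not a real vendor format
TAG_LEN = 32      # HMAC-SHA256 tag appended after header and payload


def build_image(payload: bytes, key: bytes) -> bytes:
    """Vendor side: magic + 4-byte length + payload, followed by the tag."""
    body = MAGIC + len(payload).to_bytes(4, "big") + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


class Controller:
    """Toy model of a USB controller with one flashable firmware slot."""

    def __init__(self, firmware: bytes, key: Optional[bytes] = None):
        self.firmware = firmware
        self.key = key  # None models an updater that performs no authentication

    def update(self, image: bytes) -> bool:
        """Return True if the image was flashed, False if it was rejected."""
        if len(image) < 8 + TAG_LEN or image[:4] != MAGIC:
            return False
        body, tag = image[:-TAG_LEN], image[-TAG_LEN:]
        if int.from_bytes(body[4:8], "big") != len(body) - 8:
            return False
        if self.key is not None:
            expected = hmac.new(self.key, body, hashlib.sha256).digest()
            if not hmac.compare_digest(tag, expected):
                return False  # verify before write: the slot is left untouched
        self.firmware = body[8:]
        return True


def demo() -> dict:
    vendor_key = b"constructed-demo-key"            # constructed sample value
    genuine = build_image(b"storage fw 1.1", vendor_key)
    altered = build_image(b"altered image", b"not-the-vendor-key")
    open_dev = Controller(b"storage fw 1.0")        # no update authentication
    auth_dev = Controller(b"storage fw 1.0", vendor_key)
    return {
        "open_accepts_altered": open_dev.update(altered),
        "auth_accepts_altered": auth_dev.update(altered),
        "auth_firmware_after_reject": auth_dev.firmware,
        "auth_accepts_genuine": auth_dev.update(genuine),
        "auth_firmware_final": auth_dev.firmware,
    }
```

A shared HMAC key is the simplest stand-in for this sketch; a design where the chip holds only a public verification key avoids storing a signing secret on every device.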
You can find out which USB controllers are used in our products on the product pages at Plugable and on Newegg or Amazon listings, etc. We do that because chipset is the best way to dig into compatibility details, but it’s also the best way to research what security features the chips have. We’ll be working to expand on our security information and features over time.
Hopefully some of this detail helps create a fuller picture of what BadUSB is and isn’t. You can also get a lot of great detail from Brandon Wilson and Adam Caudill’s video of how BadUSB was created. If you have any questions, we’re happy to share what we know; just comment below.
Founder, Plugable Technologies