BadUSB implications

At BlackHat 2014, a new attack on USB peripherals was presented. The attack has been dubbed BadUSB and relies on the specified behavior of USB - thus it will be very hard to do something about. The attack is fundamentally quite similar to boot sector attacks in that it infects a part of the USB device that is not easy to scan. The place that actually gets infected in BadUSB is the firmware in the controller of the peripheral. This gives it significant powers while also making it extremely hard to diagnose. Since dumping the firmware would involve trusting the firmware to dump itself honestly, even a simple virus would be able to hide its presence completely. The only way to actually detect this kind of infection is to use expensive techniques to extract the firmware directly from the components.

I wanted to talk through some of the implications of this attack, since a lot has been said about it lately. My assumption is that the exploit does not work on the USB host controller inside a computer - it is restricted to peripherals.

So what can you do with this attack and how can you mitigate?

You can usually get someone to execute arbitrary code if the peripheral is a USB stick that stores something, and an executable (or a document with macros) is stored on it. In this case the firmware simply rewrites the code on the fly while the data is being read from the stick. The mitigation for this attack is to use and check cryptographically strong signatures for everything before executing or using it. (You obviously have to copy the data over to your own machine first, and check and use that copy.) If the checking is only done using a hash (like MD5 or SHA-256), this is not sufficient unless you transport the hash over a completely different transport medium. If you just put the hash in a file next to the executable, the virus could simply modify the hash as well.
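To make the hash-next-to-the-file problem concrete, here is an added example (not from the original post) that models a stick whose controller rewrites both the file and its sidecar digest as they are read. The `Stick` class, the file names and the sample contents are constructed for illustration; the digest compared against is assumed to have been received over a separate channel.

```python
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample data: the genuine file, and what a compromised controller
# serves instead. OUT_OF_BAND_SHA256 stands in for a digest obtained through a
# different medium (e.g. printed by the vendor), never read from the stick.
GENUINE = b"#!/bin/sh\necho 'genuine installer'\n"
TAMPERED = b"#!/bin/sh\necho 'genuine installer'\necho 'line inserted by firmware'\n"
OUT_OF_BAND_SHA256 = sha256_hex(GENUINE)


class Stick:
    """Models the files a host sees on a USB stick. A BadUSB controller can
    rewrite every block it serves, so a compromised stick returns the tampered
    file *and* a sidecar digest that matches it."""

    def __init__(self, compromised: bool):
        payload = TAMPERED if compromised else GENUINE
        self.files = {
            "installer.sh": payload,
            "installer.sh.sha256": sha256_hex(payload).encode(),
        }

    def read(self, name: str) -> bytes:
        return self.files[name]


def copy_to_host(stick: Stick, name: str) -> bytes:
    # Copy once and only ever check and use the host-side copy, so the
    # controller cannot serve different bytes to the check and to the run.
    return bytes(stick.read(name))


def verify_sidecar(stick: Stick) -> bool:
    """Insufficient: the digest travels on the same untrusted medium as the file."""
    data = copy_to_host(stick, "installer.sh")
    expected = copy_to_host(stick, "installer.sh.sha256").decode()
    return hmac.compare_digest(sha256_hex(data), expected)


def verify_out_of_band(stick: Stick, trusted_sha256: str) -> bool:
    """Digest obtained over a separate channel, which the stick cannot adjust."""
    data = copy_to_host(stick, "installer.sh")
    return hmac.compare_digest(sha256_hex(data), trusted_sha256)
```

A signature over the file from a key you already trust gives the same property as the out-of-band digest without needing a second channel per file.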

Another attack is to have the firmware present the device as a keyboard and type arbitrary commands on the computer. In most cases I suspect this is not very likely to succeed, since it should be obvious that this is happening. But you can imagine this attack being used to put up a fake screen saver that asks for a password and records it. On Linux you can generally turn off individual device classes for a USB peripheral. Turning off the auto-configuration of USB keyboards might save you from this attack.

An attack that the original researchers showed was to make the USB device look like a network card and then use that to override routing and DNS information. I'm not sure of all the pieces of this attack, but the right way to address it is to be rigorous about using https for as much as possible. In that case you will start getting certificate warnings for the sites where the rogue DNS server is trying to redirect you. This should be quite obvious when it happens as well.

The most serious attack I can imagine - and an attack that I haven't heard anyone mention yet - is the operating system replacement attack. Say you are using TAILS for your most sensitive work, and you have TAILS on a USB stick. If that USB stick gets infected, it could dynamically patch TAILS while the operating system is loaded from the stick. This way it can insert arbitrary backdoors, including patching the kernel to do all kinds of evil things. At that point things are basically game over for you. There are a few ways of dealing with this. First, you can run TAILS from a live CD instead of a USB stick. But in the current world of laptops without CD/DVD drives, you might end up having to use a USB CD reader, and you are back to the same problem. For this attack I actually don't know how to guard yourself very well. The only thing to do is to be very wary of your USB sticks, even if they don't contain any sensitive data. Regularly throwing away and buying new ones and reflashing them might also be a good mitigation technique.

The biggest problem that a BadUSB virus will find is that it will have to figure out a way to exfiltrate the information it steals (provided it's an attack intended to steal data). For most of the attacks above, that seems to be the place where things break down. But with the TAILS scenario, as long as there is a network connection, a virus could always send out information through it. And if no network connection is available, the virus could store the data on the USB stick in a hidden partition etc.

So in summary, this is a scary attack for some scenarios - but not all of them. There are mitigation techniques for most of the attacks although the TAILS USB stick attack is definitely a problem.