USB
Universal Serial Bus is a connection, communication and power supply protocol…
…which means that it defines how different devices can communicate: as a consequence, both sides are actively exchanging information. It’s not just “one side is reading some data written on the other side”.
So, something like a USB stick is not pure data storage. It’s not just a book that you read.
Even something as small as a USB key is actually a small computer.
This is also true for any active USB device: memory sticks, webcams, keyboards – even chargers can actively communicate.
It’s even possible for devices to behave in different ways depending on the user’s choice: for example, smartphones can act as simple storage device, or sync with a PC.
Anything using USB is a small computer. What are the consequences ?
Security
What about security?
Well, USB has nothing to do with security. It’s not meant to authenticate, encrypt…
This means that any USB device can do whatever it wants:
- it can pretend to be another kind of device:
- a USB key can behave as a keyboard and send keystrokes
- a charger can behave as storage, and infect your PC
- a docking station could jailbreak your smartphone
- it can behave as a storage device, but show or hide different content, depending on a specific trick, or on the OS it’s connected to.
- it can exploit a specific USB driver, and find vulnerabilities.
Is that new? No!
Is USB bad? No!
Security is a problem that USB was not made to solve.
What about encrypted USB sticks ?
It’s an extra layer of security, implemented over USB: sadly, it’s sometimes easy to bypass their security.
Not only for bad purposes
It’s not just bad news: some USB devices, on the other hand, have extraordinary abilities, for good purposes:
Innocent devices turned evil
Not only it’s possible to create malicious USB devices, but it’s possible to turn ‘innocent’ devices evil: standard USB controllers can be modified: they are cheap, so they have no protections against modifications at all:
“the integrity of these devices is based entirely on obscurity”
Brandon Wilson – DerbyCon 2014
So Richard Harman, Karsten Nohl, Sascha Krißler, Jakob Lell, Adam Caudill and Brandon Wilson studied Phison USB controllers (Phison has the biggest marker share in USB controllers), and eventually, modified firmwares for the Phison 2251-03 were developed and released.
The catch is that you can’t know from the outside which USB (key or device) could be altered, since USB device manufacturers don’t always use the same controller brand inside.
Avoid risks
- How can you tell if a device is malicious?
You can’t, at least not easily – it could even fake the result. - How likely is it to happen to you?
It’s far from trivial to perform such a hack, so it’s very unlikely 😉 - What is more likely to happen to me ?
- stupid VBScript trojans made of trivial code snippets taken directly from MSDN, that replicates by infecting USB drives still survive nowadays, and this is more likely to happen than your neighbors patching the firmware of your webcam to hack you (well, your neighbors’ mileage may vary).
- plugging your phone in an unknown phone charger booth at an airport is more likely to cause troubles: in this case, you might want to use a device that prevents data connection over USB, and just let charging power coming in.
Wrapping it up
Any USB device is a small computer.
It could be malicious, but it’s unlikely to happen as it’s far from trivial to make a malicious USB device, or infect an innocent USB device.
This is not new, as USB is not a security protocol, so it is not designed to make sure that a USB device is unmodified, and USB devices don’t protect themselves from modification.
On the other hand, you should be careful with unknown USB sticks, and unattended charging stations (in airports, …).
