By now I am sure even your grandmother has heard about BadUSB. It is a fundamental weakness in the way USB works, and researchers at SRLabs in Germany showed at Black Hat 2014 that it can be leveraged to do bad things: the firmware on a USB device's controller chip can be rewritten so that the device behaves as something other than what it looks like, for example a flash drive that also acts as a keyboard. I will not go into detail about what BadUSB is, because if you are looking to fix it you already know what it is. For those who don't, here is a link to a Wired article on it.
From reading a few articles on this I know there are a lot of people out there trying to come up with a way to fix this issue. Here are the typical suggestions most people have made:
- Can’t an Antivirus protect us?
- Why don’t they sign the firmware?
- Can’t we just refresh the firmware to make sure it’s the right one?
- Why is it writeable to begin with, just remove that feature!
These are all good points, so let me take them in order. Number 1: can't an antivirus protect us? The answer is no. There is no way for an antivirus to look at the firmware of a USB controller. USB gives the host no standard command to read a controller's firmware back out; the only thing software on the computer can do is ask the controller for information, and everything you get back (the device descriptors, the data on the drive, the keystrokes) is whatever the controller chooses to send. So since everything has to go through the USB controller, do you think a re-flashed controller would tell the truth about what is going on with its firmware? That is like expecting a criminal to tell the truth: not going to happen unless they are a few fries short of a Happy Meal. The same is true of an infected or re-flashed USB controller. Since the host has no way to verify what the controller reports, antivirus as it exists today is out of the question.
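To make concrete what "asking the controller" actually gives you, here is an added example (mine, not from the original post) that parses a USB configuration descriptor the way the host does and checks whether a device that calls itself a flash drive also offers a keyboard interface. The descriptor bytes are constructed for the example; the field layouts follow the USB 2.0 specification (chapter 9). Keep the limitation in mind: the check only reports what the controller claims, so it catches a drive that openly enumerates as a keyboard too, not a controller that simply lies.

```python
"""
Parse a USB configuration descriptor blob the way a host sees it and flag a
"flash drive" that also presents a keyboard interface.

Added example, not from the original post. The descriptor bytes below are
constructed for illustration; the layouts follow the USB 2.0 specification.
Nothing here can see the controller's firmware; it only sees what the
controller reports.
"""
import struct

DESC_DEVICE, DESC_CONFIG, DESC_INTERFACE, DESC_ENDPOINT, DESC_HID = 1, 2, 4, 5, 0x21
CLASS_HID, CLASS_MASS_STORAGE = 0x03, 0x08


def walk_descriptors(blob):
    """Yield (bDescriptorType, raw_bytes) for each descriptor in the blob.
    Every descriptor starts with bLength, bDescriptorType; unknown types are
    skipped by length. Malformed lengths raise instead of reading past the end."""
    off = 0
    while off < len(blob):
        if off + 2 > len(blob):
            raise ValueError("truncated descriptor header at offset %d" % off)
        length, dtype = blob[off], blob[off + 1]
        if length < 2 or off + length > len(blob):
            raise ValueError("bad bLength %d at offset %d" % (length, off))
        yield dtype, blob[off:off + length]
        off += length


def interfaces(blob):
    """Return [(bInterfaceNumber, bInterfaceClass, bInterfaceSubClass,
    bInterfaceProtocol)] for every interface descriptor (alternate setting 0)."""
    result = []
    for dtype, raw in walk_descriptors(blob):
        if dtype == DESC_INTERFACE and len(raw) >= 9:
            num, alt, _, cls, sub, proto = raw[2], raw[3], raw[4], raw[5], raw[6], raw[7]
            if alt == 0:
                result.append((num, cls, sub, proto))
    return result


def assess(blob):
    """Classify what the device *claims* to be. Returns 'storage', 'keyboard',
    'storage+hid' (the BadUSB demo pattern: a drive that also types) or 'other'."""
    classes = {cls for _, cls, _, _ in interfaces(blob)}
    has_storage = CLASS_MASS_STORAGE in classes
    has_hid = CLASS_HID in classes
    if has_storage and has_hid:
        return "storage+hid"
    if has_storage:
        return "storage"
    if has_hid:
        return "keyboard"
    return "other"


# Builders for the constructed sample descriptors (little-endian, per the spec).
def _config(body, n_ifaces):
    total = 9 + len(body)
    return struct.pack("<BBHBBBBB", 9, DESC_CONFIG, total, n_ifaces, 1, 0, 0x80, 50) + body


def _iface(num, n_eps, cls, sub, proto):
    return struct.pack("<BBBBBBBBB", 9, DESC_INTERFACE, num, 0, n_eps, cls, sub, proto, 0)


def _endpoint(addr, attrs, max_packet, interval):
    return struct.pack("<BBBBHB", 7, DESC_ENDPOINT, addr, attrs, max_packet, interval)


# Constructed: an ordinary bulk-only mass-storage flash drive (SCSI transparent).
PLAIN_DRIVE = _config(
    _iface(0, 2, CLASS_MASS_STORAGE, 0x06, 0x50)
    + _endpoint(0x81, 0x02, 512, 0)
    + _endpoint(0x02, 0x02, 512, 0),
    1,
)

# Constructed: the same drive after a re-flash that adds a boot-protocol keyboard.
HID_DESC = struct.pack("<BBHBBBH", 9, DESC_HID, 0x0111, 0, 1, 0x22, 63)
BADUSB_DRIVE = _config(
    _iface(0, 2, CLASS_MASS_STORAGE, 0x06, 0x50)
    + _endpoint(0x81, 0x02, 512, 0)
    + _endpoint(0x02, 0x02, 512, 0)
    + _iface(1, 1, CLASS_HID, 0x01, 0x01)
    + HID_DESC
    + _endpoint(0x83, 0x03, 8, 10),
    2,
)

if __name__ == "__main__":
    for name, blob in (("plain drive", PLAIN_DRIVE), ("re-flashed drive", BADUSB_DRIVE)):
        print(name, "->", assess(blob), interfaces(blob))
```

On Linux you can feed this real bytes from /sys/bus/usb/devices/*/descriptors, which holds the raw descriptor set the kernel fetched from the device (it begins with the 18-byte device descriptor, which the walker skips by length); lsusb -v shows the same data decoded. Class-based rules like this are what tools such as USBGuard enforce, and they are worth having, but they are a policy on the controller's claims, not a check of its firmware.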
The next one is topical. 2. Why don't we just sign the firmware? If you understand code signing this sounds like the perfect solution: a signature confirms that something is exactly as the signer intended. It sounds great until you run into the problem from question 1 again. You are trusting the USB controller to check that the firmware is signed. In a good world the controller would run a routine that verifies the signature and reports back a yes or no. The problem is again how you trust a bad USB controller: how do you know it even ran the check? The bad guy could have reprogrammed it to say yes no matter what. A signature check only means something when the code doing the checking cannot itself be rewritten, for example a boot loader in mask ROM with the public key burned in, and the fact that BadUSB works at all shows that the controllers in question don't have that. So on today's hardware, signing is out of the question.
Question 3: can't we just re-flash the firmware to make sure it's the right one? Sounds like a good course of action. Have manufacturers post the known-good firmware on their support website, and if you are unsure whether your drive has been compromised, just re-flash it. Sounds great... until you realize the same problem from questions 1 and 2 happens again. The re-flash goes through the same controller that is responsible for writing the flash, and if that controller is bad, how do we know it did the job? It could accept the firmware image, report success and write nothing at all, and since the host cannot read the firmware back (question 1), there is no way to tell whether it did its job or not.
Question 4: why is it writeable to begin with? Just remove that feature! Well, you can thank consumerism for this one. You want a cheap USB flash drive or keyboard or mouse; everyone does, so most companies make a single USB controller chip that works for all of these devices and load custom firmware depending on what it is going into. This saves money, which is passed on to the user. We could build these devices with a read-only ROM, but then the price would go up by (say) $10 and people would complain about being ripped off. And if a firmware bug turns up, you throw the whole device out and get a new one, because you can't fix it. So this is doable but won't happen, because people want cheap.
So how can we solve this problem? Is there a way to fix it? I think there is. It's not perfect, but it is an option and a way to make sure you can't be owned: have the manufacturers ship firmware that removes the code that allows the firmware to be rewritten. It's a one-shot deal, like making a ROM but with firmware instead. Manufacturers could still use the same chip for many different devices, but once you know the code is good you flash the firmware with a version that will not allow any further re-flash, exactly the trick the bad guys use to lock you out. Leave it up to the user: if they want to give up that feature, let them download a firmware that blocks all re-flash attempts from then on. You would go to the store, get a USB drive, go to the manufacturer's site and lock the device down before it gets a chance to be infected. If there is new firmware in the future, well, you are out of luck, and there would have been a disclaimer when you installed it that there is no way to update it afterwards. The one thing to check first is that the controller has no hardware recovery path (a jumper or service mode that bypasses the firmware), since that would let an attacker with physical access undo the lock.
This solution would not fix a device that is already owned, of course, but I would never trust a device again once it was owned; it would go in the garbage. I think if you put this in the users' hands they can take responsibility for deciding what they want to do, or how security conscious they want to be. Just an idea, of course...
© Caspan 2014