BadUSB — #badBIOS In Practice (and Ukrainian TSCM)

Ukrainian TSCM: Here’s how you deal with unwanted electronics if you live in the middle of a war zone (Luhansk)…
(Also featured in that YouTube channel — a Marx generator… made with STICKS. That’s right, wooden sticks off a tree somewhere.)

Anyway, news from the #badBIOS front. Karsten Nohl has successfully replicated another aspect of the infamous malware. In an upcoming BlackHat talk, he’s going to show all the havoc that can be wreaked by screwing with the firmware on your USB devices.

The long and the short of it is, you can reprogram the firmware on the controller chip (which is separate from the flash memory that holds your files, so nothing on the stick’s filesystem changes and reformatting it doesn’t help) and make the device compromise your computer… or other USB sticks:

“1. A device can emulate a keyboard and issue commands on behalf of the logged-in user, for example to exfiltrate files or install malware. Such malware, in turn, can infect the controller chips of other USB devices connected to the computer.

2. The device can also spoof a network card and change the computer’s DNS setting to redirect traffic.

3. A modified thumb drive or external hard disk can – when it detects that the computer is starting up – boot a small virus, which infects the computer’s operating system prior to boot. […]

A BadUSB device may even have replaced the computer’s BIOS – again by emulating a keyboard and unlocking a hidden file on the USB thumb drive.”[1]

This is in fact classic #badBIOS, which according to reports would spread from USB device to computer to USB device.
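Items 1 and 2 in the SRLabs list have a visible side effect: a reprogrammed thumb drive has to enumerate with a keyboard (HID) or network (CDC) interface alongside its mass-storage one. The following is an added example of mine, not code from the post, from SRLabs, or from Nohl’s talk. It parses raw USB descriptors (the same bytes Linux exposes in /sys/bus/usb/devices/<dev>/descriptors, or that lsusb -v decodes) and flags a storage device that also shows up as a keyboard or a network adapter. The three sample descriptors are constructed by hand for the demo, not captured from real hardware.

```python
"""Added example (not from the post, SRLabs or Nohl): parse raw USB descriptors
and flag a storage device that also enumerates as a keyboard or network adapter."""
import struct
from dataclasses import dataclass

# Descriptor types and interface class codes from the USB 2.0 spec / USB-IF class table.
DESC_CONFIGURATION = 0x02
DESC_INTERFACE = 0x04
DESC_ENDPOINT = 0x05
DESC_HID = 0x21
CLASS_CDC = 0x02            # Communications: CDC-ECM / RNDIS network adapters
CLASS_HID = 0x03            # Human interface devices
CLASS_MASS_STORAGE = 0x08
CLASS_CDC_DATA = 0x0A
HID_PROTOCOL_KEYBOARD = 0x01


@dataclass(frozen=True)
class Interface:
    number: int
    cls: int
    subclass: int
    protocol: int


def parse_interfaces(blob: bytes) -> list[Interface]:
    """Walk a chain of USB descriptors (bLength, bDescriptorType, ...) and collect
    the interface descriptors. Works on a bare configuration descriptor or on the
    whole sysfs 'descriptors' file (device descriptor followed by every configuration),
    because unknown descriptor types are simply skipped by their length."""
    found = []
    off = 0
    while off < len(blob):
        if off + 2 > len(blob):
            raise ValueError("truncated descriptor header")
        length, dtype = blob[off], blob[off + 1]
        if length == 0 or off + length > len(blob):
            raise ValueError(f"malformed descriptor at offset {off}")
        if dtype == DESC_INTERFACE and length >= 9:
            # bInterfaceNumber, bAlternateSetting, bNumEndpoints, bInterfaceClass,
            # bInterfaceSubClass, bInterfaceProtocol, iInterface
            num, _alt, _neps, cls, sub, proto, _str = struct.unpack_from("<7B", blob, off + 2)
            found.append(Interface(num, cls, sub, proto))
        off += length
    return found


def badusb_indicators(interfaces: list[Interface]) -> list[str]:
    """Return a (possibly empty) list of reasons to look harder at this device."""
    classes = {i.cls for i in interfaces}
    storage = CLASS_MASS_STORAGE in classes
    keyboard = any(i.cls == CLASS_HID and i.protocol == HID_PROTOCOL_KEYBOARD for i in interfaces)
    network = bool(classes & {CLASS_CDC, CLASS_CDC_DATA})
    findings = []
    if storage and keyboard:
        findings.append("storage device also enumerates as a keyboard (keystroke injection)")
    if storage and network:
        findings.append("storage device also enumerates as a network adapter (DNS/traffic redirection)")
    return findings


# --- Constructed sample descriptors (hand-built for this demo, not captured from hardware) ---
def _config(body: bytes, n_ifaces: int) -> bytes:
    # bLength, bDescriptorType, wTotalLength, bNumInterfaces, bConfigurationValue,
    # iConfiguration, bmAttributes (bus-powered), bMaxPower (100 mA)
    return struct.pack("<BBHBBBBB", 9, DESC_CONFIGURATION, 9 + len(body), n_ifaces, 1, 0, 0x80, 50) + body

def _iface(num: int, cls: int, sub: int, proto: int, n_eps: int) -> bytes:
    return bytes([9, DESC_INTERFACE, num, 0, n_eps, cls, sub, proto, 0])

def _ep(addr: int, attrs: int, max_packet: int, interval: int) -> bytes:
    return struct.pack("<BBBBHB", 7, DESC_ENDPOINT, addr, attrs, max_packet, interval)

# Interface 0: mass storage, SCSI transparent command set, bulk-only transport, bulk IN/OUT.
STORAGE_IFACE = _iface(0, CLASS_MASS_STORAGE, 0x06, 0x50, 2) + _ep(0x81, 0x02, 512, 0) + _ep(0x02, 0x02, 512, 0)
# Interface 1: HID boot keyboard with its HID descriptor (bcdHID 1.11, one report descriptor) and interrupt IN.
KEYBOARD_IFACE = (_iface(1, CLASS_HID, 0x01, HID_PROTOCOL_KEYBOARD, 1)
                  + bytes([9, DESC_HID, 0x11, 0x01, 0, 1, 0x22, 63, 0])
                  + _ep(0x82, 0x03, 8, 10))
# Interfaces 1 and 2: CDC Ethernet control interface plus its CDC data interface.
NETWORK_IFACES = (_iface(1, CLASS_CDC, 0x06, 0x00, 1) + _ep(0x83, 0x03, 16, 8)
                  + _iface(2, CLASS_CDC_DATA, 0x00, 0x00, 2) + _ep(0x84, 0x02, 512, 0) + _ep(0x03, 0x02, 512, 0))

PLAIN_THUMB_DRIVE = _config(STORAGE_IFACE, 1)
KEYBOARD_THUMB_DRIVE = _config(STORAGE_IFACE + KEYBOARD_IFACE, 2)
NETWORK_THUMB_DRIVE = _config(STORAGE_IFACE + NETWORK_IFACES, 3)


def scan(blob: bytes) -> list[str]:
    return badusb_indicators(parse_interfaces(blob))


if __name__ == "__main__":
    for name, blob in [("plain", PLAIN_THUMB_DRIVE), ("storage+keyboard", KEYBOARD_THUMB_DRIVE),
                       ("storage+network", NETWORK_THUMB_DRIVE)]:
        print(name, scan(blob) or ["nothing unusual"])
```

Two caveats. First, this is a review list, not a blocklist: plenty of honest composite devices (phones exposing storage plus RNDIS, keyboards with a built-in card reader) trip the same check. Second, it only catches the device while it is misbehaving. A reprogrammed controller can present as a plain thumb drive until some trigger, and items 3 and 4 in the list (the pre-boot infector and the BIOS replacement) leave nothing in the descriptors at all, which is exactly why the stick’s filesystem looks clean.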

(For industry-watchers, it’s worth noting that ArsTechnica heavily UNDERSTATED the capabilities of Nohl’s attacks — I had to go to the official SRLabs writeup for this!)

Now nobody here has suggested this in fact proves Dragos was right… Nohl told ArsTechnica just that “Everything Dragos postulated is entirely possible with reasonable effort… I’m pretty sure somebody is doing it already. This is something that’s absolutely possible.”

Yet in the heat of the #badBIOS saga, Dragos went to considerable lengths to hand off samples of his infected devices to researchers. One person even suggested he re-book his flight back from an Asian security conference to give him a stop-over in Berlin (Karsten Nohl’s hometown) though there is no confirmation this occurred.

So it may well be that there is some quiet reverse-engineering going on here.

