The facts about BadUSB (the "undefendable" securityproblem)

[hackerman1]

The facts about BadUSB

“Wednesday October 8, 2014
Introduction

Since the BadUSB talk[1] by Karsten Nohl and Jakob Lell at Black Hat USA in August there has been much discussion about the implications of this class of USB attack.

The discussions gained additional momentum when Adam Caudill and Brandon Wilson investigated the attack further and publicly released working code[2] at the DerbyCon security conference.

This blog post is intended to dispel some of the misunderstandings that have arisen around BadUSB and provide some practical advice to organisations so they can protect their Enterprise IT infrastructure from this class of attack.
Dispelling some BadUSB misunderstandings
The media is reporting that BadUSB is the result of a fundamental flaw in the USB protocol that cannot be fixed.

What is this flaw?

The “flaw” that some people have quoted relates to the fact that host operating systems implicitly trust devices that are plugged into a USB socket and as a result they cannot tell,
for example, if a real keyboard has been connected and is being operated by a human or a fake keyboard has been connected that is being operated by software.
This has been known and understood for many years and is the attack vector that is used by HID-based attack products such as the “USB Rubber Ducky”[3].
In fact, the technique that has become so widely known that it is being used by marketing companies, as we reported back in 2012[4].

The ability to upload modified firmware to some USB devices is not the result of a fundamental flaw in the USB protocol, rather the ability to reprogram a microcontroller that has not been sufficiently secured by the product vendor.
“

For more information, including advice on how to protect yourself,
read the full story: https://www.nccgroup.com/en/blog/2014/10/the-facts-about-badusb/

[Author]

Posts