There has recently been a lot of media attention surrounding research published by Karsten Nohl and Jakob Lell of SRLabs. This research has attempted to demonstrate how USB devices could potentially be a means for introducing malware into computing and portable electronics platforms. It has subsequently gone on to imply that there isn’t any effective method to protect against this particular vulnerability. Their provocative, if not bordering on inflammatory, comments that USB is ‘critically flawed’ and computer/portable electronic device users will not be able to ‘trust anything anymore after plugging in a USB stick’ are not in any way realistic however. Things therefore need to be put straight.
The two researchers, located in Berlin, have made demonstrations showing that USB memory thumb drives which appear to be completely empty, have been formatted as well as virus scanned could still have undetected malicious code upon them. This would be hidden within the firmware of their interface ICs.
Based on their findings they have implied that this is the end for USB thumb drives and many other USB accessories, and there is the prospect that it may even be necessary that ‘businesses should stop using them’ altogether. They have even suggested that, despite its huge prevalence (with over 6 billion ports in operation around the globe), the findings of their research basically signify the end of USB as a data transfer medium. This is a bold statement and furthermore it is completely unjustifiable. In truth USB is simply no more at risk to malicious attack than any other means of transferring data, such as via wireless communication (Bluetooth/Wi-Fi) or Internet connections.
Though the research conducted at SRLabs highlights the fact that there is an increasing danger posed by all manner of cyber attacks in every element of modern society, this certainly does not mean that the days of USB are numbered. It should be pointed out that concerns about susceptibility of firmware to manipulation of this kind are usually centred on microcontroller-based products where there is the possibility for the microcontroller unit to be reprogrammed on the fly in order to perform some additional unwanted functions. Though it can be applied to some USB interface ICs on the market, as long as OEMs producing USB peripherals chose to incorporate better quality ones into their designs then the threat is mitigated.
The SRLabs researchers have gone on the record saying that there are ‘no effective defences from USB attacks’, but this is actually far from correct. Certain established semiconductor manufacturers addressing the USB market already have the proven technology necessary to combat the issues raised here.
The popular USB bridge ICs offered by FTDI Chip are vendor class, rather than memory stick (mass storage) class. This device class cannot be customised in order to appear as an alternative device type. Since these ICs are hardwired (relying on fixed function ASIC implementations), they do not have any firmware whatsoever. As a result there is no place for this malicious code to be placed. All the control of communications is done totally in hardware. Some ICs in its portfolio make use of a small EEPROM memory resource, but this is merely for storing settings – it is not capacious enough for any form of malware to be held there. As a result of all this, FTDI Chip’s USB Bridge ICs cannot be reprogrammed to do something other than what they were originally designed to do, and the possibility of it being corrupted is therefore eliminated. Because they are vendor class they require a specific FTDI driver/API if they are to be accessed.
So there are USB ICs currently available, constructed upon hardware state machine architectures, rather than being microcontroller based, which are impossible to reprogram them. The reason that the aforementioned research omits details of how the industry can take steps to overcome the issue by specifying such ICs makes it somewhat evident that this whole affair is more about self promotion than acting in the public interest.
It is not unusual of course for those within the IT security sector to pull off publicity stunts such as this – with the intent more often than not of simply serving their own agenda. There has always been a tendency to make exaggerated (and generally poorly informed) claims in order to cajole people into investing in new software packages and suchlike. The problem is that by resorting to scaremongering tactics can in many cases lead to an overreaction.