In an effort to convince the makers of universal serial bus drives to improve the security of their firmware, a team of security researchers demonstrated how easy it is to turn the thumb drives in USBs into a malicious installer.
On top of that, researchers Adam Caudill and Brandon Wilson have published the actual tools they used to convert those drives into malware. The work of turning the drives into malicious installers could be done through a keyboard attack, which the researchers demonstrated with exact likeness during a Derbycon exhibit.
The USB thumb drives with which the tools employed by the researchers are found to be using the Phison 2251-03 controller, which has been further discovered to also apply to other controllers that the Phison Electronics company in Taiwan developed. At present, there are quite a number of USB thumb drives containing the Phison controllers that are easily accessible in the market.
In releasing the tools for turning the thumb drives into malicious installers, the security researchers are hoping to spur USB manufacturers to move and bolster the protection of their flash drive firmware with new updates and also urges Phison to add support for signed updates on USB controllers that the company sells.
But of course it is not only Phison Electronics that offers USB controllers on a large scale, there are other manufacturers too, but it is the hands of Phison that Caudill and Wilson expect to see the initiative first for securing the devices.
To some degree, the attack can be mitigated. But the security researchers acknowledged the fact that the device’s thumb drive itself is hard to combat since the miniature computer is in full control over the events taking place within the USB, therefore the certainty that it might be made to hide malicious activities.
At the very least, USB manufacturers could require the installation of signed firmware updates on the devices’ controllers in order to avoid alterations to the firmware once purchased by users. Although this has been in practice among many USB vendors, quite a considerable number of sellers still do not observe this security measure.
Caudill and Wilson released the code after they first learned of the idea during a demonstration by other security researchers during a Black Hat security conference in Las Vegas, where the so-called BadUSB attack was demonstrated. Based on the demonstration, a BadUSB attack enables a computer-connected USB thumb drive to switch its profile and transmit keystroke data to install a malware or maneuver the DNS settings.
