Government workers are always a big target for hackers because of the information they protect. And of everything sitting inside government cubicles right now, keyboards and mice are probably the most trusted devices — or at least the most overlooked — when it comes to security. Well, you can regard those as a potential vulnerability now thanks to an emerging threat, and one with not too many defenses.
Called BadUSB, this threat goes back to the Black Hat convention in July when researchers announced they had discovered a way to infect the firmware of USB devices. This lets them inject malicious code into machines those devices connected with. It also allowed keystroke logging and could even reprogram the compromised device so it reports itself as something else (like a camera saying that it’s a keyboard). The worst part is that because this is done by hacking the firmware, for the most part it’s undetectable and outside the realm of virus or malware scanners.
Researchers Karsten Nohl and Jakob Lell presented their findings as a proof of concept, but they didn’t release any specifics at the time, fearing hackers would begin to exploit BadUSB before companies could work on a fix. They bought a little time, but not that much, apparently. Just last week another team of researchers cracked the secrets of BadUSB, too — only they posted the malicious code for everyone to see, and quite possibly use, on a public GitHub site. Their argument was that information should be made public and that hackers may have already discovered the BadUSB secrets. In any case, it’s in the wild now, and likely being modified and used by criminal hackers looking for a new tool.
I thought that someone must have worked out a proper defense and went searching for folks. It took a while, but finally I came across the director of product management for IronKey, Mats Nahlinder. According to Nahlinder, most of IronKey’s secure drives and products are safe from BadUSB because of a unique firmware check that happens every time one of its devices is inserted into a computer.
“It’s quite simple how we do it,” Nahlinder said. “All of the software running inside the firmware on our products is digitally signed. BadUSB is insidious because it happens below the [operating system] level, which prevents malware scanners from detecting it. But we can stop it.”
Nahlinder explained how the process works. IronKey takes all the code inside one of its devices and creates a cryptographic hash, which is a non-reversible operation. The certificate for that hash value is then encrypted itself and embedded inside the non-writable hardware cryptochip. When users insert the device into a computer, they automatically use a public key to decrypt the hash value. If any changes have been made to the firmware, even one single byte of data or one number switch in the code, the stored hash will no longer match the newly created one.
“If there is no match, then the drive will refuse to start,” Nahlinder said. “The red LED light will illuminate to indicate that there is a fault, and the drive becomes inoperable.”
One place where the government can make use of this technology to protect USB devices is with the new IronKey Workspace W700 mobile workspace, which creates Windows 8.1 desktops in a secure space anywhere in the world for traveling employees.
The W700 recently earned FIPS 140-2 Level 3 Certification. Nahlinder explained that, as part of that, the device had to be able to maintain a noncorruptible firmware, which it does. If BadUSB finds its way onto one of their drives, the change in code would render the device useless. Of course that means the user is out one portable USB workstation, but their network — and more importantly their data — remains uncompromised and safe, a price most government agencies would be more than willing to pay for that level of protection and assurance.
Unfortunately, neither IronKey nor its parent company Imation make mice or keyboards. But perhaps companies that do could follow the pattern of protection put forward by IronKey in its secure drives to lock down the firmware throughout the USB landscape. BadUSB only just got into the hands of the bad guys a week ago, yet it has the potential to be a huge security risk in the very near future. Adding an encrypted firmware checking process to a mouse would likely significantly increase its price, but the cost for doing nothing in the face of BadUSB could be so much higher.