What is the specific situation of the "BadUSB" USB vulnerability, and how harmful is it?
BadUSB vulnerability: This vulnerability stores malicious code in the firmware storage area of the USB device controller, rather than in other storage areas that can be read through the USB interface (such as Flash), so that antivirus software or an ordinary format operation cannot delete the code. During the design stage of a USB device, a special method is used to implant malicious code into the firmware of the USB device controller, so that the device can deceive the PC's OS when it is connected to a PC or other device, thereby achieving a certain purpose.

The article introducing this vulnerability originated from a piece published by WIRED, an American online magazine, on July 31, 2014: "Why the Security of USB Is Fundamentally Broken". What needs to be explained here is that Wired is a famous online magazine in the United States that covers the application of computer technology in all aspects of modern and future human life. Every issue of Wired scans the future of business, science, entertainment, education and culture, and reveals striking stories about how technology has changed our lives. Wired has always been at the forefront of reporting, whether on science and technology, business, new media, art and culture, the environment or the latest products. In other words, the news did not come from traditional security vulnerability research and evaluation institutions or academic journals.

According to the original text (attached), there is the following information:

1. Two attackers, Nohl and Lell, spent several months reverse engineering the controller firmware of a USB device. Note that USB devices (meaning the USB communication chips) have a controller chip. They found that the firmware of USB devices can be reprogrammed to implant attack code (specifically, this refers to the device firmware, which can be re-flashed into the device after the attack code is injected).

2. At present, no manufacturer or authority has confirmed this loophole. Nohl and Lell contacted a USB device manufacturer in Taiwan (the specific name was not disclosed) to issue a security warning, and the manufacturer repeatedly denied the possibility of the attack. Wired contacted the non-profit organization USB Implementers Forum, and the organization's spokesman gave a boilerplate answer, namely that people should always confirm the trustworthiness of a device's source when using USB devices.

3. The details in this article and the related documents are obscure, and there is no further information.

The following is a USB security analysis of the attack described in this article:

1. Most USB device controllers are ASICs, which means that these controllers are highly customized and have no ability to extend to other devices, let alone execute other code. According to the original text, the attack needs to modify the USB device type, and the USB endpoints that mark the USB device type and its various information are in most cases hard-wired into the device, because this information will never need to be changed.

However, since most USB device controllers are ASICs, few devices can be infected. In view of manufacturers' cost sensitivity, the devices they manufacture are as simple as possible and do not have the conditions needed to run malicious code. In other words, even if some devices are infected, the only result is that the infected device cannot run, not that malicious code runs. What is called USB controller firmware is mostly a configuration file for the logic circuit; even if it is tampered with or destroyed, it can only render the device unable to run. Few manufacturers produce general-purpose USB controllers.

Most USB devices cannot be changed by firmware upgrade or reprogramming, as this would make the controller very expensive. In fact, most USB device controllers do not support reprogramming at all. Many ASICs have no MCU core and rely entirely on logic circuits, which makes this kind of attack completely impossible.

2. The premise of the attack is the reverse engineering of the device firmware. First, different devices and different manufacturers have different firmware due to different device structures, so there is no single piece of malicious code that can infect them. Most ASICs use custom MCU cores, and there is no external register or programming guide at all, so reverse engineering is impossible. Second, manufacturers usually pay great attention to protecting device firmware, because it usually contains sensitive information, and it is never made public. Finally, the manufacturer checks the validity of the firmware when the controller runs, that is, the manufacturer usually signs and verifies the firmware. These factors make an attack possible only on very few devices.

3. Even if the attacker finds that, for some reason, he can support other USB classes and endpoints by changing the firmware, and successfully reverses the firmware, the attacker must still write the tampered firmware into the device. The firmware of a USB device controller is usually stored in the metal layer of the chip, where it is read-only and not writable. Even if the firmware can be written, or is stored in external memory, the attacker still needs special commands or special equipment provided by the manufacturer.

According to this article, the attacker's malicious program is located in the USB controller's space. The USB controller's firmware is completely isolated from the BIOS, firmware and OS of the PC and other systems, and only USB commands predefined by the controller can be run. Once it comes to maliciously affecting the PC's OS through USB behaviour (such as keyboard and mouse input), this will inevitably involve bypassing the firewall and obtaining system permissions, and it is impossible to do so quietly.

But it must be noted that the above analysis is mainly aimed at the vast majority of USB devices we actually use. According to its initial description, the exploitation of this vulnerability is achieved with a USB device controller that supports general-purpose programming, by successfully completing the reverse engineering of the firmware and then successfully writing the firmware into the USB device controller (possibly directly using development tools).
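The answer's central point is that a BadUSB device works by presenting a USB class it is not supposed to have (for example a storage stick that also enumerates as a keyboard, or as a network adapter). From a defender's side, that is exactly what can be checked at enumeration time: compare the interface classes a device declares against an allowlist for its vendor/product ID. The following Python script is an added example, not code from the original answer or from the Wired article; the descriptor records, the `device`/`iface` text format and the VID:PID values are constructed for the illustration, and the allowlist policy (`ALLOWLIST`, `evaluate`, `audit`) is an assumed design, not any real tool's API. The interface class codes (0x02 CDC, 0x03 HID, 0x08 mass storage, 0x0a CDC-data) and the boot-keyboard protocol value 0x01 are the standard USB-IF codes.

```python
from dataclasses import dataclass

# Standard USB interface class codes (USB-IF class code list).
USB_CLASS_CDC = 0x02           # Communications (USB network adapters)
USB_CLASS_HID = 0x03           # Human Interface Device (keyboards, mice)
USB_CLASS_MASS_STORAGE = 0x08
USB_CLASS_CDC_DATA = 0x0a
HID_PROTOCOL_KEYBOARD = 0x01   # bInterfaceProtocol of a boot keyboard


@dataclass(frozen=True)
class Interface:
    cls: int        # bInterfaceClass
    subclass: int   # bInterfaceSubClass
    protocol: int   # bInterfaceProtocol


@dataclass
class UsbDevice:
    vid: int
    pid: int
    product: str
    interfaces: tuple


def parse_devices(text):
    """Parse the constructed record format used in SAMPLE_DESCRIPTORS:
    'device VID:PID "Product"' followed by 'iface CLASS/SUBCLASS/PROTO' lines (hex)."""
    devices = []
    for raw in text.strip().splitlines():
        line = raw.strip()
        if line.startswith("device "):
            ids, _, product = line[len("device "):].partition(" ")
            vid, pid = (int(x, 16) for x in ids.split(":"))
            devices.append(UsbDevice(vid, pid, product.strip('"'), ()))
        elif line.startswith("iface "):
            cls, sub, proto = (int(x, 16) for x in line[len("iface "):].split("/"))
            devices[-1].interfaces += (Interface(cls, sub, proto),)
    return devices


def evaluate(dev, allowlist):
    """Return the list of policy violations for one device; empty means allow.
    allowlist maps (vid, pid) -> set of interface classes that device may present."""
    reasons = []
    classes = {i.cls for i in dev.interfaces}
    has_keyboard = any(i.cls == USB_CLASS_HID and i.protocol == HID_PROTOCOL_KEYBOARD
                       for i in dev.interfaces)
    # A storage device that also enumerates a HID interface is the classic
    # BadUSB presentation described in the answer above.
    if USB_CLASS_MASS_STORAGE in classes and USB_CLASS_HID in classes:
        reasons.append("mass-storage device also enumerates a HID interface")
    permitted = allowlist.get((dev.vid, dev.pid))
    if permitted is None:
        reasons.append("VID:PID not on allowlist")
    else:
        extra = classes - permitted
        if extra:
            reasons.append("unexpected interface classes: "
                           + ", ".join(f"{c:#04x}" for c in sorted(extra)))
    # Keyboard input from an unlisted device is the channel a BadUSB uses
    # to type commands, so it is called out separately.
    if has_keyboard and permitted is None:
        reasons.append("keyboard interface from a device not on the allowlist")
    return reasons


def audit(text, allowlist):
    """Map each product name to its violations (empty list = allowed)."""
    return {d.product: evaluate(d, allowlist) for d in parse_devices(text)}


# Constructed sample: two known-good devices and two suspicious ones.
SAMPLE_DESCRIPTORS = """
device 1a2b:0001 "Office Keyboard"
  iface 03/01/01
device 1a2b:0002 "Plain Flash Drive"
  iface 08/06/50
device dead:beef "Flash Drive"
  iface 08/06/50
  iface 03/01/01
device dead:c0de "Fast Charger"
  iface 02/06/00
  iface 0a/00/00
"""

# Constructed allowlist: which interface classes each approved VID:PID may declare.
ALLOWLIST = {
    (0x1a2b, 0x0001): {USB_CLASS_HID},
    (0x1a2b, 0x0002): {USB_CLASS_MASS_STORAGE},
}

if __name__ == "__main__":
    for product, reasons in audit(SAMPLE_DESCRIPTORS, ALLOWLIST).items():
        status = "ALLOW" if not reasons else "BLOCK"
        print(f"{status:5} {product}: {'; '.join(reasons) or 'ok'}")
```

On a Linux host the same class and protocol values are exposed per interface under `/sys/bus/usb/devices/*/bInterfaceClass` and `bInterfaceProtocol`, which is where a real enforcement point (a udev rule, or a tool such as USBGuard that ships its own allowlist language) would read them; the script above only shows the decision logic on the constructed records.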