Luke, there are no real ways to block BadUSB.
BadUSB is like this: you get some USB device. It pretends to be a USB flash drive. It is the device that makes this abstraction. There is some CPU ("controller") inside the device. It talks USB and exposes the device as USB flash. If the device's firmware has malicious intentions, it can suddenly misbehave.
Flash can return bogus data, possibly causing foreign code execution in a way you don't usually expect. Just rewriting a file on the flash would not help - it is the controller that passes all requested data. It can do runtime patching of data on the fly. Sure, you can add checksums, etc., and eventually it would get too complicated for the controller to do it unnoticed. But you should understand: there is a CPU. It runs foreign code. Most of the time you do not know what this code is and what it can do.
The BadUSB attack goes a bit further. Say, a flash drive can suddenly become a keyboard. USB is a universal bus; device functions are purely software-defined by the device firmware. So there is nothing wrong if a device suddenly becomes something else. It is technically possible. Then the "flash drive" can suddenly type some commands into your system. Possibly executing something nasty, if the guess has been correct (the device can't see/analyse your screen easily, so it's a blind attack). Say, in Windows you can usually emit keypresses like <Win+R>, "calc.exe", <enter> - and the well-known PoC (aka calculator) is here. Boo-hoo.
There are even more sophisticated attacks possible and reported to exist. Many modern 3G/4G modem+router devices are full-fledged computers inside. They often run Android or Linux internally. So on one side the device has network connectivity, in fact being an autonomous computer inside, and it pretends to be a USB peripheral for you. Needless to say, someone with malicious intent can either hack such a device remotely or put malicious code into the firmware. Then the device could suddenly turn into a keyboard. A wireless keyboard. An incredibly long-range wireless keyboard which can be controlled from any place around the world.
So what can the BIOS do about it? Basically nothing: it does not handle device enumeration and so on once the OS has booted. It can disable the USB controller, I guess, but then you'll be completely unable to use USB devices. Doesn't sound very cool, right? There is no way to change this without completely wrecking compatibility with existing USB devices.
It is up to the OS to defend itself at this point. I can imagine the OS could request some extra confirmation to use a new, previously unknown keyboard (and maybe other potentially troublesome device classes) and just refuse to deal with a new keyboard without some extra confirmation from the user. Typed via the old keyboard, obviously. But who does it right now? Nobody? Hmm, okay - now BadUSB attacks are a problem.
I can imagine some funny ways to divert BadUSB at the hardware level. Imagine you have a 4G USB modem and it got hacked. But if it has been plugged into some TL3020 running OpenWrt and it lacked the HID kernel module - uh-oh, good luck typing something from the "keyboard". And it's not like a pocket-sized router needs a keyboard for its normal course of action. So it's possible to "firewall" suspicious devices. Yet it would require some chunk of hardware where you control the firmware and hence can intercept undesired activity.
But the key problem actually is the fact that most devices are running internal firmware. Of course well hidden and blob-only most of the time. So you can never be sure what this crap does, whether it is vulnerable or not, etc. All interactions with the device are handled by the device's firmware. So the device can do whatever it wants and there is no real way to prevent it. You never know what a particular device is up to.
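The OS-side check the comment above wishes existed ("refuse a new keyboard until the user confirms it from the old one"), sketched as an added example; this is not code from the original post. It assumes the Linux sysfs layout, where each USB interface appears under /sys/bus/usb/devices/<dev>:<cfg>.<if>/ with its bInterfaceClass and bInterfaceProtocol and a writable `authorized` attribute that keeps drivers from binding when set to 0. The snapshot format, vendor/product IDs and serial numbers are constructed so the script runs offline; it only prints the sysfs writes it would make. It also covers the "flash drive suddenly becomes a keyboard" case from the post by diffing a device's interface classes across re-enumeration.

```python
"""Allowlist policy for newly attached USB input devices (added example).

Models "ask before trusting a new keyboard" for Linux: each interface under
/sys/bus/usb/devices/<dev>:<cfg>.<if>/ has bInterfaceClass/bInterfaceProtocol
and a writable `authorized` attribute (1 = let drivers bind, 0 = keep inert).
The snapshot format, IDs and serials below are constructed; nothing is written.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

HID_CLASS = 0x03           # keyboards, mice
MASS_STORAGE_CLASS = 0x08  # "flash drive"
CDC_CLASS = 0x02           # modems, network adapters
# Classes that can inject input or traffic and need an explicit trust decision.
SENSITIVE_CLASSES = {HID_CLASS, CDC_CLASS}
TrustKey = Tuple[int, int, str]  # (idVendor, idProduct, serial)

@dataclass(frozen=True)
class Interface:
    path: str       # sysfs name, e.g. "1-2:1.1"
    cls: int        # bInterfaceClass
    protocol: int   # bInterfaceProtocol

@dataclass(frozen=True)
class Device:
    path: str       # sysfs name, e.g. "1-2"
    vendor: int
    product: int
    serial: str
    interfaces: Tuple[Interface, ...]

def parse_snapshot(text: str) -> List[Device]:
    """Parse the constructed 'device ... / iface ...' dump into Device objects."""
    devices: List[Device] = []
    header, ifaces = None, []
    for line in text.strip().splitlines():
        parts = line.split()
        if not parts:
            continue
        kv = dict(p.split("=", 1) for p in parts[2:])
        if parts[0] == "device":
            if header:
                devices.append(Device(*header, tuple(ifaces)))
            header = (parts[1], int(kv["idVendor"], 16), int(kv["idProduct"], 16), kv["serial"])
            ifaces = []
        elif parts[0] == "iface":
            ifaces.append(Interface(parts[1], int(kv["class"], 16), int(kv["protocol"], 16)))
    if header:
        devices.append(Device(*header, tuple(ifaces)))
    return devices

def decide(dev: Device, trusted: Set[TrustKey]) -> Dict[str, Tuple[str, str]]:
    """Per-interface (decision, reason). A storage device that also exposes HID is
    blocked on the HID side even if trusted: a flash drive has no business typing.
    Other sensitive classes stay blocked until the device is on the trust list,
    i.e. until the user approved it from an already-trusted keyboard."""
    classes = {i.cls for i in dev.interfaces}
    trusted_dev = (dev.vendor, dev.product, dev.serial) in trusted
    storage_plus_hid = HID_CLASS in classes and MASS_STORAGE_CLASS in classes
    out: Dict[str, Tuple[str, str]] = {}
    for i in dev.interfaces:
        if i.cls == HID_CLASS and storage_plus_hid:
            out[i.path] = ("block", "storage device also exposes HID (BadUSB shape)")
        elif i.cls in SENSITIVE_CLASSES and not trusted_dev:
            out[i.path] = ("block", "sensitive class on untrusted device, needs approval")
        else:
            out[i.path] = ("allow", "harmless class or trusted device")
    return out

def sysfs_writes(decisions: Dict[str, Tuple[str, str]]) -> List[Tuple[str, str]]:
    """(path, value) pairs for the per-interface `authorized` attribute."""
    return [(f"/sys/bus/usb/devices/{p}/authorized", "1" if d == "allow" else "0")
            for p, (d, _) in decisions.items()]

def role_changed(before: Device, after: Device) -> bool:
    """True when the same device (same port and serial) came back with an interface
    class it did not have before, e.g. plain flash drive -> flash drive + keyboard."""
    same = before.path == after.path and before.serial == after.serial
    gained = {i.cls for i in after.interfaces} - {i.cls for i in before.interfaces}
    return same and bool(gained)

# Constructed snapshots (made-up IDs): a trusted keyboard and a flash drive,
# then the same flash drive re-enumerating with an extra keyboard interface.
SNAPSHOT_BEFORE = """
device 1-1 idVendor=1234 idProduct=0001 serial=KB-TRUSTED-01
iface 1-1:1.0 class=03 protocol=01
device 1-2 idVendor=abcd idProduct=0002 serial=FLASH-77
iface 1-2:1.0 class=08 protocol=50
"""
SNAPSHOT_AFTER = SNAPSHOT_BEFORE + "iface 1-2:1.1 class=03 protocol=01\n"
TRUSTED: Set[TrustKey] = {(0x1234, 0x0001, "KB-TRUSTED-01")}

def evaluate(snapshot: str, trusted: Set[TrustKey] = TRUSTED):
    """Decisions for every device in a snapshot, keyed by device path."""
    return {d.path: decide(d, trusted) for d in parse_snapshot(snapshot)}

if __name__ == "__main__":
    before = {d.path: d for d in parse_snapshot(SNAPSHOT_BEFORE)}
    for dev in parse_snapshot(SNAPSHOT_AFTER):
        if dev.path in before and role_changed(before[dev.path], dev):
            print(f"# {dev.path} ({dev.serial}) changed role, re-evaluating")
        for path, value in sysfs_writes(decide(dev, TRUSTED)):
            print(f"echo {value} > {path}")
```

Run as-is it prints the `echo 0 > .../1-2:1.1/authorized` line for the keyboard interface that appeared on the flash drive while leaving its storage interface and the known keyboard authorized. Trust is keyed on vendor, product and serial, which a malicious controller can of course forge; the point is that the default for an unseen input device is "inert until approved", so the blind keystroke injection the post describes has nothing to type into.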