Doubts about USB security are ill-founded -

Doubts about USB security are ill-founded


There has recently been a lot of media attention surrounding research published by Karsten Nohl and Jakob Lell of SRLabs. This research has attempted to demonstrate how USB devices could potentially be a means for introducing malware into computing and portable electronics platforms.

They have subsequently gone on to imply that there isn’t any effective method to protect against this particular vulnerability. Their provocative, if not bordering on inflammatory, comments that USB is ‘critically flawed’ and computer/portable electronic device users will not be able to ‘trust anything anymore after plugging in a USB stick’ are not in any way realistic however. Things therefore need to be put straight.

The two researchers, located in Berlin, have made demonstrations showing that USB memory thumb drives which appear to be completely empty have been formatted – as well as virus scanned -could still have undetected malicious code upon them. This would be hidden within the firmware of their interface ICs. on their findings they have implied that this is the end for USB thumb drives and many other USB accessories, and there is the prospect that it may even be necessary that ‘businesses should stop using them’ altogether. They have even suggested that, despite its huge prevalence (with over 6 billion ports in operation around the globe), the findings of their research basically signify the end of USB as a data transfer medium.

This is a bold statement but it is completely unjustifiable. In truth USB is simply no more at risk to malicious attack than any other means of transferring data, such as via wireless communication (Bluetooth/Wi-Fi) or Internet connections.

Though the research conducted at SRLabs highlights the fact that there is an increasing danger posed by all manner of cyber attacks in every element of modern society, this certainly does not mean that the days of USB are numbered.

It should be pointed out that concerns about susceptibility of firmware to manipulation of this kind are usually centred on microcontroller-based products where there is the possibility for the microcontroller unit to be reprogrammed on the fly in order to perform some additional unwanted functions. Though it can be applied to some USB interface ICs on the market, as long as OEMs producing USB peripherals chose to incorporate better quality ones into their designs then the threat is mitigated.

The SRLabs researchers have gone on the record saying that there are ‘no effective defences from USB attacks’, but this is actually far from correct. Certain established semiconductor manufacturers addressing the USB market already have the proven technology necessary to combat the issues raised here. This includes USB bridge ICs, which are vendor class, rather than memory stick (mass storage) class.

This device class cannot be customised in order to appear as an alternative device type. Since these ICs are hardwired (relying on fixed function ASIC implementations), they do not have any firmware whatsoever. As a result there is no place for this malicious code to be placed. All the control of communications is done totally in hardware.

Some ICs in its portfolio make use of a small EEPROM memory resource, but this is merely for storing settings – it is not capacious enough for any form of malware to be held there. As a result of all this, USB Bridge ICs cannot be reprogrammed to do something other than what they were originally designed to do, and the possibility of it being corrupted is therefore eliminated. Because they are vendor class they require a specific FTDI driver/API if they are to be accessed.

There are also USB ICs currently available constructed upon hardware state machine architectures –  rather than being microcontroller based – which are impossible to reprogram. The reason that the aforementioned research omits details of how the industry can take steps to overcome the issue by specifying such ICs makes it somewhat evident that this whole affair is more about self promotion than acting in the public interest.

It is not unusual of course for those within the IT security sector to pull off publicity stunts such as this – with the intent more often than not of simply serving their own agenda. There has always been a tendency to make exaggerated (and generally poorly informed) claims in order to cajole people into investing in new software packages and suchlike. The problem is that by resorting to scaremongering tactics can in many cases lead to an overreaction.

Fred Dart is the founder and CEO of FTDI Chip, which specializes in producing computer connectivity ICs, particularly for the Universal Serial Bus (USB). More recently he has instigated the company's entry into the graphic controller and microcontroller markets. He has a BSc (Hons) in Electronic & Electrical Engineering from the University of Strathclyde, Glasgow. After graduating university, he worked for Motorola and STC. Prior to founding FTDI, Fred ran a consultancy business, Computer Design Concepts Limited which was a sub-contract design work for other companies.

3 thoughts on “Doubts about USB security are ill-founded

  1. “Its not the USB Flash drive you bought at Fry's or Best Buy that consumers need to worry about. While someone *could* make a device that looks like one of these with security hacks built in, most of them are — as you point out — fixed function devices.

    Log in to Reply
  2. “Let me rephrase that last paragraph of yours into something equally or more valid:nn”It is not unusual of course for those within the IT vendor sector to publicly decry stunts such as this – with the intent more often than not of simply serving their o

    Log in to Reply
  3. “So about a year later little misunderstood Freddie wrote a driver “update” and submitted it to Microsoft. It had the sad effect of bricking devices that used his competitors chips, and some people applauded, but Microsoft made him take it back (but not

    Log in to Reply

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.