[Discuss] code for hacked USB drive (BadUSB) released on Github

Chuck Anderson cra at WPI.EDU
Mon Oct 6 09:19:55 EDT 2014


On Mon, Oct 06, 2014 at 03:06:44AM -0400, Tom Metro wrote:
> If these drives look like an ordinary USB storage drive when first
> attached, I wonder what they are using as a trigger to have them switch
> into malicious keyboard mode? I don't think it can pose as both
> simultaneously. The switch might occur after a simple count down timer
> starting when it was powered up.

Why couldn't it pose as both simultaneously?  Couldn't it embed a USB
hub to present more than one device id to the host?

> So the tester gizmo just needs to wait it out. Maybe you'll "quarantine"
> your USB drives for 24 hours before attaching them to your real
> computer. At least until the hackers increase the delay, or figure out
> how to fingerprint the host they are attached to, and only go malicious
> if it's the desired target (like a machine running Windows). There's a
> good chance this sort of fingerprinting would be possible by looking at
> how the OS interrogates the USB controller. So your tester would need to
> have a custom USB driver that emulates Windows or OS X.
> 
> One way to address this vulnerability is to modify the OS to put up a
> dialog any time a USB hotplug event is detected. "Found a new keyboard
> device, identifying itself as ... If you did not just plug in a
> keyboard, answer no. Use this device? Yes  No"
> 
> Of course the hackers could return an identification matching some very
> popular USB keyboard and hope to get lucky, or pester the user enough
> times so that they think their keyboard has a loose plug.

Qubes OS can solve this problem by using VM isolation for USB,
especially if you have a PS/2-connected keyboard and mouse (like most
PC laptops' internal keyboards/touchpads).  Just avoid Apple laptops.

I wonder if the OSes can be tweaked to refuse new USB keyboards/mice
after the first one has been connected.
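
The two ideas in this message can be written down as a hotplug policy: a stick that shows up as storage and keyboard at once (as a composite device or behind an embedded hub), and an OS that refuses further keyboards/mice once one is connected. The sketch below is an added example, not part of the original post or of any OS; the class names, verdict strings and sample events are constructed, and it assumes keyboards/mice announce themselves through the HID boot protocol field.

```python
from dataclasses import dataclass

# bInterfaceClass codes from the USB class list; bInterfaceProtocol values
# are those of the HID boot interface (1 = keyboard, 2 = mouse).
HID, MASS_STORAGE = 0x03, 0x08
BOOT_ROLES = {1: "keyboard", 2: "mouse"}

@dataclass(frozen=True)
class Interface:
    cls: int
    protocol: int = 0

@dataclass(frozen=True)
class Device:
    port: str          # topology path: "1-2", or "1-2.1" behind a hub
    interfaces: tuple

def input_roles(dev):
    """Input roles a device claims. Assumption: HID interfaces that do not
    declare a boot protocol are ignored in this sketch."""
    return {BOOT_ROLES[i.protocol] for i in dev.interfaces
            if i.cls == HID and i.protocol in BOOT_ROLES}

class HotplugPolicy:
    def __init__(self):
        self.granted = set()     # input roles already in use on this host
        self.plug_classes = {}   # root port -> interface classes seen there

    def decide(self, dev):
        root = dev.port.split(".")[0]   # same physical plug, hub or not
        seen = self.plug_classes.setdefault(root, set())
        seen |= {i.cls for i in dev.interfaces}
        roles = input_roles(dev)
        if roles and MASS_STORAGE in seen:
            return "deny: input and storage on one plug"
        if roles & self.granted:
            return "deny: extra " + "/".join(sorted(roles & self.granted))
        self.granted |= roles
        return "allow"

# Constructed hotplug events (not captured from real hardware).
EVENTS = [
    Device("1-1", (Interface(HID, 1),)),                          # user's keyboard
    Device("1-2", (Interface(MASS_STORAGE), Interface(HID, 1))),  # composite stick
    Device("1-3.1", (Interface(MASS_STORAGE),)),                  # behind a hub
    Device("1-3.2", (Interface(HID, 1),)),                        # sibling keyboard
    Device("1-4", (Interface(HID, 2),)),                          # first mouse
    Device("1-5", (Interface(HID, 1),)),                          # second keyboard
]

def run(events=EVENTS):
    policy = HotplugPolicy()
    return [policy.decide(d) for d in events]
```

Grouping by root port treats a composite device and a hub with two children the same way, which also means a genuine hub carrying both a flash drive and a keyboard is refused.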


