Blog | G5 Cyber Security

BadUSB Detection: Shape & Controller Checks

TL;DR

While checking a USB device’s physical shape and controller model can offer clues about potential BadUSB attacks, it’s not a foolproof solution. Attackers are getting better at disguising malicious devices. It should be part of a wider cybersecurity strategy including firmware analysis, access control, and monitoring.

Understanding the Threat

BadUSB is an attack where the firmware on a USB device is reprogrammed to act like a different type of device (e.g., a keyboard) and execute malicious commands. It’s sneaky because it doesn’t rely on exploiting software vulnerabilities on the host; it works at the device’s own firmware level, below anything the host’s software sees.

Can Shape Help?

  1. Visual Inspection: Look for anything unusual about the USB device’s physical appearance.
    • Are there seams or gaps that shouldn’t be there?
    • Does it feel heavier or lighter than expected for its size and type?
    • Is the branding correct and consistent with legitimate products?
  2. Compare to Known Good Devices: If possible, compare the suspect device side-by-side with a known good one of the same model. Subtle differences in casing or construction can be indicators.
    • Be aware that attackers can easily replicate common USB drive casings.

Can Controller Model Help?

The controller is the “brain” of the USB device. Identifying it can sometimes reveal if something is amiss.

  1. Using lsusb (Linux): This command lists connected USB devices and their details.
    lsusb -v

    Look for the ‘idVendor’ and ‘idProduct’ values. These identify the manufacturer and model that the device reports for itself.

  2. Using Device Manager (Windows):
    • Open Device Manager (search for it in the Start Menu).
    • Expand “Universal Serial Bus controllers”.
    • Right-click on the USB device and select “Properties”.
    • Go to the “Details” tab.
    • Select “Hardware Ids” from the Property dropdown.
  3. Cross-Reference Controller IDs: Search online databases (e.g., USB ID Repository) to verify if the reported controller model is consistent with the device type.
    • Unexpected or generic controller models are red flags.
    • Beware: Attackers can sometimes spoof legitimate controller IDs.
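The same idVendor/idProduct values that lsusb -v prints are readable straight from sysfs, so the check can be scripted. The script below is an added example, not code from the original post: it reads a sysfs-style tree, flags vendor:product pairs missing from a local allowlist (the allowlist entries are constructed placeholders), and flags any device that exposes a HID interface (bInterfaceClass 03) alongside another class, which is how a “storage stick” that can also type as a keyboard shows up. It also builds a constructed fixture tree so it runs offline.

```shell
#!/bin/sh
# Added example (not from the original post). Inspects idVendor/idProduct
# and interface classes from a sysfs-style tree, the same data lsusb -v shows.

ALLOWLIST="0781:5583 0951:1666"   # constructed placeholders; use your own inventory

# check_usb_tree DIR: inspect each device under DIR (default /sys/bus/usb/devices).
# Prints one line per finding; returns 0 when nothing is flagged, 1 otherwise.
check_usb_tree() {
    root="${1:-/sys/bus/usb/devices}"; status=0
    for dev in "$root"/*; do
        [ -f "$dev/idVendor" ] || continue          # interface entries carry no idVendor
        id="$(cat "$dev/idVendor"):$(cat "$dev/idProduct")"
        name="$(basename "$dev")"
        classes=""                                  # sysfs names interfaces <dev>:<cfg>.<iface>
        for iface in "$dev":*; do
            [ -f "$iface/bInterfaceClass" ] && classes="$classes $(cat "$iface/bInterfaceClass")"
        done
        case " $ALLOWLIST " in
            *" $id "*) ;;
            *) echo "$name $id: not on allowlist"; status=1 ;;
        esac
        # A HID (03) interface next to any other class is the composite-device red flag.
        for c in $classes; do
            if [ "$c" != "03" ] && [ "${classes#* 03}" != "$classes" ]; then
                echo "$name $id: HID interface alongside class $c"; status=1; break
            fi
        done
    done
    return $status
}

# build_sample_tree DIR: constructed fixture imitating sysfs so the check runs offline.
# 1-1: allowlisted stick, mass storage (08) only.
# 1-2: allowlisted ID (spoofed) but HID (03) plus storage (08).
# 1-3: unknown ID, keyboard-only HID.
build_sample_tree() {
    add_dev() { mkdir -p "$1/$2"; echo "$3" > "$1/$2/idVendor"; echo "$4" > "$1/$2/idProduct"; }
    add_if()  { mkdir -p "$1/$2:1.$3"; echo "$4" > "$1/$2:1.$3/bInterfaceClass"; }
    add_dev "$1" 1-1 0781 5583; add_if "$1" 1-1 0 08
    add_dev "$1" 1-2 0781 5583; add_if "$1" 1-2 0 08; add_if "$1" 1-2 1 03
    add_dev "$1" 1-3 dead beef; add_if "$1" 1-3 0 03
}

# Usage against the fixture: dir=$(mktemp -d); build_sample_tree "$dir"; check_usb_tree "$dir"
# Usage on a live host:     check_usb_tree
```

Note that the allowlist check only catches IDs the attacker did not bother to copy; the interface-class check is what catches a device with a spoofed but otherwise legitimate-looking ID.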

Limitations & Why It’s Not Enough

  1. Sophisticated Attacks: Attackers can use genuine USB controllers in malicious devices, making identification difficult.
  2. Casings are Easily Replicated: Physical casings are relatively easy to copy, so visual inspection isn’t reliable on its own.
  3. Firmware is Key: The real danger lies within the firmware, which shape and controller checks don’t directly reveal.

Better Cybersecurity Measures
