The recent report from researchers at Security Research Labs (SR Labs) on the vulnerability of USB devices has seen equal amounts of soul searching and indignation from the industry. While the advice has been to make sure you use devices from trusted sources, some USB IP companies have been highlighting what device makers can do to ensure that their systems are secure.
Rather than placing malware as a file on a USB device, SR Labs researchers Karsten Nohl and Jakob Lell reverse-engineered the firmware of the USB controller chips themselves and reprogrammed it, so that the device, not its contents, injects a virus or trojan into the host.
Gordon Lunn, customer engineering support manager at Glasgow, UK-based USB chip IP developer FTDI Chip, points out that the report highlights programmable devices, which are just one type of USB device. He tells EE Times:
We felt the report was inflammatory to say that USB firmware was the problem. From an FTDI perspective we did see the report as a generic attack on USB as a bad system. I don't see that as being any different from any infected source. This is a hardware thing that you would have to disinfect. Antivirus software can block threats from the Internet, so it can block threats from a USB stick.
In the embedded market, many USB ASIC implementations provide a serial-to-USB bridge whose function is not programmable and so is not open to this kind of reprogramming. OEMs write their drivers to FTDI's API instead, which sidesteps the problem.
One of the reasons USB-to-serial is a vendor solution is that there is no defined class for USB-to-serial, so all such devices tend to be vendor class, whereas a memory stick is a mass storage class device with the drivers embedded in Windows or Linux, and is easier to access from a rogue piece of code. Because the bridge solutions are non-programmable, the security question doesn't come up, and system developers understand that the system has to have its own security, that this is just a data port.
But FTDI has also developed its own programmable core, the FT900, that can be used as a USB controller. Lunn says:
The FT900 is more branded as an MCU rather than USB. It just happens to have USB. Yes it's programmable and in theory we have the issues of the other programmable controllers. We have an e-fuse technology to mask and write-protect the flash of the device, so we do protect people's application code.
With our device we have both host and device support, and we have up to seven end-points with multiple classes. Although you can't change the device, you can program it to be different things.
For example, if you have a WiFi dongle, it plugs in as a dongle, downloads the drivers and then reconfigures itself to be a data transfer device. If you have reconfigured the device, you can't change the flash, but you could change the RAM locally. Once you re-power, it returns to its original state. What damage could be done before you realize there is a problem is then a question, but that is no different from any other programmable device, he says.
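The point Lunn makes above, that a programmable controller can enumerate as one class and then present another, is exactly what a host can check for at enumeration time. The following is an added example, not code from the article, FTDI or MCCI: it parses a standard USB configuration descriptor (the configuration/interface/endpoint chain from chapter 9 of the USB 2.0 specification) and audits it against what the operator expects the device to be, so a "memory stick" that also presents a HID keyboard interface is flagged. The `build_config` helper and the three sample descriptors are constructed for illustration; the expected-class sets are an assumed local policy, not something the page prescribes.

```python
"""Host-side audit of a USB configuration descriptor (added example, constructed data)."""
import struct
from dataclasses import dataclass

DESC_CONFIGURATION, DESC_INTERFACE, DESC_ENDPOINT = 0x02, 0x04, 0x05
CLASS_HID, CLASS_MASS_STORAGE, CLASS_VENDOR = 0x03, 0x08, 0xFF
CLASS_NAMES = {0x02: "CDC", CLASS_HID: "HID", CLASS_MASS_STORAGE: "Mass Storage",
               0x0A: "CDC-Data", 0xE0: "Wireless", CLASS_VENDOR: "Vendor Specific"}


@dataclass
class Interface:
    number: int
    cls: int
    subclass: int
    protocol: int
    declared_endpoints: int   # bNumEndpoints from the interface descriptor
    seen_endpoints: int = 0   # endpoint descriptors actually found after it


def parse_config_descriptor(blob: bytes) -> list[Interface]:
    """Walk the descriptor chain and return one Interface per interface descriptor."""
    if len(blob) < 9 or blob[1] != DESC_CONFIGURATION:
        raise ValueError("not a configuration descriptor")
    total_len = struct.unpack_from("<H", blob, 2)[0]      # wTotalLength
    if total_len != len(blob):
        raise ValueError(f"wTotalLength {total_len} != {len(blob)} bytes read")
    ifaces: list[Interface] = []
    off = 0
    while off < len(blob):
        if off + 2 > len(blob):
            raise ValueError(f"truncated descriptor header at offset {off}")
        length, dtype = blob[off], blob[off + 1]
        if length < 2 or off + length > len(blob):
            raise ValueError(f"bad bLength {length} at offset {off}")
        if dtype == DESC_INTERFACE and length >= 9:
            num, _alt, n_ep, cls, sub, proto = blob[off + 2:off + 8]
            ifaces.append(Interface(num, cls, sub, proto, n_ep))
        elif dtype == DESC_ENDPOINT:
            if not ifaces:
                raise ValueError(f"endpoint descriptor at offset {off} before any interface")
            ifaces[-1].seen_endpoints += 1
        off += length
    return ifaces


def is_well_formed(blob: bytes) -> bool:
    try:
        parse_config_descriptor(blob)
        return True
    except ValueError:
        return False


def audit(ifaces: list[Interface], expected_classes: set[int]) -> list[str]:
    """Policy check (assumed local policy): every interface class must be expected,
    endpoint counts must match, and HID next to any other class is called out,
    because that is the shape of a reprogrammed stick that types into the host."""
    findings = []
    for i in ifaces:
        name = CLASS_NAMES.get(i.cls, f"0x{i.cls:02x}")
        if i.cls not in expected_classes:
            findings.append(f"interface {i.number}: unexpected class {name}")
        if i.declared_endpoints != i.seen_endpoints:
            findings.append(f"interface {i.number}: declares {i.declared_endpoints} endpoints, "
                            f"{i.seen_endpoints} endpoint descriptors follow")
    classes = {i.cls for i in ifaces}
    if CLASS_HID in classes and len(classes) > 1:
        findings.append("composite device mixes HID with other classes: keystroke-injection path")
    return findings


def build_config(interfaces: list[tuple[int, int, int, int]]) -> bytes:
    """Constructed test data: (class, subclass, protocol, endpoint count) per interface."""
    body = b""
    for num, (cls, sub, proto, n_ep) in enumerate(interfaces):
        body += struct.pack("<9B", 9, DESC_INTERFACE, num, 0, n_ep, cls, sub, proto, 0)
        attr = 0x03 if cls == CLASS_HID else 0x02          # interrupt for HID, bulk otherwise
        for ep in range(n_ep):
            addr = (ep + 1) | (0x80 if ep % 2 == 0 else 0)   # alternate IN / OUT addresses
            body += struct.pack("<BBBBHB", 7, DESC_ENDPOINT, addr, attr, 64, 0)
    head = struct.pack("<BBHBBBBB", 9, DESC_CONFIGURATION, 9 + len(body),
                       len(interfaces), 1, 0, 0x80, 50)
    return head + body


# Constructed samples: a plain stick, a reprogrammed stick that also types, and a
# vendor-class USB-to-serial bridge of the kind the article describes.
PLAIN_STICK = build_config([(CLASS_MASS_STORAGE, 0x06, 0x50, 2)])
BADUSB_STICK = build_config([(CLASS_MASS_STORAGE, 0x06, 0x50, 2), (CLASS_HID, 0x01, 0x01, 1)])
VENDOR_BRIDGE = build_config([(CLASS_VENDOR, CLASS_VENDOR, CLASS_VENDOR, 2)])

if __name__ == "__main__":
    for label, blob, expect in (("plain stick", PLAIN_STICK, {CLASS_MASS_STORAGE}),
                                ("reprogrammed stick", BADUSB_STICK, {CLASS_MASS_STORAGE}),
                                ("serial bridge", VENDOR_BRIDGE, {CLASS_VENDOR})):
        print(label, audit(parse_config_descriptor(blob), expect) or "OK")
```

On a real host the descriptor bytes would come from the operating system's USB layer at enumeration rather than from `build_config`; the audit itself is the same. Note what it cannot catch: the RAM-only reconfiguration Lunn describes is visible only if the check runs at every enumeration, including re-enumerations after the device has "downloaded its drivers", and a device that honestly declares a vendor-specific class still needs the application-level security he mentions.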
FTDI last week signed a deal to add a full USB stack called TrueStack from Ithaca, NY-based MCCI Inc. to its FT900 programmable controller. This uses FTDI's own architecture, optimized for data transfers, so it gives more protection against attack.
Security of a programmable core in connectivity applications is always a concern. The related software is complex, and so is subject to compromise, says MCCI CEO Terry Moore. The solution is defense in depth. He says:
MCCI’s USB stack has been extensively tested with the Windows ecosystem of devices, and was designed from the start with an awareness of the threat model. The FT900 has all the required tools to allow system makers to harden it, in particular e-fuses which, once programmed, prevent further changes to the program storage. But device designers have to be similarly careful when integrating, both to code carefully, and to make sure they take advantage of all the tools available, such as the security fuses.
He does acknowledge that programmability introduces a new and subtle route of turning a trusted device into a malicious device. “Although we shouldn’t dismiss this, we should remember that there are hundreds of different programmable cores on the market running thousands of different software stacks, with dozens of unique CPU instruction sets. Few of them allow direct in-the-field programming over USB.”
He also points out that the recent security attacks using USB are not actually new. The threat has been known to USB insiders for years. “It’s been possible for at least 15 years to use COTS products to put together type-one malicious devices, even on a research budget,” he says.