securitybreach Posted July 31, 2014 Share Posted July 31, 2014 Computer users pass around USB sticks like silicon business cards. Although we know they often carry malware infections, we depend on antivirus scans and the occasional reformatting to keep our thumbdrives from becoming the carrier for the next digital epidemic. But the security problems with USB devices run deeper than you think: Their risk isn't just in what they carry, it's built into the core of how they work. That's the takeaway from findings security researchers Karsten Nohl and Jakob Lell plan to present next week, demonstrating a collection of proof-of-concept malicious software that highlights how the security of USB devices has long been fundamentally broken. The malware they created, called BadUSB, can be installed on a USB device to completely take over a PC, invisibly alter files installed from the memory stick, or even redirect the user's internet traffic. Because BadUSB resides not in the flash memory storage of USB devices, but in the firmware that controls their basic functions, the attack code can remain hidden long after the contents of the device's memory would appear to the average user to be deleted. And the two researchers say there's no easy fix: The kind of compromise they're demonstrating is nearly impossible to counter without banning the sharing of USB devices or filling your port with superglue. These problems cant be patched, says Nohl, who will join Lell in presenting the research at the Black Hat security conference in Las Vegas. We're exploiting the very way that USB is designed............ The problem isn't limited to thumb drives. All manner of USB devices from keyboards and mice to smartphones have firmware that can be reprogrammed in addition to USB memory sticks, Nohl and Lell say they've also tested their attack on an Android handset plugged into a PC. And once a BadUSB-infected device is connected to a computer, Nohl and Lell describe a grab bag of evil tricks it can play." http://www.wired.com...7/usb-security/ 2 Quote Link to comment Share on other sites More sharing options...
ebrke Posted July 31, 2014 Share Posted July 31, 2014 :'( Quote Link to comment Share on other sites More sharing options...
securitybreach Posted July 31, 2014 Author Share Posted July 31, 2014 To avoid the attack, all you have to do is not connect your USB device to computers you don’t own or don’t have good reason to trust—and don’t plug untrusted USB devices into your own computer. Quote Link to comment Share on other sites More sharing options...
ebrke Posted August 1, 2014 Share Posted August 1, 2014 I was just thinking about all those users who will never hear about this and the havoc it will wreak on their cyberlives. Quote Link to comment Share on other sites More sharing options...
sunrat Posted August 1, 2014 Share Posted August 1, 2014 Scary Where's my tinfoil hat? 2 Quote Link to comment Share on other sites More sharing options...
securitybreach Posted August 1, 2014 Author Share Posted August 1, 2014 Scary Where's my tinfoil hat? BTW aluminum foil is not tinfoil..... 1 Quote Link to comment Share on other sites More sharing options...
Cluttermagnet Posted August 1, 2014 Share Posted August 1, 2014 (edited) Pretty scary all right. This is really getting out there- I first learned of this in a Yahoo article. Gives one pause. Really need to rethink things... BTW aluminum foil is not tinfoil..... Have to make do with aluminum. Tin foil is real hard to get hold of these days. Both are good RF shields. But tin probably shields against bad vibes much better... Edited August 1, 2014 by Cluttermagnet 2 Quote Link to comment Share on other sites More sharing options...
Guest LilBambi Posted August 1, 2014 Share Posted August 1, 2014 The thing that scares me is that there are many technicians that don't want to do the inconvenient thing by burning a CD/DVD with the tools needed to clean an infected computer. They just use the USB. To me that has always not made any sense. It is worth the time to burn a CD/DVD if you are needing to clean an infected computer. “These problems can’t be patched,” says Nohl, who will join Lell in presenting the research at the Black Hat security conference in Las Vegas. “We’re exploiting the very way that USB is designed.” ‘IN THIS NEW WAY OF THINKING, YOU HAVE TO CONSIDER A USB INFECTED AND THROW IT AWAY AS SOON AS IT TOUCHES A NON-TRUSTED COMPUTER.’ Quote Link to comment Share on other sites More sharing options...
Guest LilBambi Posted August 1, 2014 Share Posted August 1, 2014 (edited) Another really scary thing is they teach kids to use USB drives like they did floppies for their documents. Years ago, I told the story of how I got into malware fighting. My elder daughter needed to take a document to school to print it on their laser printer (at that time we only had a dot matrix printer -- should tell you how long ago this was. ). She was told not to turn off the write protect to protect the floppy. Just print and bring it home. Despite that, I told her to put the floppy on my chair when she brought it home. She did not. She put it in the computer and I didn't realize it and turned on the computer and lost my Windows system to a boot sector virus that prevented it from booting. When I realized what happened, I queried her about the disk and why she took the write protect off. She didn't realize I would know. The reason I didn't trust it was I had heard of school networks/computers being heavily infected during that time. I lost everything. And had to start all over. Hopefully that has changed, but since they encourage using USB devices, I doubt it. Edited August 1, 2014 by LilBambi Quote Link to comment Share on other sites More sharing options...
ross549 Posted August 1, 2014 Share Posted August 1, 2014 I've been doing some research on the topic...... The original posting about this that everyone is yelling about leaves out one important detail..... This was a particular firmware chip that was found to be vulnerable. It was one chip, from one vendor. Supposedly, other chips from other vendors could be found to be vulnerable, but that has not happened yet. Using certificates and SSL will prevent this from being an issue on infected hardware. We simply have not secured the USB protocol in any conceivable way. If we do, the data channel can then be trusted. It would probably also help stop things like the Rubber Ducky USB stick (Google it, I will not link it here). The reporting on this has been irresponsible, to say the least. Adam 2 Quote Link to comment Share on other sites More sharing options...
Guest LilBambi Posted August 1, 2014 Share Posted August 1, 2014 Yes, excellent Adam! It could be much more but only one was tested. The real problem comes in when people don't really know what chip is on their USB device. Also, USB drives are not the only thing that have this potential; keyboards, mice can also have their firmware downgraded to be malicious. Quote Link to comment Share on other sites More sharing options...
ross549 Posted August 1, 2014 Share Posted August 1, 2014 Yes, that would be true, *if* other firmware were found to have vulnerabilities. In any case, much ado about something that really has been known for some time...... This from IEEE has been published for 9 years- http://ieeexplore.ieee.org/stamp/stamp.jsp?reload=true&arnumber=1392705 Discussion on Reddit.... Adam Quote Link to comment Share on other sites More sharing options...
Guest LilBambi Posted August 1, 2014 Share Posted August 1, 2014 Here's the article from the developers/researchers (in English) that will be reporting on this at BlackHat 2014. Turning USB peripherals into BadUSB Reprogramming USB peripherals. To turn one device type into another, USB controller chips in peripherals need to be reprogrammed. Very widely spread USB controller chips, including those in thumb drives, have no protection from such reprogramming.BadUSB – Turning devices evil. Once reprogrammed, benign devices can turn malicious in many ways, including: A device can emulate a keyboard and issue commands on behalf of the logged-in user, for example to exfiltrate files or install malware. Such malware, in turn, can infect the controller chips of other USB devices connected to the computer. The device can also spoof a network card and change the computer’s DNS setting to redirect traffic. A modified thumb drive or external hard disk can – when it detects that the computer is starting up – boot a small virus, which infects the computer’s operating system prior to boot. Quote Link to comment Share on other sites More sharing options...
Guest LilBambi Posted August 1, 2014 Share Posted August 1, 2014 (edited) Yes, that would be true, *if* other firmware were found to have vulnerabilities. In any case, much ado about something that really has been known for some time...... This from IEEE has been published for 9 years- http://ieeexplore.ie...rnumber=1392705 Discussion on Reddit.... http://www.reddit.co.../2c9otm/badusb/ Adam NOTE: Anyone reading the IEEE link; be advised this is a PDF document. Great info for sure. But the information isn't full available until after BlackHat 2014. Mostly speculation until then. Edited August 1, 2014 by LilBambi Quote Link to comment Share on other sites More sharing options...
ross549 Posted August 1, 2014 Share Posted August 1, 2014 Yep, and all this hinges on the ability to compromise the chip. If the chip cannot or is not easily compromised, it's not going to be able to be used in this type of an attack. 1 Quote Link to comment Share on other sites More sharing options...
Guest LilBambi Posted August 1, 2014 Share Posted August 1, 2014 There is still very much up in the air. We need to keep our ears/eyes/minds open. This is not the first time this type of situation with USB devices in general has come up in the past. It may just be another vector of a growing problem. Quote Link to comment Share on other sites More sharing options...
ross549 Posted August 1, 2014 Share Posted August 1, 2014 We must also do our best to not post wild speculation here at Scot's as well. It only adds to the hysteria. Quote Link to comment Share on other sites More sharing options...
Guest LilBambi Posted August 1, 2014 Share Posted August 1, 2014 Also another possibility is that like old BIOS (I mean REALLY OLD BIOS chips) that could not be flashed, there were old USB Flash drives, USB external hard drives and other devices like keyboards and mice, etc. that could not be flashed. But that has almost universally changed. Now all their chipsets can be flashed over the Internet, or the new firmware downloaded and flashed locally on the computer. And not to down play something that could very well be important. We may well have to wait till after the BlackHat 2014 to know for sure. If nothing else, we should all be keeping our eyes open for the BlackHat 2014 conference where we will be given more information. Quote Link to comment Share on other sites More sharing options...
sunrat Posted August 2, 2014 Share Posted August 2, 2014 @Adam thanks for mentioning RubberDucky, I didn't know about them and they sound dangerous. "If it quacks like a keyboard......." Quote Link to comment Share on other sites More sharing options...
securitybreach Posted August 2, 2014 Author Share Posted August 2, 2014 @Adam thanks for mentioning RubberDucky, I didn't know about them and they sound dangerous. "If it quacks like a keyboard......." Nah, it's from the guys/gals at Hak5, They have tons of Linux tutorials and have been around since 2005 or so. http://hak5.org/?s=linux Quote Link to comment Share on other sites More sharing options...
crp Posted August 3, 2014 Share Posted August 3, 2014 #1: this is not new , as was mentioned above. Just go to Hak5 and look for RubberDucky #2: There is no such thing as vulnerability that will affect all USB devices. USB devices are micro-computers, it would be like saying there was a vulnerability that would affect all pc BIOS's. #3: even if the vulnerability is doable on one firmware, you would need someone to do so and then get it plugged into another pc. So , yeah, if a stranger gives you a USB device or you buy a used one you would look up to see if the firmware is the vulnerable one AND if the device has a write enabled ROM. Finally, I do not think it does good to do chicken-little routines on pre publicity on papers for BlackHat conventions. Def-Con? okay, take those a little more seriously, but only a little. Wait for the official release of the materials. (kudos to Adam for "keeping it real") 2 Quote Link to comment Share on other sites More sharing options...
V.T. Eric Layton Posted August 12, 2014 Share Posted August 12, 2014 Here's what Leo has to say... http://askleo.com/is-usb-safe/?awt_l=9kKfx&awt_m=JUpFRDfptJdfbL 1 Quote Link to comment Share on other sites More sharing options...
Cluttermagnet Posted August 13, 2014 Share Posted August 13, 2014 Here's what Leo has to say... http://askleo.com/is...=JUpFRDfptJdfbL Thanks, Eric. Good, short read. A lot of common sense in that article. I sense a coming market opportunity- electronic devices sold as flash drive sanitizers "If a virus was there, we guarantee it ain't after our device is through with it..." You're welcome. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.