Welcome to WebmasterWorld Guest from 54.242.9.97

Forum Moderators: incrediBILL & lawman

Message Too Old, No Replies

All USB devices are 'critically flawed'

     
7:00 pm on Aug 8, 2014 (gmt 0)

Senior Member

WebmasterWorld Senior Member lame_wolf is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Dec 30, 2006
posts:3224
votes: 9


Berlin-based researchers Karsten Nohl and Jakob Lell demonstrated how any USB device could be used to infect a computer without the user's knowledge.

The duo said there is no practical way to defend against the vulnerability.

[bbc.co.uk...]
7:55 pm on Aug 8, 2014 (gmt 0)

Administrator from US 

WebmasterWorld Administrator incredibill is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Jan 25, 2005
posts:14650
votes: 94


Sure there's a practical way - you change your USB device drivers to stop doing what they're doing.

This is not a hardware problem, this is a software problem, a simple driver issue.

The fact that you aren't alerted to things auto-running off the USB card is the flaw, if it doesn't, it should ask permission, the AV software should validate the contents of the device.

The same could also be said about CD's, esp. CD-RW's that put auto-run files on them, and floppies, etc.

This isn't rocket science, it's not terribly hard either, but they're flinging the FUD.

Nothing you can do? Not with that stupid attitude.

Crap like this makes me weep for the future.

P.S. My credentials include writing device drivers and I've played with USB stuff, it can all be changed because without software engaging on the computer, there's nothing the USB can do by itself, and that software can be changed.
10:30 pm on Aug 8, 2014 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Jan 30, 2006
posts:1661
votes: 10


easy......

[labs.bitdefender.com...]
6:52 am on Aug 9, 2014 (gmt 0)

Senior Member from LK 

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Nov 16, 2005
posts:2522
votes: 36


This is NOT auto-run malware, it operates at the firmware level, spoofing different devices during boot (e.g. a fake keyboard that sends input), overwriting the BIOS, and installing a rootkit.

The proof of concept attack can infect a USB stick plugged into a Windows machine and then infect Linux if present at boot.

The best protection for the moment appears to be to not share devices that are present at boot.
10:53 am on Aug 9, 2014 (gmt 0)

Senior Member from GB 

WebmasterWorld Senior Member piatkow is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Apr 5, 2006
posts:3335
votes: 24



The best protection for the moment appears to be to not share devices that are present at boot.


Which is essentially the computer equivalent of unprotected sex.
8:52 am on Aug 11, 2014 (gmt 0)

Senior Member from LK 

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Nov 16, 2005
posts:2522
votes: 36


Yes, but,

1) they are talking about all kinds of devices, not just USB storage and other obvious threats: printers, mice, ....
2) a reformatted USB stick will still be infected because this resides in the firmware, not the storage.
3) there is a potential threat after boot, but its probably harder to exploit - something like fake keyboard input after boot is likely to be noticed by users... and its effects will be less predicable than at a known point in the boot sequence. A fake USB network card is potentially still nasty though.
10:08 am on Aug 11, 2014 (gmt 0)

Administrator from GB 

WebmasterWorld Administrator engine is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:May 9, 2000
posts:23241
votes: 357


There are very few occasions i've used a USB device from someone else, and even then, it has to be from a trusted source.

There's nothing wrong with articles such as the one that prompted this thread as it informs users and reminds them of the risks. Most people just don't think about the threat from a usb device, or CD, etc.

I do remember removing a music CD from my computer because some "smart clown" decided to put things on the CD other than just the music. Nothing really nasty, but something persistent - a screen saver. I did not choose that option to install it, it was a self install. I removed the CD and copied the audio onto a new CD and use that instead.
I know that some run a menu without notification when inserting the CD. Bad, bad, bad, imho.

USB devices are probably worse as it's easier for a virus or malware to copy itself to a flash drive or hard drive than to a CD.
3:03 am on Aug 12, 2014 (gmt 0)

Administrator from US 

WebmasterWorld Administrator incredibill is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Jan 25, 2005
posts:14650
votes: 94


This is NOT auto-run malware, it operates at the firmware level, spoofing different devices during boot (e.g. a fake keyboard that sends input), overwriting the BIOS, and installing a rootkit.


OK, it's STILL auto-running something and it's STILL software on the computer.

The BIOS drives all devices and the BIOS can be fixed, this isn't rocket science.

Even if it was 100% hardware, hardware can be FIXED.

The simplest solution for today would be to build a USB shield device that is a small plug between the computer and all USB ports that disables this vulnerability.
4:27 am on Aug 12, 2014 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member tangor is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Nov 29, 2005
posts:6968
votes: 389


I'm with IncrediBILL, kiddies. Managed systems will NOT allow any of this to occur. Truly managed systems will deal with USB in VMs that never see the underlying hardware OR the original OS Start/Run. As a final, I do not accept files, devices (USB or otherwise), or LINKS from any source I do not TRUST (and that is a shared trust using the same protections).

If you have not disabled autorun of ANY KIND or ANY OS, then you're an accident looking for a place to happen.
6:13 am on Aug 12, 2014 (gmt 0)

Senior Member from LK 

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Nov 16, 2005
posts:2522
votes: 36


@engine, it is pretty common practice to share data using USB sticks.

@incrediBill, no, some attacks do not run software on the computer: see the one on page 13 and some others in the slides:

[srlabs.de ]

The same applies to fake keyboard input. The problem is that compromised USB devices can be used to send the computer fake input, misdirect DNS queries (through a fake USB interface) etc.
 

Join The Conversation

Moderators and Top Contributors

Hot Threads This Week

Featured Threads

Free SEO Tools

Hire Expert Members