Welcome to WebmasterWorld Guest from 54.158.166.6

Forum Moderators: incrediBILL & lawman

Message Too Old, No Replies

All USB devices are 'critically flawed'

   
7:00 pm on Aug 8, 2014 (gmt 0)

WebmasterWorld Senior Member lame_wolf is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month



Berlin-based researchers Karsten Nohl and Jakob Lell demonstrated how any USB device could be used to infect a computer without the user's knowledge.

The duo said there is no practical way to defend against the vulnerability.

[bbc.co.uk...]
7:55 pm on Aug 8, 2014 (gmt 0)

WebmasterWorld Administrator incredibill is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



Sure there's a practical way - you change your USB device drivers to stop doing what they're doing.

This is not a hardware problem, this is a software problem, a simple driver issue.

The fact that you aren't alerted to things auto-running off the USB card is the flaw, if it doesn't, it should ask permission, the AV software should validate the contents of the device.

The same could also be said about CD's, esp. CD-RW's that put auto-run files on them, and floppies, etc.

This isn't rocket science, it's not terribly hard either, but they're flinging the FUD.

Nothing you can do? Not with that stupid attitude.

Crap like this makes me weep for the future.

P.S. My credentials include writing device drivers and I've played with USB stuff, it can all be changed because without software engaging on the computer, there's nothing the USB can do by itself, and that software can be changed.
10:30 pm on Aug 8, 2014 (gmt 0)

WebmasterWorld Senior Member 5+ Year Member



easy......

[labs.bitdefender.com...]
6:52 am on Aug 9, 2014 (gmt 0)

WebmasterWorld Senior Member 5+ Year Member Top Contributors Of The Month



This is NOT auto-run malware, it operates at the firmware level, spoofing different devices during boot (e.g. a fake keyboard that sends input), overwriting the BIOS, and installing a rootkit.

The proof of concept attack can infect a USB stick plugged into a Windows machine and then infect Linux if present at boot.

The best protection for the moment appears to be to not share devices that are present at boot.
10:53 am on Aug 9, 2014 (gmt 0)

WebmasterWorld Senior Member piatkow is a WebmasterWorld Top Contributor of All Time 5+ Year Member




The best protection for the moment appears to be to not share devices that are present at boot.


Which is essentially the computer equivalent of unprotected sex.
8:52 am on Aug 11, 2014 (gmt 0)

WebmasterWorld Senior Member 5+ Year Member Top Contributors Of The Month



Yes, but,

1) they are talking about all kinds of devices, not just USB storage and other obvious threats: printers, mice, ....
2) a reformatted USB stick will still be infected because this resides in the firmware, not the storage.
3) there is a potential threat after boot, but its probably harder to exploit - something like fake keyboard input after boot is likely to be noticed by users... and its effects will be less predicable than at a known point in the boot sequence. A fake USB network card is potentially still nasty though.
10:08 am on Aug 11, 2014 (gmt 0)

WebmasterWorld Administrator engine is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



There are very few occasions i've used a USB device from someone else, and even then, it has to be from a trusted source.

There's nothing wrong with articles such as the one that prompted this thread as it informs users and reminds them of the risks. Most people just don't think about the threat from a usb device, or CD, etc.

I do remember removing a music CD from my computer because some "smart clown" decided to put things on the CD other than just the music. Nothing really nasty, but something persistent - a screen saver. I did not choose that option to install it, it was a self install. I removed the CD and copied the audio onto a new CD and use that instead.
I know that some run a menu without notification when inserting the CD. Bad, bad, bad, imho.

USB devices are probably worse as it's easier for a virus or malware to copy itself to a flash drive or hard drive than to a CD.
3:03 am on Aug 12, 2014 (gmt 0)

WebmasterWorld Administrator incredibill is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



This is NOT auto-run malware, it operates at the firmware level, spoofing different devices during boot (e.g. a fake keyboard that sends input), overwriting the BIOS, and installing a rootkit.


OK, it's STILL auto-running something and it's STILL software on the computer.

The BIOS drives all devices and the BIOS can be fixed, this isn't rocket science.

Even if it was 100% hardware, hardware can be FIXED.

The simplest solution for today would be to build a USB shield device that is a small plug between the computer and all USB ports that disables this vulnerability.
4:27 am on Aug 12, 2014 (gmt 0)

WebmasterWorld Senior Member tangor is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month



I'm with IncrediBILL, kiddies. Managed systems will NOT allow any of this to occur. Truly managed systems will deal with USB in VMs that never see the underlying hardware OR the original OS Start/Run. As a final, I do not accept files, devices (USB or otherwise), or LINKS from any source I do not TRUST (and that is a shared trust using the same protections).

If you have not disabled autorun of ANY KIND or ANY OS, then you're an accident looking for a place to happen.
6:13 am on Aug 12, 2014 (gmt 0)

WebmasterWorld Senior Member 5+ Year Member Top Contributors Of The Month



@engine, it is pretty common practice to share data using USB sticks.

@incrediBill, no, some attacks do not run software on the computer: see the one on page 13 and some others in the slides:

[srlabs.de ]

The same applies to fake keyboard input. The problem is that compromised USB devices can be used to send the computer fake input, misdirect DNS queries (through a fake USB interface) etc.