
Severe USB Vulnerability

Comments

  • Registered Users, Registered Users 2 Posts: 6,393 ✭✭✭AnCatDubh


    "It’s basically like unprotected sex: If you plug your USB memory stick into another computer, you should then assume that your memory stick is forever compromised." - same story via extreme tech


  • Registered Users, Registered Users 2 Posts: 10,339 ✭✭✭✭LoLth


    hmmm not sure about "your own computer could infect USB firmware" as you surf the web. would separation of User/Root privileges not take care of this? Or can you get firmware level access to a device as a standard user?

    I fully agree that this is a serious issue but, just like the USB autorun infections, this seems like it's more of an issue for OSes (yes, this means Windows primarily) that encourage ease of use by allowing users too many permissions. If anyone knows otherwise I'm happy to be corrected on this.


  • Registered Users, Registered Users 2 Posts: 10,339 ✭✭✭✭LoLth


    future solution: standards to designate "secure" firmware chipsets. Only signed chips are accepted and each device purpose has a signature unique to that particular device, so a USB thumbdrive has a storage signature and cannot be given a keyboard signature without invalidating the firmware/hardware relationship.

    as a happy aside, this unique signature could also aid law enforcement in tracking what systems different USB devices were plugged into. (beyond the current software signature found in windows registry hives).
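
A host-side approximation of the idea in the post above, as an added example that is not part of the thread: pin each approved device to the interface classes it showed when it was approved, and refuse it if it later enumerates anything else, such as a thumb drive that adds a keyboard (HID) interface. The device records, serial numbers and function names are constructed for illustration; the class codes (0x08 mass storage, 0x03 HID) are the standard USB ones.

```python
# Added example: pin a USB device to the interface classes seen when it was approved.
# Device records below are constructed sample data, not captured from real hardware.
from typing import NamedTuple

USB_CLASS_NAMES = {0x03: "HID", 0x08: "mass-storage", 0x09: "hub", 0xE0: "wireless"}

class Device(NamedTuple):
    vid: int
    pid: int
    serial: str
    interfaces: frozenset  # bInterfaceClass values seen at enumeration

def device_key(dev):
    """Identity used for pinning. All three fields are supplied by the device
    itself, so this detects a change of behaviour; it does not authenticate."""
    return (dev.vid, dev.pid, dev.serial)

def evaluate(dev, pinned):
    """Return (verdict, reason) for a newly enumerated device.

    pinned maps device_key -> frozenset of approved interface classes.
    """
    key = device_key(dev)
    if key not in pinned:
        return "block", "unknown device, needs explicit approval"
    extra = dev.interfaces - pinned[key]
    if extra:
        names = ", ".join(USB_CLASS_NAMES.get(c, hex(c)) for c in sorted(extra))
        return "block", f"new interface class since approval: {names}"
    return "allow", "matches pinned interface classes"

# Constructed policy: one thumb drive approved as mass storage only.
PINNED = {(0x1234, 0x5678, "SAMPLE0001"): frozenset({0x08})}

SAMPLES = [
    Device(0x1234, 0x5678, "SAMPLE0001", frozenset({0x08})),        # unchanged drive
    Device(0x1234, 0x5678, "SAMPLE0001", frozenset({0x08, 0x03})),  # same drive, now also HID
    Device(0x1234, 0x9999, "SAMPLE0002", frozenset({0x03})),        # never approved
]

if __name__ == "__main__":
    for d in SAMPLES:
        print(device_key(d), *evaluate(d, PINNED))
```

Because the vendor ID, product ID and serial all come from the device, reprogrammed firmware can copy them; the check only catches a device whose declared function changes, which is the gap the signed-firmware proposal is aimed at.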


  • Registered Users, Registered Users 2 Posts: 4,936 ✭✭✭skimpydoo


    Yeah I read about it here. It may be scaremongering but still worth being prepared for.


  • Registered Users, Registered Users 2 Posts: 1,667 ✭✭✭Impetus




  • Closed Accounts Posts: 1,260 ✭✭✭Rucking_Fetard


    Study: Firmware Plagued By Poor Encryption and Backdoors
    The first large-scale analysis of firmware has revealed poor security practices that could present opportunities for hackers probing the Internet of Things. Researchers with Eurecom, a technology-focused graduate school in France, developed a web crawler that plucked more than 30,000 firmware images from the websites of manufacturers including Siemens, Xerox, Bosch, Philips, D-Link, Samsung, LG and Belkin. In one instance, the researchers found a Linux kernel that was 10 years out of date bundled in a recently released firmware image. They also uncovered 41 digital certificates in firmware that were self-signed and contained a private RSA encryption key and 326 instances of terms that could indicate the presence of a backdoor.


  • Closed Accounts Posts: 1,260 ✭✭✭Rucking_Fetard




  • Registered Users, Registered Users 2 Posts: 4,331 ✭✭✭Keyzer



    Not the same as the two German researchers that presented at BlackHat but similar. Confirmed, it's freely available on GitHub. Playing with it now...

    http://www.welivesecurity.com/2014/10/06/unpatchable-usb-exploit-posted-github/

