Saturday, October 4, 2014

The Unpatchable Malware That Infects USBs Is Now on the Loose - Always assume nothing is safe and understand security is a fiction for the average individual....

BADUSB: How Bad?
I wondered how long this would take to come out in the form of a "kit"....
In July, researchers Karsten Nohl and Jakob Lell announced that they'd found a critical security flaw they called BadUSB, allowing attackers to smuggle malware on the devices effectively undetected. Even worse, there didn't seem to be a clear fix for the attack.
That's because there isn't a clean fix. The problem resides in the fact that a USB device can "announce" that it has multiple capabilities, and the machine it is connected to will believe it. Some of those can be input/output devices (like a keyboard) and others can be storage-related.
The HID (input) device vectors are especially bad because today's operating systems won't ask or stop one of these from attaching automatically.  That in turn means that an attacker can "inject" a command exactly as if you typed it.
Now if that same malware can figure out when to send the specific nasty command (specifically, when you just authorized the machine to do something that requires privileges), Bob's Your Uncle (or rather, your computer now belongs to the bad guy!)
This is very hard to stop without changing how we think about USB in general, and human input (like keyboard) devices in particular. Specifically, how do you ask a user if it's ok to use a keyboard without a keyboard? You see the problem with popping up a box asking, right?
Are there ways to address this?  Maybe.  But not using the paradigms we use today for USB.
Is it time to put electrical tape over the USB port? Maybe. It is definitely well past the time when you should allow someone possessing a device you do not explicitly trust to plug into your system -- but that's been true for a very long time.
It's just that now everyone and their brother who wants to screw with you was given the code to do it.
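The "announce" step described above happens in the configuration descriptor a device returns when it is plugged in, and the host binds drivers based on the interface classes listed there. As an added example (not code from this post or from the researchers), the Python below parses such a descriptor and flags a device that declares a keyboard, or storage together with a HID interface; the finding names and the sample descriptor bytes are constructed for illustration.

```python
import struct

DT_CONFIG, DT_INTERFACE = 0x02, 0x04
CLASS_HID, CLASS_STORAGE = 0x03, 0x08
HID_PROTO_KEYBOARD = 0x01

def parse_interfaces(blob: bytes):
    """Return (number, class, subclass, protocol) for each announced interface."""
    if len(blob) < 9 or blob[1] != DT_CONFIG:
        raise ValueError("not a configuration descriptor")
    total = struct.unpack_from("<H", blob, 2)[0]  # wTotalLength
    if total > len(blob):
        raise ValueError("wTotalLength exceeds captured data")
    interfaces, pos = [], 0
    while pos < total:
        if total - pos < 2 or blob[pos] < 2 or pos + blob[pos] > total:
            raise ValueError(f"malformed descriptor at offset {pos}")
        length, dtype = blob[pos], blob[pos + 1]
        if dtype == DT_INTERFACE:
            if length < 9:
                raise ValueError("short interface descriptor")
            num, alt, _eps, cls, sub, proto = struct.unpack_from("6B", blob, pos + 2)
            if alt == 0:  # count each interface once, skip alternate settings
                interfaces.append((num, cls, sub, proto))
        pos += length
    return interfaces

def audit(blob: bytes):
    """Findings a host-side policy could act on before binding drivers."""
    ifaces = parse_interfaces(blob)
    classes = {cls for _, cls, _, _ in ifaces}
    findings = []
    if any(c == CLASS_HID and p == HID_PROTO_KEYBOARD for _, c, _, p in ifaces):
        findings.append("announces-keyboard")
    if CLASS_HID in classes and CLASS_STORAGE in classes:
        findings.append("storage-plus-hid")
    return findings

def build_config(*descriptors: bytes) -> bytes:
    """Build a constructed sample: 9-byte config header plus the given descriptors."""
    body = b"".join(descriptors)
    n_if = sum(1 for d in descriptors if d[1] == DT_INTERFACE)
    return struct.pack("<BBHBBBBB", 9, DT_CONFIG, 9 + len(body), n_if, 1, 0, 0x80, 50) + body

# Constructed: storage interface + 2 bulk endpoints; boot keyboard + HID descriptor + interrupt endpoint.
STORAGE = bytes([9, 4, 0, 0, 2, 0x08, 0x06, 0x50, 0, 7, 5, 0x81, 2, 0, 2, 0, 7, 5, 0x02, 2, 0, 2, 0])
KEYBOARD = bytes([9, 4, 1, 0, 1, 0x03, 0x01, 0x01, 0, 9, 0x21, 0x11, 1, 0, 1, 0x22, 0x3F, 0, 7, 5, 0x83, 3, 8, 0, 10])
PLAIN_STICK = build_config(STORAGE)
COMPOSITE = build_config(STORAGE, KEYBOARD)
```

On Linux the same per-interface values are readable from sysfs (`bInterfaceClass`, `bInterfaceSubClass`, `bInterfaceProtocol` under `/sys/bus/usb/devices/`), so the check does not require capturing raw descriptors.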

Why the Security of USB Is Fundamentally Broken

Photo: Josh Valcarcel/WIRED
Computer users pass around USB sticks like silicon business cards. Although we know they often carry malware infections, we depend on antivirus scans and the occasional reformatting to keep our thumbdrives from becoming the carrier for the next digital epidemic. But the security problems with USB devices run deeper than you think: Their risk isn’t just in what they carry, it’s built into the core of how they work.
That’s the takeaway from findings security researchers Karsten Nohl and Jakob Lell plan to present next week, demonstrating a collection of proof-of-concept malicious software that highlights how the security of USB devices has long been fundamentally broken. The malware they created, called BadUSB, can be installed on a USB device to completely take over a PC, invisibly alter files installed from the memory stick, or even redirect the user’s internet traffic. Because BadUSB resides not in the flash memory storage of USB devices, but in the firmware that controls their basic functions, the attack code can remain hidden long after the contents of the device’s memory would appear to the average user to be deleted. And the two researchers say there’s no easy fix: The kind of compromise they’re demonstrating is nearly impossible to counter without banning the sharing of USB devices or filling your port with superglue.
“These problems can’t be patched,” says Nohl, who will join Lell in presenting the research at the Black Hat security conference in Las Vegas. “We’re exploiting the very way that USB is designed.”

The Unpatchable Malware That Infects USBs Is Now on the Loose

Photo: Alex Washburn/WIRED
It’s been just two months since researcher Karsten Nohl demonstrated an attack he called BadUSB to a standing-room-only crowd at the Black Hat security conference in Las Vegas, showing that it’s possible to corrupt any USB device with insidious, undetectable malware. Given the severity of that security problem—and the lack of any easy patch—Nohl has held back on releasing the code he used to pull off the attack. But at least two of Nohl’s fellow researchers aren’t waiting any longer.
In a talk at the Derbycon hacker conference in Louisville, Kentucky last week, researchers Adam Caudill and Brandon Wilson showed that they’ve reverse engineered the same USB firmware as Nohl’s SR Labs, reproducing some of Nohl’s BadUSB tricks. And unlike Nohl, the hacker pair has also published the code for those attacks on Github, raising the stakes for USB makers to either fix the problem or leave hundreds of millions of users vulnerable.
“The belief we have is that all of this should be public. It shouldn’t be held back. So we’re releasing everything we’ve got,” Caudill told the Derbycon audience on Friday. “This was largely inspired by the fact that [SR Labs] didn’t release their material. If you’re going to prove that there’s a flaw, you need to release the material so people can defend against it.”


Like Nohl, Caudill and Wilson reverse engineered the firmware of USB microcontrollers sold by the Taiwanese firm Phison, one of the world’s top USB makers. Then they reprogrammed that firmware to perform disturbing attacks: In one case, they showed that the infected USB can impersonate a keyboard to type any keystrokes the attacker chooses on the victim’s machine. Because it affects the firmware of the USB’s microcontroller, that attack program would be stored in the rewritable code that controls the USB’s basic functions, not in its flash memory—even deleting the entire contents of its storage wouldn’t catch the malware. Other firmware tricks demonstrated by Caudill and Wilson would hide files in that invisible portion of the code, or silently disable a USB’s security feature that password-protects a certain portion of its memory.
“People look at these things and see them as nothing more than storage devices,” says Caudill. “They don’t realize there’s a reprogrammable computer in their hands.”