Olympus-OM

Re: [OM] The scariest computer security problem I've ever seen

Subject: Re: [OM] The scariest computer security problem I've ever seen
From: Scott Gomez <sgomez.baja@xxxxxxxxx>
Date: Sun, 5 Oct 2014 19:30:58 -0700
That was a nice write-up on the issue, Chuck. Thanks for saving me the
trouble for the list :-) (it was on my list of things to do this week).

I had not been aware that USB controllers are vulnerable (in the sense of
the machine's controller, or the controller embedded in phones) only the
on-board controller of USB sticks, from what I had read. I'll have to watch
the video and see what else can be gleaned that I may have missed.

And now, having watched it, I agree with the conclusion of the presenters:
the only way to prevent this is to provide a hardware fuse that is opened
in manufacturing, before the device is shipped, to prevent reprogramming.
Of course, that simply shifts the burden of security to the manufacturers...

On Sun, Oct 5, 2014 at 5:30 PM, Jim Nichols <jhnichols@xxxxxxxxxxxxx> wrote:

> Thanks, Chuck.  Sounds like we must practice safe sex with USB devices of
> dubious origins.
>
> Jim Nichols
> Tullahoma, TN USA
>
>
> On 10/5/2014 8:46 AM, Chuck Norcutt wrote:
>
>> Watch this from the Blackhat conference
>> <https://www.youtube.com/watch?v=nuruzFqMgIw>
>>
>> The full video is 44 minutes long but you can get much of the gist within
>> the first 15 minutes.  The problem described is called "BadUSB".
>>
>> As it turns out all USB devices (including USB 3.0) contain a
>> microprocessor and *rewritable* memory whose control program contents
>> define the character of a particular type of USB device. But, as part of
>> the USB standard a particular device is allowed to change its device type
>> or even be more than one type of device.
>>
>> If a USB device is inserted into a computer infected with appropriate
>> exploit code that device may be surreptitiously reprogrammed by inserting
>> new code into unused memory areas on the USB device's memory chip.  Then,
>> this second bit of exploit code now exists within the memory of the USB
>> device as additional code.  If the USB device was a flash drive, inserting
>> it into a second computer will visibly detect nothing but the original
>> flash drive behaviour.  However, the hidden exploit code may have first
>> identified itself as a USB boot device and taken over the initial booting
>> of the computer ahead of the operating system and installed itself by
>> taking over the boot record of the computer boot drive.  It can also
>> describe itself as a keyboard and type whatever it wants or capture all
>> your keystrokes.  It can even describe itself as a network card and
>> capture your network traffic.  The scenarios are endless... consider that
>> someone asks you if they can charge their Android phone (with USB) on your
>> computer's USB port.  The USB controller on the phone may be infected and
>> infect your computer. As they say on their video, the authors have so far
>> only scratched the surface of what may be possible.
>>
>> The really serious problem with the USB device as the attack vector is
>> that it cannot be detected in any conventional way.  The malware exists in
>> the microcode of the USB device.  Today there is no software that reads and
>> verifies that code nor, if there was, could it even be enabled if the
>> malware takes over booting of the machine.
>>
>> ps:  This has nothing to do with Windows, iOS or Linux or any other
>> operating system.  The infection is in the hardware and all are
>> vulnerable.  Sorry to ruin your day (as it has mine) but we should all be
>> aware of what's possible.
>>
>> Chuck Norcutt
>>
>
> --
> _________________________________________________________________
> Options: http://lists.thomasclausen.net/mailman/listinfo/olympus
> Archives: http://lists.thomasclausen.net/mailman/private/olympus/
> Themed Olympus Photo Exhibition: http://www.tope.nl/
>
>
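
Added example, not part of the original messages: the thread notes that one USB device may declare more than one device type (flash drive plus keyboard or network card). The sketch below walks a raw USB configuration descriptor and reports when a mass-storage device also declares an input or network interface. The two descriptor byte strings are constructed samples and the function names are hypothetical; the check sees only what a device declares at enumeration, not its firmware, and legitimate composite devices exist.

```python
import struct

# Standard USB interface class codes of interest here.
CLASS_NAMES = {0x02: "communications (CDC)", 0x03: "HID (keyboard/mouse)",
               0x08: "mass storage", 0x0A: "CDC data", 0xE0: "wireless controller"}
INPUT_OR_NETWORK = {0x02, 0x03, 0x0A, 0xE0}

def interface_classes(config: bytes):
    """Return (class, subclass, protocol) for each interface descriptor."""
    if len(config) < 9 or config[1] != 0x02:
        raise ValueError("not a configuration descriptor")
    total = struct.unpack_from("<H", config, 2)[0]   # wTotalLength
    if total > len(config):
        raise ValueError("descriptor is truncated")
    found, pos = [], 0
    while pos + 2 <= total:
        length, dtype = config[pos], config[pos + 1]
        if length < 2 or pos + length > total:
            raise ValueError("malformed descriptor at offset %d" % pos)
        if dtype == 0x04 and length >= 9:            # interface descriptor
            found.append(tuple(config[pos + 5:pos + 8]))
        pos += length
    return found

def audit(config: bytes):
    """List extra input/network roles declared by a mass-storage device."""
    classes = {c for c, _, _ in interface_classes(config)}
    if 0x08 not in classes:
        return []
    return ["storage device also declares " + CLASS_NAMES[c]
            for c in sorted(classes & INPUT_OR_NETWORK)]

# Constructed sample: a flash drive with a single mass-storage interface.
PLAIN_DRIVE = bytes.fromhex(
    "090220000101008032" "090400000208065000"
    "07058102000200" "07050202000200")

# Constructed sample: the same drive plus a boot-protocol keyboard interface.
COMPOSITE = bytes.fromhex(
    "090239000201008032" "090400000208065000"
    "07058102000200" "07050202000200"
    "090401000103010100" "092111010001223f00" "0705830308000a")

if __name__ == "__main__":
    for name, blob in (("plain", PLAIN_DRIVE), ("composite", COMPOSITE)):
        print(name, interface_classes(blob), audit(blob))
```
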