Yet Another "People Plug In Strange USB Sticks" Story

Bruce Schneier's blog has a bit about a subject that gets my blood boiling too. He says "I'm really getting tired of stories like this: Computer disks and USB sticks were dropped in parking lots of government buildings and private contractors, and 60% of the people who picked them up plugged the devices into office computers... People get USB sticks all the time. The problem isn't that people are idiots... The problem is that the OS trusts random USB sticks."

Re:Windows

[fuzzyfuzzyfungus]

Unfortunately, while this does preclude the lowest form of hackers, the ones with firmware-level access can still do their thing...

The most famous example are those fuckers at U3 [wikipedia.org]. In order to allow the delight of having an autorunning launcher pop up and annoy you every time you pop a flash drive in, they produced a little firmware modification that causes the flash drive to show up as a composite device containing one flash drive, and one CD-ROM. Since autoplay is generally still enabled on CDs, the CD contained the payload that executed the launcher.

They, as a commercial venture, weren't truly bent on malware-style evil; but they provide a good example of how it could be done.

No, that's a job for the police!

[Anonymous Coward]

It's not safe to stop for random strangers on the highway. That is a job for the police. My sister was robbed, raped, and then murdered by two men who were faking a flat tire. They did the same thing to a dozen other people before they got the wrong person and were shot by a passerby with a hunting rifle.
So when you see a car on the side, DON'T STOP, just CALL THE POLICE. They can deal with it.

My sister had no idea there was a second man hiding in the back seat, and just wanted to be nice. She paid for this mistake with her life. That's fact. Nobody can afford to be nice anymore. The world has changed. If you are nice, you will be taken advantage of by those who aren't. Be nice at your own risk.

Wanting to stay alive does not make me an evil person. People who are nice are killed. If you want to survive, you need to learn to TRUST NOBODY, EVER.

Re:hrmmph..

[Shadow99_1]

Yes, it's always because IT 'trusts' the OS... It has nothing what-so-ever to do with management complaining in the 'your about to be fired!' fashion if they can't simply plugin x device at their whim... As an admin my job was to make things as secure as I couldn't, without pissing off the people writing my paycheck. Just as I have to leave the OS to automatically access USB devices, so to the OS must trust these devices because otherwise the people with the money get pissy.

Re:not just autorun!

[DeadCatX2]

Not really.

When you connect a USB device, Windows automatically polls information from the device, called descriptors. This is a process called enumeration. If Windows recognizes the device class (e.g. HID Keyboard), it will automatically install drivers without user intervention. So will Linux and Mac OS; it has to, otherwise when you plug in a keyboard or mouse it wouldn't work until you activated it, and how can you activate a keyboard or mouse without either one?

I'm not sure it's even possible to stop this process. The best you can do is eavesdrop on the data using a USB Sniffer to see what the device is sending for its descriptors, but by the time the sniffer sees the data it's too late.

What's worse is that you can craft special descriptors which can exploit the OS! This is how the PSJailbreak worked.

The only solution I can think of is to use an embedded host to read the descriptors without attaching it to a computer.

Re:not just autorun! (device to filter?)

[linebackn]

Is there any kind of device that can be used to ensure you are only presented with a mass storage drive?

I'm thinking of something like a small adapter where you plug the USB "drive" in one end and the other in to your computer. The device could intercept and reprocess the communication so that anything that is not a standard drive would not get through. That would be nice to have because these days you never know what hardware is really in a seemingly standard looking USB drive. At the rate things are going we might need something like this built in to motherboards.

Also, I actually bought a couple of genuine Sandisk 1gb "U3" flash drives a while back at Microcenter. When inserted on a Windows XP machine it presented itself as both a standard drive AND a CD drive - that autoruns some useless preloaded windows software. (In some work environments just letting it run this hopefully harmless but unauthorized software would be enough to get someone in trouble.) Actually had to download and run a special program just to remove this garbage, and it wipes the flash drive in the process. So yes, even a legitimate commercial flash drive can be hiding stuff.

Re:not just autorun!

[mmcuh]

USB doesn't have a "one device per port" rule. You could plug in an evil USB stick, it could behave just like an ordinary storage device, and then, in the middle of the night (if the computer is still on) it could start up another device, say a "keyboard" which is preprogrammed to send you to a webpage with a known exploit or to run a program in a previously hidden directory that connects to an SSH server and gives whoever is listening at the other side shell access to your computer. This could also be hidden in an USB mouse, or a USB webcam, or absolutely anything USB.

I think I'm getting some ideas for a DIY project...

Re:not just autorun!

[Jarik C-Bol]

no, it did what you said, it faked the uid to be a keyboard, then it, as a keyboard, said: 'windows key, arrow up, enter, ,enter' which then of course launched the default browser and visited a page. same device could in theory be programed to erase your HD from command line if you where logged in as admin and blinked as the device mounted.