"BadUSB" Exploit Makes Devices Turn "Evil"
An anonymous reader writes with a snippet from Ars Technica that should make you (even more) skeptical about plugging in random USB drives, or allowing persons unknown physical access to your computer's USB ports: When creators of the state-sponsored Stuxnet worm used a USB stick to infect air-gapped computers inside Iran's heavily fortified Natanz nuclear facility, trust in the ubiquitous storage medium suffered a devastating blow. Now, white-hat hackers have devised a feat even more seminal—an exploit that transforms keyboards, Web cams, and other types of USB-connected devices into highly programmable attack platforms that can't be detected by today's defenses. Dubbed BadUSB, the hack reprograms embedded firmware to give USB devices new, covert capabilities. In a demonstration scheduled at next week's Black Hat security conference in Las Vegas, a USB drive, for instance, will take on the ability to act as a keyboard that surreptitiously types malicious commands into attached computers. A different drive will similarly be reprogrammed to act as a network card that causes connected computers to connect to malicious sites impersonating Google, Facebook or other trusted destinations. The presenters will demonstrate similar hacks that work against Android phones when attached to targeted computers. They say their technique will work on Web cams, keyboards, and most other types of USB-enabled devices.
USB 4.x to offer signed USB device signatures??? (Score:5, Interesting)
Here comes the digitally signed / encrypted USB dongles for USB 4.x, where every device has a firmware signature encrypted within the device and part of the USB handshake will be to read the entire firmware to re-calc the signature to make sure it matches, with a 3rd comparison via the internet to a USB device registry.
Then the criminals will figure out how to falsify the signature with the bad firmware anyway.
Re:How is this viable as an attack medium? (Score:5, Interesting)
Really? Because the worst I can imagine is the NSA or another spy agency getting a shipment of devices from the manufacturer so that when you get it delivered new and in the box it's already compromised. Your brand new shiny Dell or HP would be compromised from the factory.
Think I've not got enough layers of tinfoil? Google for "Cisco NSA routers".
At this point, if it can be exploited by these clowns, it will be.
Unless, of course, it's law enforcement who have done it.
Re:How is this viable as an attack medium? (Score:5, Interesting)
1. A ton of USB devices are actually implemented as general-purpose components with programmable firmware (attached to whatever support hardware, like a network card or a webcam, is necessary). So they're more common than you think.
2. Smartphones are an excellent reprogrammable USB device that lots of individuals have.
3. This is difficult enough to really engineer well that it is probably a bigger threat as a targeted attack against a big organization for now. Until someone does the engineering to make it easy to deploy widely. Then, it'll be a threat for everyone. Kind of like automated hacking of consumer-grade routers to modify the firmware to participate in an Internet-wide portscan. It's the Metasploit effect: it's not a big problem until someone makes it automated, then it is.
Re:and this is news why? (Score:4, Interesting)
Re:How is this viable as an attack medium? (Score:5, Interesting)
Smartphones are the big problem. People think it is acceptable to just plug them in everywhere to "just charge them".
I can go to a train-station or another reasonable public spot. Look for a power outlet and plug in my "charging station" that turns a smartphone into a malicious device.
This will infect devices from a very diverse group that will travel around and connect their devices to whatever USB-port they can find.
Re:Do I need to be concerned about this? (Score:2, Interesting)
Yes, the "white-hat hackers" are Karsten Nohl and his gang. That's the guy behind the GSM hack. If he wants to know the algorithm that a smart card uses for encryption, he removes layer by layer of the chip and reconstructs the algorithm from the circuits. Nohl does not kid around. If he says it can be hacked, it can.
Re:Do I need to be concerned about this? (Score:4, Interesting)
Depends.
I once worked for a company that wrote web banking software. The laptops/desktops/etc of certain employees had a 'driver' that continually monitored the USB ports. If anything plugged into it that had storage on it but not the proper corporate auth key to connect as an approved storage device? It would automatically send an email to the IT department, immediately shut off the entire USB subsystem in the OS, and it stayed that way until the device was re-imaged (in many cases making the device completely useless). It also got you immediately perp-walked out of the building and freshly unemployed, unless you could immediately give them a reasonable (and provable) explanation as to why it happened.
Now in this case, I suspect that if the bad stick presented itself to the OS as a keyboard/mouse/whatever, it may circumvent that (I say "may" because I don't know if it would be able to dump any non-keyboard/mouse-related data onto the machine w/o presenting itself as storage.)
Either way, if you're that worried about it, then epoxy the USB ports shut (well, except on the phone for obvious reasons...)
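A sketch of the kind of port policy described in the comment above, extended to the keyboard and network-card cases from the summary. This is an added example, not the company's driver or code from the thread. Field names follow Linux sysfs attributes; the allow-lists and every device value are constructed assumptions.

```python
# USB interface class codes (bInterfaceClass) relevant to BadUSB-style devices.
HID, CDC, MASS_STORAGE, CDC_DATA, WIRELESS = 0x03, 0x02, 0x08, 0x0A, 0xE0
NETWORK = {CDC, CDC_DATA, WIRELESS}

# Hypothetical allow-lists keyed by (idVendor, idProduct, serial).
# APPROVED_STORAGE stands in for the "corporate auth key" check.
APPROVED_STORAGE = {("1111", "0001", "CORP-0001")}
APPROVED_HID = {("2222", "0002", "KBD-0001")}


def evaluate(event, seen):
    """Return policy findings for one enumeration event.

    `seen` maps a device identity to the interface classes it exposed the
    last time it was plugged in, so a device that comes back with extra
    classes (a stick that is now also a keyboard) is reported.
    """
    ident = (event["idVendor"], event["idProduct"], event["serial"])
    classes = set(event["bInterfaceClass"])
    findings = []
    if MASS_STORAGE in classes and ident not in APPROVED_STORAGE:
        findings.append("unapproved-storage")
    if HID in classes and ident not in APPROVED_HID:
        findings.append("unregistered-hid")
    if classes & NETWORK:
        findings.append("network-interface")
    if MASS_STORAGE in classes and classes & ({HID} | NETWORK):
        findings.append("storage-plus-input-or-network")
    previous = seen.get(ident)
    if previous is not None and classes - previous:
        findings.append("new-classes-since-last-seen")
    seen[ident] = classes
    return findings


def run(events):
    """Evaluate events in order, carrying device history between them."""
    seen = {}
    return [evaluate(e, seen) for e in events]


def dev(vid, pid, serial, classes):
    return {"idVendor": vid, "idProduct": pid, "serial": serial,
            "bInterfaceClass": classes}


# Constructed enumeration events, in plug-in order.
SAMPLE_EVENTS = [
    dev("1111", "0001", "CORP-0001", [MASS_STORAGE]),       # approved stick
    dev("3333", "0003", "X1", [MASS_STORAGE]),              # unknown stick
    dev("1111", "0001", "CORP-0001", [MASS_STORAGE, HID]),  # stick gains HID
    dev("4444", "0004", "X2", [HID]),                       # keyboard-only
    dev("2222", "0002", "KBD-0001", [HID]),                 # registered kbd
]
```

The fourth event is the case the comment worries about: a monitor that only watches for storage reports nothing, while a check on every interface class still flags it.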