USB coding anarchy: Consider all sticks licked

Thumb drives are so inconsistently manufactured it is all but impossible to know if any unit could be reprogrammed to own computers, researcher Karsten Nohl says. The conditions that determined if a unit could be hacked varied not only between vendors but also within product unit lines due to manufacturers buying different …

  1. Voland's right hand

    Whitelisting USBs does not work

    In most cases USB ID is programmable in firmware so by whitelisting you have done little to avoid being hit by a hacked USB implementation. All modern USB storage works without any ID specific quirks so the fake ID peripheral will work and will be able to execute the attack.

    In any case, USB is and will remain a more difficult attack vector compared to other peripherals. It does not have RDMA which was present in Firewire and is back with a vengeance in thunderbolt. With that you can do anything you like to the target without the target being able to mount any defence whatsoever.

    By the way, this article firmly holds the crown for the least readable and worst English grammar on El Reg so far. Granted, it is "before 4th double espresso" time here... Still, I had to re-read some of the sentences more than a couple of times.

  2. MacroRodent

    DVD reborn

    So, back to DVDs for sneakernet file transfers...

    (From article: ""As long as USB controllers are reprogrammable, USB peripherals should be shared with others," the team said." - Surely there is a missing "not" here? Or should we strive to share the fun?).

    1. fearnothing

      Re: DVD reborn

      You are correct - see slide 28 of the presentation the article linked to. I already sent El Reg corrections dept an email.

      IRT to topic: Can this get any more scary for those of us in infosec? I have enough nightmares as it is.

      1. Anonymous Coward

        Re: DVD reborn

        IRT to topic: Can this get any more scary for those of us in infosec? I have enough nightmares as it is.

        time to give up, move to that remote desert island that has no leccy/internet/etc and do nothing with the rest of your life...

        Oh wait, there aren't enough islands to go round.

        Drat.

        1. Brewster's Angle Grinder
          Mushroom

          Re: DVD reborn

          "Oh wait, there aren't enough islands to go round."

          We have nukes. And hazmat suits. What's the problem?

          (Bonus: the EMP should delete all the malware.)

        2. Michael Habel

          Re: DVD reborn

          Oh wait, there aren't enough islands to go round.

          Well you could always take a Page from the Arabs, and build your own Island(s)...

    2. Anonymous Coward

      Re: DVD reborn

      So, back to DVDs for sneakernet file transfers...

      You may be right there, but given the implication that small devices in general may be vulnerable, and the fact that these days DVD drives tend to be external USB, maybe that won't help.

      Back to serial link file transfers for me. Oh bugger - need a USB-Serial adapter!

      1. MacroRodent

        Re: DVD reborn

        "the fact that these days DVD drives tend to be external USB, maybe that won't help."

        It will: I won't be exchanging the DVD drive itself with others. I can keep it under lock & key when not in use.

        1. Anonymous Coward

          Re: DVD reborn

          You assume it isn't ALREADY pwned and can't be pwned through your machine using another exploit (even a zero-day drive-by rootkit you wouldn't be able to see coming).

        2. Tom 13

          Re: It will: I won't be exchanging the DVD drive

          I can't believe so many people keep overlooking the obvious flaw in that statement.

          This isn't just an initial distribution vector. It's also a re-infection vector.

          1. MacroRodent

            Re: It will: I won't be exchanging the DVD drive

            This isn't just an initial distribution vector. It's also a re-infection vector.

            That line of thinking would require stripping out any peripheral with reprogrammable firmware, whether USB-connected or not, which is practically all of them these days!

            Back to MFM disk drives...

  3. Novex

    Couldn't a patch for operating systems have a default check message box come up for the user when a USB device is plugged in, asking them to confirm the type of device (and perhaps its manufacturer and model as well)? Such a check might not prevent every attack, but at least it would give the user a chance to stop any of the more obvious ones (like a memory stick pretending to be a keyboard or network interface, for instance).
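One way to implement the confirm-the-device-type idea above, and the reason the earlier point about spoofable vendor/product IDs does not make it pointless: decide on the interface classes the device actually enumerates, not on its ID. This is an added example, not code from the article, the thread or the research it reports; the descriptor bytes are constructed, and the descriptor layout and class codes are those of the USB 2.0 specification (chapter 9).

```python
# Added example: hold a USB device for confirmation when it exposes interface
# classes a storage stick should not (descriptor bytes below are constructed).
import struct
from typing import NamedTuple

DT_CONFIGURATION, DT_INTERFACE = 0x02, 0x04  # descriptor types, USB 2.0 ch. 9
CLASS_NAMES = {0x02: "CDC (network/serial)", 0x03: "HID (keyboard/mouse)",
               0x08: "Mass storage", 0xE0: "Wireless controller"}
QUIET_CLASSES = {0x08}  # policy: bind these without asking the user

class Interface(NamedTuple):
    number: int
    cls: int
    subclass: int
    protocol: int

def parse_interfaces(config: bytes) -> list:
    """Walk the descriptor chain of a configuration descriptor. Endpoint, HID and
    vendor descriptors are skipped by their own bLength, so no interface hides."""
    if len(config) < 9 or config[1] != DT_CONFIGURATION:
        raise ValueError("not a configuration descriptor")
    total = struct.unpack_from("<H", config, 2)[0]
    if total > len(config):
        raise ValueError("wTotalLength exceeds the bytes supplied")
    found, pos = [], 0
    while pos + 2 <= total:
        length, dtype = config[pos], config[pos + 1]
        if length < 2:  # malformed: refuse rather than loop forever
            raise ValueError("bad descriptor length at offset %d" % pos)
        if dtype == DT_INTERFACE and length >= 9:
            num, _alt, _neps, cls, sub, proto = config[pos + 2:pos + 8]
            found.append(Interface(num, cls, sub, proto))
        pos += length
    return found

def suspicious_interfaces(config: bytes) -> list:
    """Reasons to hold the device for user confirmation before driver binding."""
    return ["interface %d: %s" % (i.number, CLASS_NAMES.get(i.cls, "class 0x%02X" % i.cls))
            for i in parse_interfaces(config) if i.cls not in QUIET_CLASSES]

def make_config(num_ifaces: int, body: bytes) -> bytes:
    """Prepend the 9-byte configuration descriptor, wTotalLength included."""
    return struct.pack("<BBHBBBBB", 9, DT_CONFIGURATION, 9 + len(body),
                       num_ifaces, 1, 0, 0x80, 50) + body

# Constructed: bulk-only mass-storage interface (+2 endpoints) and a HID keyboard
# interface (+HID descriptor, +interrupt endpoint), as a device would present them
MSC_IFACE = bytes.fromhex("090400000208065000" "07058102000200" "07050202000200")
HID_IFACE = bytes.fromhex("090401000103010100" "092111010001223f00" "0705830308000a")
PLAIN_STICK = make_config(1, MSC_IFACE)                      # -> [] (nothing to hold)
STICK_WITH_KEYBOARD = make_config(2, MSC_IFACE + HID_IFACE)  # -> flags interface 1
```

A device that enumerates as plain storage and then behaves as plain storage is not caught by this; the check gives the user the chance described above against the stick that turns up as a keyboard or a network card.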

    1. Neil Barnes

      MS already have this patch...

      Half the time when you plug in an FTDI serial port adaptor, it tells you it's a ballpoint mouse...

      1. Michael Habel

        Re: MS already have this patch...

        Half the time when you plug in an FTDI serial port adaptor, it tells you it's a ballpoint mouse...

        Wait, was that before, or after FTDI wiped the USBID from its Firmware?

  4. Anonymous Coward

    So... let me get this straight. To be safe I need to switch off all my computer stuff and leave it unpowered in the corner? We are all doomed?

    1. Tom 13

      Re: To be safe I need to switch off all my computer stuff

      Yes. But remember, that's essentially how MS originally got NT4 certified as secure.

      1. Sven Coenye

        Re: To be safe I need to switch off all my computer stuff

        That was NT 3.5 SP3. NT4 was not C2 certified, even though MS did its best to make people believe it was.

  5. johnB

    Hidden partitions

    I used a thumb drive for years and then when I plugged it into a Linux box I found a hidden partition with executables (and couldn't access the Windows partition).

    So even after formatting a new drive, I reckon it's not possible to be secure knowing a drive is "clean". And this was from a known brand name, supplying UK gov't.

    All a bit scary.

    1. Kobus Botes
      Thumb Down

      Re: Hidden partitions

      Isn't the hidden partition where the device drivers are stored (that Windows insists on installing every time you plug your USB device into a different slot, until all slots have been utilised)?

      I have found that if you delete the hidden partition on a USB drive, Windows insists on scanning and fixing the "problem" ("Do you want to scan and fix Removable Disk (whatever letter it decided to assign:)? There might be a problem with some files on this device or disc." Yadda yadda...) before you can use it. Skipping it, however, allows you to use the device.

      Most annoying.

      ----------------> Windows, mostly - not your comment. For once I suffered from a surfeit of icons to choose from. Weird.

      1. Michael Habel

        Re: Hidden partitions

        Isn't the hidden partition where the device drivers are stored (that Windows insists on installing every time you plug your USB device into a different slot, until all slots have been utilised)?

        I have found that if you delete the hidden partition on a USB drive, Windows insists on scanning and fixing the "problem" ("Do you want to scan and fix Removable Disk (whatever letter it decided to assign:)? There might be a problem with some files on this device or disc." Yadda yadda...) before you can use it. Skipping it, however, allows you to use the device.

        Most annoying.

        ----------------> Windows, mostly - not your comment. For once I suffered from a surfeit of icons to choose from. Weird.

        Is this really true? It could go a ways to explaining why everything USB (MicroSD, USB thumbdrives) that has ever touched (or has been formatted under) Android/Linux is coming back to Windows 7 x86-64 with this really annoying question. I wonder if this um... Feature was the one responsible for trashing my what was then... a very expensive 32GB MicroSD card...

        Luckily, I was able to get it replaced under warranty. I never knew those things were guaranteed for up to Ten Years though. Since I already had it well over a Year, by then. But, that was pretty much how it all started. So I don't even bother trying to um... "Fix it" anymore. And on those few brief times when I mis-click on it... The actual "Fix" seems to do NOTHING! As the same Error will pop-up again afterwards.

        About the only "Fix" I've found was to reformat said Device under Windows, and only use it on Windows. The Second the Android/ Folder is created on such a Device its like a license to Screen-print that Error Message...

        Now I have something to do on my break!

        thx!

    2. Robin Bradshaw

      Re: Hidden partitions

      JohnB, that is probably a U3 drive; it's like that by design. The manufacturer's website will probably have a U3 removal tool on their support site to turn it into a normal USB drive if you wish to do so.

  6. auburnman
    IT Angle

    Would a WhiteHat attack on the firmware be feasible? Have a background program on your machine attempt to own any USB device inserted, and if it's successful throw up a panic flag, install verified clean firmware and start scanning for hidden partitions.

    1. Voland's right hand

      No, would not work

      Rule number one of successful exploitation of vulnerabilities - immediately patch the hole you used to get through so that the next attacker cannot get through.

      So the fact that the USB does not seem vulnerable means nothing - it may have hacked firmware already which closes the original exploit hole.

  7. Missing Semicolon
    Unhappy

    Bring back DVDRam

    It was going to be the "new Floppy", but we all got USBified, and so nobody uses it.

    The media never really got cheap enough.

    1. Anonymous Coward

      Re: Bring back DVDRam

      Plus there was the fact miscreants found ways to turn burned discs into infection vectors. I recall they were even working on ways that didn't rely on automatic mounting behaviour, either.

    2. Tom 13

      Re: Bring back DVDRam

      Time to face sad facts. These days the memory, video card (assuming you have one), and the processor are about the only things that aren't USB. Even the damn DVD frequently mounts as a USB device.

  8. Christian Berger

    Seriously, where is the problem?

    You need to have access to a USB device in order to re-program it. If you have that you can just as well open it and replace the electronics...

    If your computer is taken over in a way to re-program your USB device... you have probably already lost.

    1. Anonymous Coward

      Re: Seriously, where is the problem?

      I think it's worse than that. If the USB devices are surreptitiously reprogrammed, not even "nuking from orbit" will work. They can re-infect your or any other machine as quickly as you can re-install the OS. It's as bad as a BIOS/EFI malware because it's firmware-based and above the software layer, OS-agnostic, hard to detect once done, and once done basically bulletproof (as the malware will likely close the exploit to prevent its removal).

      So this could potentially be more than Game Over. Unless some sureties are made about USB devices again, it could mean Game Over Forever: a full-on descent into DTA mode.

    2. Michael Wojcik

      Re: Seriously, where is the problem?

      You need to have access to a USB device in order to re-program it. If you have that you can just as well open it and replace the electronics...

      Reprogramming a device is a hell of a lot cheaper than disassembling it and replacing the electronics, so it's a much better attack vector for attackers with a limited budget or other constraints (e.g. the tools they can have on-hand), or for mass attacks.

  9. razorfishsl

    Research...

    In 2007 I visited suppliers in China to speak directly to the manufacturers of the various controller chips...

    I have 'stuff' I was working on from 2008~. In 2011 I dropped an email to members of the security community, who were working on similar concepts.

    My research covered 'anti-forensics', specifically to prevent block 'cloning' of storage devices, also systems for code injection into the data stream being read from the storage partition and systems for hiding encrypted data (all done by controller reprogram).

    I had future plans for when USB allowed a device to be both a master & slave, allowing it to probe external devices connected to hubs and utilize any WIFI adaptors plugged in.

    All this was 'hidden' and non-detectable from outside of the device.

    Some controllers also have a 'Fucked up mode' boot loader where they can page code from the NAND flash in case the masked ROM is bad during production or extra functionality is needed.

    With a multi-gb nand-flash you can build a 'paged' exploit kit, no longer limited to a particular internal code size of the controller chip.

    One of my pets is a 'custom' development kit that 'emulates' the NAND flash chip, allowing rapid development from RAM/disk without having to continually tool about; instead I just replace the 'NAND chip', download an image of the contents of the 'flash' to RAM, then fiddle with the USB stick controller image in RAM in an attached slave computer.

    The greatest 'wet dream' are the Atheros chips... consider all the 'datastream goodness' those reprogrammable chips have access to, plus they have their own handy WIFI which is a total black box to the computer or any computer based 'security' software.

    1. Destroy All Monsters
      Holmes

      Re: Research...

      Please go on....

  10. Michael Habel

    Well look on the bright side...

    If you're FTDI, you can use this Bug (Umm... Feature!) to permanently wipe every Chinese Clone off the face of the World! Bawhahahahah..... Yeah then again... Perhaps not...
