Why the Security of USB Is Fundamentally Broken | Threat Level | WIRED

Computer users pass around USB sticks like silicon business cards. The WIRED article Why the Security of USB Is Fundamentally Broken (http://www.wired.com/2014/07/usb-security/) points out that we typically depend on antivirus scans and the occasional reformatting to keep our thumb drives from becoming the carrier for the next digital epidemic. But the security problems with USB devices run deeper than you think: their risk isn’t just in what they carry, it’s built into the core of how they work. The security of USB devices has long been fundamentally broken: USB firmware (which exists in varying forms in all USB devices) can be reprogrammed to hide attack code, and such a USB device can completely take over a PC. On many USB devices that firmware can in turn be reprogrammed by malware on the PC, converting an innocent device into an attack tool. All this is nearly impossible to counter without banning the sharing of USB devices or filling your ports with superglue. The short-term solution to BadUSB isn’t a technical patch so much as a fundamental change in how we use USB gadgets.


65 Comments

  1. Tomi Engdahl says:

    Malduino Elite – First Impressions
    http://hackaday.com/2017/05/31/malduino-elite/

    A while back, I wrote an article about Malduino, an Arduino-based, open-source BadUSB device. I found the project interesting so I signed up for an Elite version and sure enough, the friendly postman dropped it off in my mail box last Friday, which means I got to play around with it over the weekend. For those who missed the article, Malduino is USB device which is able to emulate a keyboard and inject keystrokes, among other things. When in a proper casing, it will just look like a USB flash drive. It’s like those things you see in the movies where a guy plugs in a device and it auto hacks the computer. It ships in two versions, Lite and Elite, both based on the ATmega32U4.

    The Lite version is really small, besides the USB connector it only contains a switch, which allows the user to choose between running and programming mode, and a LED, which indicates when the script has finished running.

    MalDuino — Open Source BadUSB
    http://hackaday.com/2017/01/24/malduino-open-source-badusb/

    Reply
  2. Tomi Engdahl says:

    How to use Linux’s built-in USB attack protection
    Worried over malicious USB sticks? Linux has you covered with USBGuard.
    http://www.zdnet.com/article/how-to-use-linuxs-built-in-usb-attack-protection/

    There are USB sticks that will destroy your computer, USB sticks loaded with spyware, and even official enterprise USB sticks infected with malware. Last, but never least, when it comes to stealing data from a computer, you can’t beat a USB stick. There are devices like the USG USB stick firewall, which can protect you, or if you’re a Linux user, you can always stop attackers armed with USB sticks with USBGuard.

    In the real world, Linux-based USB distributions such as live-boot Tails make this easy. USBGuard can stop any such attack.

    USBGuard, as current stable Linux kernel maintainer Greg Kroah-Hartman recently pointed out, has been around for over a decade. For some reason, this user-space tool, which provides access control to USB devices, is not well known. It should be. It’s a great addition to anyone needing to protect a Linux desktop or server.

    This software framework is designed expressly to protect your computer against rogue USB devices by implementing basic whitelisting and blacklisting capabilities based on device attributes. It enables you to lock-down all USB devices from user space.

    USBGuard is not installed by default, to the best of my knowledge, on any major Linux distribution. But you can install USBGuard on any Linux using the source code. It’s also available packaged up for easy deployment for Red Hat Linux family distributions in the Extra Packages for Enterprise Linux (EPEL) repository and in the Ubuntu universe repositories since the release of Ubuntu 16.10.

    Once in place, you control USBGuard by the settings in its usbguard-daemon.conf file: The USBGuard daemon configuration file. When set up, the USBGuard daemon scans each USB device or hub as it’s inserted into the system. The daemon then scans the existing rules sequentially, and when a matching rule is found, it either authorizes (allows), de-authorizes (blocks), or removes (rejects) the device.

    Reply
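As an added example (not from the ZDNet article or the USBGuard project's own documentation), a minimal usbguard-daemon.conf and rules.conf that implement the whitelisting described in the comment above: rules are evaluated top to bottom, the first match decides allow/block/reject, and anything unmatched falls to ImplicitPolicyTarget. The vendor:product id and serial are constructed placeholders.

```conf
# --- /etc/usbguard/usbguard-daemon.conf (the keys that matter for the policy) ---
RuleFile=/etc/usbguard/rules.conf
# Devices that match no rule are blocked rather than allowed
ImplicitPolicyTarget=block
# Apply the rules to devices already present at daemon start and to new insertions
PresentDevicePolicy=apply-policy
InsertedDevicePolicy=apply-policy

# --- /etc/usbguard/rules.conf (evaluated in order; first matching rule decides) ---
# Hubs (class 09) must be allowed, or nothing behind them can be evaluated at all
allow with-interface equals { 09:00:00 }
# One known keyboard, pinned by vendor:product id and serial (constructed placeholder
# values; take the real ones from `usbguard list-devices`). A device that spoofs both
# would still pass, so pin a hash as well where the device has a stable one.
allow id 1234:5678 serial "KBD-SERIAL-PLACEHOLDER" with-interface one-of { 03:*:* }
# Reject (remove) anything that presents mass storage and a HID interface at once:
# the classic BadUSB shape of a "flash drive" that also types
reject with-interface all-of { 08:*:* 03:*:* }
# Block (deauthorize) every other keyboard or mouse that was not pinned above
block with-interface one-of { 03:*:* }
# Plain mass storage stays allowed; drop this line to block unknown sticks as well
allow with-interface equals { 08:06:50 }
```

A starting whitelist for the devices already plugged in can be generated with `usbguard generate-policy > /etc/usbguard/rules.conf` and then trimmed to the devices that should really be trusted.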
  3. Tomi Engdahl says:

    E-cigarettes can be used to hack computers
    https://www.techworm.net/2017/06/e-cigarettes-can-used-hack-computers.html

    To explain this, security researcher Ross Bevington showcased a presentation at BSides London that revealed how an e-cigarette could be used to attack a computer either by interfering with its network traffic or by deceiving the computer to make it believe that it was a keyboard.

    Many e-cigarettes can be charged over USB

    “PoisonTap is a very similar style of attack that will even work on locked machines,” Mr Bevington told Sky News.

    Another hacker and security expert, who goes by the name FourOctets on Twitter, published a proof-of-concept video demonstrating his work, wherein he plugs an e-cigarette into a computer’s USB port. The computer lights up as it normally does when an e-cigarette starts charging. However, after a few seconds, a message pops up on the computer screen.

    Reply
  4. Tomi Engdahl says:

    Injecting Code Into Mouse Firmware Should Be Your Next Hack
    http://hackaday.com/2017/07/29/injecting-code-into-mouse-firmware-should-be-your-next-hack/

    Here’s a DEF CON talk that uses tools you likely have and it should be your next hacking adventure. In their Saturday morning talk [Mark Williams] and [Rob Stanely] walked through the process of adding their own custom code to a gaming mouse. The process is a crash course in altering a stock firmware binary while still retaining the original functionality.

    The jumping off point for their work is the esports industry. The scope of esporting events has blown up in recent years. The International 2016 tournament drew 17,000 attendees with 5 million watching online. The prize pool of $20 million ($19 million of that crowdfunded through in-game purchases) is a big incentive to gain a competitive edge to win. Contestants are allowed to bring their own peripherals which begs the questions: can you alter a stock gaming mouse to do interesting things?

    The steelseries Sensei mouse was selected for the hack because it has an overpowered microcontroller: the STM32F103CB. With 128 KB of flash the researchers guessed there would be enough extra room for them to add code. STM32 chips are programmed over ST-Link, which is available very inexpensively through the ST Discovery boards.

    Perhaps the biggest leap in this project is that the firmware wasn’t read-protected.

    The injected firmware is designed to enumerate as a USB keyboard, open Notepad, then type out, save, and execute a PowerShell script before throwing back to the stock firmware (ensuring the mouse would still function as a mouse). Basically, this builds a USB Rubber Ducky into stock mouse firmware.

    http://usbrubberducky.com/?_escaped_fragment_=index.md#!index.md

    Reply
  5. Tomi Engdahl says:

    Infosec eggheads rig USB desk lamp to leak passwords via Bluetooth
    Malicious gadgets can snoop on keypresses, other data, through ports, it is claimed
    https://www.theregister.co.uk/2017/08/11/leaky_usb_research/

    Malicious USB gadgets can secretly spy on data flowing in and out of devices plugged into adjacent USB ports, security researchers in Australia have warned.

    For example, keypresses from a USB keyboard could be read by a specially modified thumb drive placed in the next-door port. The spy stick can pick up electrical signals leaking from one port to another; analyzing this leakage opens the door to keylogging attacks in this case.

    It means miscreants can potentially read off sensitive info from a computer if they are able to get a booby-trapped thumb drive or some other evil gadget into a victim’s machine. It’s not a particularly practical or terrifying scenario, but interesting nonetheless – and definitely something to be aware of if you plug your devices into public charging points at, say, airports.

    “Electricity flows like water along pipes – and it can leak out. In our project, we showed that voltage fluctuations of the USB port’s data lines can be monitored from the adjacent ports on the USB hub,” said Dr Yuval Yarom, research associate with the University of Adelaide’s School of Computer Science, on Thursday.

    Reply
  6. Tomi Engdahl says:

    USB Snooping Made Easy: Crosstalk Leakage Attacks on USB Hubs
    https://www.usenix.org/conference/usenixsecurity17/technical-sessions/presentation/su

    The Universal Serial Bus (USB) is the most prominent interface for connecting peripheral devices to computers. USB-connected input devices, such as keyboards, card-swipers and fingerprint readers, often send sensitive information to the computer. As such information is only sent along the communication path from the device to the computer, it was hitherto thought to be protected from potentially compromised devices outside this path.

    We have tested over 50 different computers and external hubs and found that over 90% of them suffer from a crosstalk leakage effect that allows malicious peripheral devices located off the communication path to capture and observe sensitive USB traffic. We also show that in many cases this crosstalk leakage can be observed on the USB power lines, thus defeating a common USB isolation countermeasure of using a charge-only USB cable which physically disconnects the USB data lines.

    Demonstrating the attack’s low costs and ease of concealment, we modify a novelty USB lamp to implement an off-path attack which captures and exfiltrates USB traffic when connected to a vulnerable internal or an external USB hub.

    https://www.usenix.org/system/files/conference/usenixsecurity17/sec17-su.pdf

    Reply
  7. Tomi Engdahl says:

    USB connections exposed as ‘leaky’ and vulnerable
    http://theleadsouthaustralia.com.au/industries/education/usb-connections-exposed-as-leaky-and-vulnerable/

    TESTS on USB connections have shown they are highly susceptible to information “leakage”, making them less secure than previously thought.

    He said USB-connected devices were the most common interface used globally to connect external devices to computers and included keyboards, cardswipers and fingerprint readers, which often sent sensitive information.

    “But our research showed that if a malicious device or one that’s been tampered with is plugged into adjacent ports on the same external or internal USB hub, this sensitive information can be captured. That means keystrokes showing passwords or other private information can be easily stolen,” Dr Yarom said.

    Dr Yarom said this “channel-to-channel crosstalk leakage” was analogous with water leaking from pipes.

    “Electricity flows like water along pipes – and it can leak out,” he says. “In our project, we showed that voltage fluctuations of the USB port’s data lines could be monitored from the adjacent ports on the USB hub.”

    The team used a modified cheap novelty plug-in lamp with a USB connector to “read” every keystroke from the adjacent keyboard USB interface. The data was sent via Bluetooth to another computer.

    Dr Yarom said other research had shown that 75 per cent of USB sticks dropped on the ground were picked up and plugged into a computer. But they could have been tampered with to send a message via Bluetooth or SMS to a computer anywhere in the world.

    He said Bluetooth was a more secure way of transferring information.

    Reply
  8. Tomi Engdahl says:

    Power/Performance Bits: Aug. 22
    USB data leakage; choosing the right battery; rechargeable zinc-air batteries.
    https://semiengineering.com/powerperformance-bits-aug-22/

    Researchers from the University of Adelaide found that USB connections are vulnerable to information leakage. In testing more than 50 different computers and external USB hubs, they found that over 90% of them leaked information to an external USB device.

    “USB-connected devices include keyboards, cardswipers and fingerprint readers which often send sensitive information to the computer,” said Yuval Yarom, Research Associate with the University of Adelaide’s School of Computer Science.

    The team used a modified cheap novelty plug-in lamp with a USB connector to read every key stroke from the adjacent keyboard USB interface. The data was sent via Bluetooth to another computer.

    “It has been thought that because that information is only sent along the direct communication path to the computer, it is protected from potentially compromised devices,” said Yarom. “But our research showed that if a malicious device or one that’s been tampered with is plugged into adjacent ports on the same external or internal USB hub, this sensitive information can be captured. That means keystrokes showing passwords or other private information can be easily stolen.”

    While those aware of security risks are wary of plugging in an unknown USB device, Yarom said other research has shown that if USB sticks are dropped on the ground, 75% of them are picked up and plugged into a computer.

    “The main take-home message is that people should not connect anything to USB unless they can fully trust it,” said Yarom.

    Reply
  9. Tomi Engdahl says:

    Many Vulnerabilities Found in Linux USB Subsystem
    http://www.securityweek.com/many-vulnerabilities-found-linux-usb-subsystem

    A Google researcher has found a significant number of vulnerabilities in the Linux kernel USB subsystem using the Syzkaller fuzzer.

    The fuzzing tool developed by Google helped Andrey Konovalov find tens of bugs, including 22 security flaws that have been assigned CVE identifiers. In an advisory published this week, the expert detailed 14 of the vulnerabilities he discovered.

    The vulnerabilities have been described as use-after-free, general protection fault, out-of-bounds read, and NULL pointer dereference issues that can be exploited to cause a denial-of-service (DoS) condition. The expert said some of the flaws might have a different impact as well, which typically means they could allow arbitrary code execution.

    Konovalov pointed out that an attacker needs to have physical access to the targeted system and connect a malicious USB device in order to exploit the vulnerabilities. Others suggested that an attacker who has remote access to a machine may be able to update the firmware on connected USB drives to plant exploits for these flaws and create malicious devices.

    Fixes for many of the vulnerabilities found by Konovalov are included in Linux kernel versions 4.13.4 and later, but many of the issues remain unpatched.

    Reply
  10. Tomi Engdahl says:

    Experts can hack most CPUs since 2008 over USB by triggering Intel Management Engine flaw
    http://securityaffairs.co/wordpress/65327/hacking/intel-management-engine-flaw-hack.html

    Positive Technologies plans to demonstrate at the next Black Hat conference how to hack over USB into the Intel Management Engine of most CPUs since 2008.

    Experts from Positive Technologies, who in September announced that they had devised a technique to attack the Intel Management Engine, have now provided more details about it and plan to demonstrate the God-mode hack in December 2017.

    Reply
  11. Tomi Engdahl says:

    Don’t worry about those 40 Linux USB security holes. That’s not a typo
    https://www.theregister.co.uk/2017/11/07/linux_usb_security_bugs/

    Move along. Nothing to see here. By the way, try this flash drive in your laptop, ta

    The Linux kernel USB subsystem has more holes than a donut shop. On Monday, Google security researcher Andrey Konovalov disclosed 14 Linux USB flaws found using syzkaller, a kernel fuzzing tool developed by another Google software engineer, Dmitry Vyukov.

    That’s just the tip of the iceberg. In an email to The Register, Konovalov said he asked for CVEs for another seven vulnerabilities on Tuesday, and noted there are something like 40 that have not been fixed or triaged.

    Konovalov downplayed the risk posed by the flaws, based on the fact that physical access is a prerequisite to an attack. In other words, to exploit these vulnerabilities and potentially hijack a machine or infect it with spyware, you have to be able to actually insert a malicious USB gadget into a Linux-powered system.

    Still, there are plenty of these ports around

    Reply
  12. Tomi Engdahl says:

    Apple Patches USB Code Execution Flaw in macOS
    http://www.securityweek.com/apple-patches-usb-code-execution-flaw-macos

    One of the vulnerabilities addressed by Apple in its latest set of security patches for macOS is an arbitrary code execution flaw, which could be exploited via malicious USB devices.

    Discovered by Trend Micro security researchers and reported to Apple in April this year, the issue resides in fsck_msdos, a system tool designed to check for and fix errors in devices formatted with the FAT filesystem.

    The security researchers discovered that because the tool is automatically invoked by macOS when a device using the FAT filesystem (such as a USB disk or an SD card) is inserted, a security bug could allow malicious devices to execute arbitrary code when they are connected to a Mac.

    The vulnerability is created by a memory corruption issue and its exploitation could lead to an attacker taking full control of a vulnerable system, Trend Micro says.

    “We do not believe that this attack has been used in the wild. We strongly recommend that users update their software to address this flaw, as well as the others that were part of this update cycle,” the security researchers note.

    Reply
