Why the Security of USB Is Fundamentally Broken | Threat Level | WIRED

Computer users pass around USB sticks like silicon business cards. The WIRED article Why the Security of USB Is Fundamentally Broken (http://www.wired.com/2014/07/usb-security/) points out that we typically depend on antivirus scans and the occasional reformatting to keep our thumbdrives from becoming the carrier for the next digital epidemic. But the security problems with USB devices run deeper than you think: their risk isn’t just in what they carry, it’s built into the core of how they work. The security of USB devices has long been fundamentally broken: USB firmware (which exists in varying forms in all USB devices) can be reprogrammed to hide attack code, and a USB device can completely take over a PC. The firmware on many USB devices could be reprogrammed by malware on that PC, converting an innocent device into an attack tool. All this is nearly impossible to counter without banning the sharing of USB devices or filling your port with superglue. The short-term solution to BadUSB isn’t a technical patch so much as a fundamental change in how we use USB gadgets.

 

59 Comments

  1. Tomi Engdahl says:

    Malduino Elite – First Impressions
    http://hackaday.com/2017/05/31/malduino-elite/

    A while back, I wrote an article about Malduino, an Arduino-based, open-source BadUSB device. I found the project interesting so I signed up for an Elite version and sure enough, the friendly postman dropped it off in my mail box last Friday, which means I got to play around with it over the weekend. For those who missed the article, Malduino is a USB device which is able to emulate a keyboard and inject keystrokes, among other things. When in a proper casing, it will just look like a USB flash drive. It’s like those things you see in the movies where a guy plugs in a device and it auto hacks the computer. It ships in two versions, Lite and Elite, both based on the ATmega32U4.

    The Lite version is really small, besides the USB connector it only contains a switch, which allows the user to choose between running and programming mode, and a LED, which indicates when the script has finished running.

    MalDuino — Open Source BadUSB
    http://hackaday.com/2017/01/24/malduino-open-source-badusb/

    Reply
  2. Tomi Engdahl says:

    How to use Linux’s built-in USB attack protection
    Worried over malicious USB sticks? Linux has you covered with USBGuard.
    http://www.zdnet.com/article/how-to-use-linuxs-built-in-usb-attack-protection/

    There are USB sticks that will destroy your computer, USB sticks loaded with spyware, and even official enterprise USB sticks infected with malware. Last, but never least, when it comes to stealing data from a computer, you can’t beat a USB stick. There are devices like the USG USB stick firewall, which can protect you, or if you’re a Linux user, you can always stop attackers armed with USB sticks with USBGuard.

    In the real world, Linux-based USB distributions such as live-boot Tails make this easy. USBGuard can stop any such attack.

    USBGuard, as current stable Linux kernel maintainer Greg Kroah-Hartman recently pointed out, has been around for over a decade. For some reason, this user-space tool, which provides access control to USB devices, is not well known. It should be. It’s a great addition to anyone needing to protect a Linux desktop or server.

    This software framework is designed expressly to protect your computer against rogue USB devices by implementing basic whitelisting and blacklisting capabilities based on device attributes. It enables you to lock-down all USB devices from user space.

    USBGuard is not installed by default, to the best of my knowledge, on any major Linux distribution. But you can install USBGuard on any Linux using the source code. It’s also available packaged up for easy deployment for Red Hat Linux family distributions in the Extra Packages for Enterprise Linux (EPEL) repository and in the Ubuntu universe repositories since the release of Ubuntu 16.10.

    Once in place, you control USBGuard by the settings in its usbguard-daemon.conf file: The USBGuard daemon configuration file. When set up, the USBGuard daemon scans each USB device or hub as it’s inserted into the system. The daemon then scans the existing rules sequentially, and when a matching rule is found, it either authorizes (allows), de-authorizes (blocks), or removes (rejects) the device.

    Reply
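As an added example (not from the ZDNet article or the USBGuard project): a simplified Python model of the sequential, first-match rule evaluation described in the comment above, applied to the keyboard-emulating devices this page discusses. The `Device` and `Rule` classes, the USB IDs and the interface triplets are constructed for illustration, and the matching is a reduced approximation of a device-attribute policy, not USBGuard's implementation.

```python
# Added example: simplified first-match USB authorization model (not USBGuard's code).
from dataclasses import dataclass
from fnmatch import fnmatchcase

@dataclass(frozen=True)
class Device:
    usb_id: str        # "vendor:product" in hex, self-reported by the device
    interfaces: tuple  # "class:subclass:protocol" triplets in hex

@dataclass(frozen=True)
class Rule:
    target: str            # "allow", "block" or "reject"
    usb_id: str = "*:*"
    operator: str = "any"  # "any", "all-of", "one-of" or "equals"
    interfaces: tuple = ()

    def matches(self, dev):
        if not fnmatchcase(dev.usb_id, self.usb_id):
            return False
        if self.operator == "any":
            return True
        present = [any(fnmatchcase(i, p) for i in dev.interfaces) for p in self.interfaces]
        if self.operator == "one-of":
            return any(present)
        if self.operator == "all-of":
            return all(present)
        # "equals": every pattern is present and the device has nothing else
        covered = all(any(fnmatchcase(i, p) for p in self.interfaces) for i in dev.interfaces)
        return all(present) and covered

def evaluate(rules, dev, implicit_target="block"):
    """Return the target of the first matching rule, else the implicit target."""
    for rule in rules:
        if rule.matches(dev):
            return rule.target
    return implicit_target

# Constructed policy; 1234:0001 is a made-up ID standing in for a known keyboard.
POLICY = [
    Rule("allow", usb_id="1234:0001", operator="equals", interfaces=("03:01:01",)),
    Rule("reject", operator="all-of", interfaces=("08:*:*", "03:*:*")),  # storage + HID
    Rule("allow", operator="equals", interfaces=("08:*:*",)),            # storage only
]

# Constructed sample devices.
FLASH_DRIVE = Device("abcd:0010", ("08:06:50",))
STORAGE_PLUS_KEYBOARD = Device("abcd:0011", ("08:06:50", "03:01:01"))
UNKNOWN_KEYBOARD = Device("abcd:0012", ("03:01:01",))
```

Because the vendor and product ID are reported by the device's own firmware, the first rule also pins the exact interface set, so a device that copies the ID but exposes an extra storage interface falls through to the reject rule. A keyboard-only device with an unlisted ID matches no rule and receives the implicit `block` target.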
  3. Tomi Engdahl says:

    E-cigarettes can be used to hack computers
    https://www.techworm.net/2017/06/e-cigarettes-can-used-hack-computers.html

    To explain this, security researcher Ross Bevington showcased a presentation at BSides London that revealed how an e-cigarette could be used to attack a computer either by interfering with its network traffic or by deceiving the computer to make it believe that it was a keyboard.

    Many e-cigarettes can be charged over USB

    “PoisonTap is a very similar style of attack that will even work on locked machines,” Mr Bevington told Sky News.

    Another hacker and security expert, who goes by the name FourOctets on Twitter, published a proof-of-concept video demonstrating his work, wherein he plugs an e-cigarette into a computer’s USB port. The computer lights up as it normally does when an e-cigarette starts charging. However, after a few seconds, a message pops up on the computer screen.

    Reply
  4. Tomi Engdahl says:

    Injecting Code Into Mouse Firmware Should Be Your Next Hack
    http://hackaday.com/2017/07/29/injecting-code-into-mouse-firmware-should-be-your-next-hack/

    Here’s a DEF CON talk that uses tools you likely have and it should be your next hacking adventure. In their Saturday morning talk [Mark Williams] and [Rob Stanely] walked through the process of adding their own custom code to a gaming mouse. The process is a crash course in altering a stock firmware binary while still retaining the original functionality.

    The jumping off point for their work is the esports industry. The scope of esporting events has blown up in recent years. The International 2016 tournament drew 17,000 attendees with 5 million watching online. The prize pool of $20 million ($19 million of that crowdfunded through in-game purchases) is a big incentive to gain a competitive edge to win. Contestants are allowed to bring their own peripherals which begs the question: can you alter a stock gaming mouse to do interesting things?

    The SteelSeries Sensei mouse was selected for the hack because it has an overpowered microcontroller: the STM32F103CB. With 128 KB of flash the researchers guessed there would be enough extra room for them to add code. STM32 chips are programmed over ST-Link, which is available very inexpensively through the ST Discovery boards.

    Perhaps the biggest leap in this project is that the firmware wasn’t read-protected.

    The injected firmware is designed to enumerate as a USB keyboard, open Notepad, then type out, save, and execute a PowerShell script before throwing back to the stock firmware (ensuring the mouse would still function as a mouse). Basically, this builds a USB Rubber Ducky into stock mouse firmware.

    http://usbrubberducky.com/?_escaped_fragment_=index.md#!index.md

    Reply
  5. Tomi Engdahl says:

    Infosec eggheads rig USB desk lamp to leak passwords via Bluetooth
    Malicious gadgets can snoop on keypresses, other data, through ports, it is claimed
    https://www.theregister.co.uk/2017/08/11/leaky_usb_research/

    Malicious USB gadgets can secretly spy on data flowing in and out of devices plugged into adjacent USB ports, security researchers in Australia have warned.

    For example, keypresses from a USB keyboard could be read by a specially modified thumb drive placed in the next-door port. The spy stick can pick up electrical signals leaking from one port to another; analyzing this leakage opens the door to keylogging attacks in this case.

    It means miscreants can potentially read off sensitive info from a computer if they are able to get a booby-trapped thumb drive or some other evil gadget into a victim’s machine. It’s not a particularly practical or terrifying scenario, but interesting nonetheless – and definitely something to be aware of if you plug your devices into public charging points at, say, airports.

    “Electricity flows like water along pipes – and it can leak out. In our project, we showed that voltage fluctuations of the USB port’s data lines can be monitored from the adjacent ports on the USB hub,” said Dr Yuval Yarom, research associate with the University of Adelaide’s School of Computer Science, on Thursday.

    Reply
  6. Tomi Engdahl says:

    USB Snooping Made Easy: Crosstalk Leakage Attacks on USB Hubs
    https://www.usenix.org/conference/usenixsecurity17/technical-sessions/presentation/su

    The Universal Serial Bus (USB) is the most prominent interface for connecting peripheral devices to computers. USB-connected input devices, such as keyboards, card-swipers and fingerprint readers, often send sensitive information to the computer. As such information is only sent along the communication path from the device to the computer, it was hitherto thought to be protected from potentially compromised devices outside this path.

    We have tested over 50 different computers and external hubs and found that over 90% of them suffer from a crosstalk leakage effect that allows malicious peripheral devices located off the communication path to capture and observe sensitive USB traffic. We also show that in many cases this crosstalk leakage can be observed on the USB power lines, thus defeating a common USB isolation countermeasure of using a charge-only USB cable which physically disconnects the USB data lines.

    Demonstrating the attack’s low costs and ease of concealment, we modify a novelty USB lamp to implement an off-path attack which captures and exfiltrates USB traffic when connected to a vulnerable internal or an external USB hub.

    https://www.usenix.org/system/files/conference/usenixsecurity17/sec17-su.pdf

    Reply
  7. Tomi Engdahl says:

    USB connections exposed as ‘leaky’ and vulnerable
    http://theleadsouthaustralia.com.au/industries/education/usb-connections-exposed-as-leaky-and-vulnerable/

    TESTS on USB connections have shown they are highly susceptible to information “leakage”, making them less secure than previously thought.

    He said USB-connected devices were the most common interface used globally to connect external devices to computers and included keyboards, cardswipers and fingerprint readers, which often sent sensitive information.

    “But our research showed that if a malicious device or one that’s been tampered with is plugged into adjacent ports on the same external or internal USB hub, this sensitive information can be captured. That means keystrokes showing passwords or other private information can be easily stolen,” Dr Yarom said.

    Dr Yarom said this “channel-to-channel crosstalk leakage” was analogous with water leaking from pipes.

    “Electricity flows like water along pipes – and it can leak out,” he says. “In our project, we showed that voltage fluctuations of the USB port’s data lines could be monitored from the adjacent ports on the USB hub.”

    The team used a modified cheap novelty plug-in lamp with a USB connector to “read” every keystroke from the adjacent keyboard USB interface. The data was sent via Bluetooth to another computer.

    Dr Yarom said other research had shown that 75 per cent of USB sticks dropped on the ground were picked up and plugged into a computer. But they could have been tampered with to send a message via Bluetooth or SMS to a computer anywhere in the world.

    He said Bluetooth was a more secure way of transferring information.

    Reply
  8. Tomi Engdahl says:

    Power/Performance Bits: Aug. 22
    USB data leakage; choosing the right battery; rechargeable zinc-air batteries.
    https://semiengineering.com/powerperformance-bits-aug-22/

    Researchers from the University of Adelaide found that USB connections are vulnerable to information leakage. In testing more than 50 different computers and external USB hubs, they found that over 90% of them leaked information to an external USB device.

    “USB-connected devices include keyboards, cardswipers and fingerprint readers which often send sensitive information to the computer,” said Yuval Yarom, Research Associate with the University of Adelaide’s School of Computer Science.

    The team used a modified cheap novelty plug-in lamp with a USB connector to read every key stroke from the adjacent keyboard USB interface. The data was sent via Bluetooth to another computer.

    “It has been thought that because that information is only sent along the direct communication path to the computer, it is protected from potentially compromised devices,” said Yarom. “But our research showed that if a malicious device or one that’s been tampered with is plugged into adjacent ports on the same external or internal USB hub, this sensitive information can be captured. That means keystrokes showing passwords or other private information can be easily stolen.”

    While those aware of security risks are wary of plugging in an unknown USB device, Yarom said other research has shown that if USB sticks are dropped on the ground, 75% of them are picked up and plugged into a computer.

    “The main take-home message is that people should not connect anything to USB unless they can fully trust it,” said Yarom.

    Reply
