Another Word For It Patrick Durusau on Topic Maps and Semantic Diversity

August 1, 2014

USB Security Fundamentally Broken

Filed under: Cybersecurity,Security — Patrick Durusau @ 3:28 pm

Why the Security of USB Is Fundamentally Broken by Andy Greenberg.

From the post:

Computer users pass around USB sticks like silicon business cards. Although we know they often carry malware infections, we depend on antivirus scans and the occasional reformatting to keep our thumbdrives from becoming the carrier for the next digital epidemic. But the security problems with USB devices run deeper than you think: Their risk isn’t just in what they carry, it’s built into the core of how they work.

That’s the takeaway from findings security researchers Karsten Nohl and Jakob Lell plan to present next week, demonstrating a collection of proof-of-concept malicious software that highlights how the security of USB devices has long been fundamentally broken. The malware they created, called BadUSB, can be installed on a USB device to completely take over a PC, invisibly alter files installed from the memory stick, or even redirect the user’s internet traffic. Because BadUSB resides not in the flash memory storage of USB devices, but in the firmware that controls their basic functions, the attack code can remain hidden long after the contents of the device’s memory would appear to the average user to be deleted. And the two researchers say there’s no easy fix: The kind of compromise they’re demonstrating is nearly impossible to counter without banning the sharing of USB devices or filling your port with superglue.

“These problems can’t be patched,” says Nohl, who will join Lell in presenting the research at the Black Hat security conference in Las Vegas. “We’re exploiting the very way that USB is designed.”

You can get the gist of this new security issue from Andy’s post or pay late registration fees for Black Hat 2014 next week.

I was surprised when I learned a sneaker net using a USB device was part of the reason for the Snowden leaks. I was assuming that NSA computers had no USB ports and/or would have them glued up. Apparently not.

Are you going to send the NSA a note about this latest USB issue or should I?

PS: Aside from possible new USB designs, the upside of this issue may be a discussion of how much security do you want at what price? No system is “secure,” but rather “relatively secure under the following assumptions…”


Update:

Proof of concept: srlabs.de/badusb

Slides Leaves enough unspecified to make this a great semester project.

Video of BlackHat presentation.

No Comments

No comments yet.

RSS feed for comments on this post.

Sorry, the comment form is closed at this time.

Powered by WordPress