What Iâd love to see is a SDK for the USB controllers, including source of a ânormalâ USB disk. At least for some more common ones. All sorts of tricks would then be possible, with a microcontroller with a multigigabyte flash attached; the dataloggers alone are a worthy application. Then thereâs the problematics of hidden data storage, hardened against even mid-grade forensics (as long as you donât access the flash directly, and even then that part of data can be encrypted); a hidden disk could be unlocked e.g. by writing a file (which would not actually be written) with a key-string. And lots and lots more of white-to-gray hat possibilities.
The thumbdrives have quite fantastic capabilities and it is a shame they are so underused.
I do not think I like the way you use âunderused.â I suppose you could say the same thing about nuclear weapons - but donât.
Hell, I never even knew there was a processor in there, and what you call âmicrocontrollerâ back in my day would have been called âsupercomputer.â What was wrong with plugging in a couple of wires? Wires will never threaten to stab you and in fact cannot speak.
That means just that you are unaware of the possible applications - for the low, low cost of a mass-produced chip.
Project Plowshare. Things like these will be a must-do for larger-scale planetary engineering on Moon and beyond.
The controllers like this are in next to everything, including SD cards. A rudimentary version is even in the Flash chips themselves. The xD cards have none, though, and are pretty much just a NAND flash with pins broken onto a connector - so the wear-leveling has to be done by the host computer, and there are way too many pins to bother with; silicon is cheaper than connectors these days.
And seeing this world of possibilities locked up and used only by the black hats is making me disappointed.
Electromagnetic emissions, my friend, Van Eck radiation. Wires speak. Wires talk. Wires SCREAM.
So this is basically about those attacks now being cheeper by reusing existing USB devices? I mean, all of this could have obviously been done before by just using a regular micro controller and maybe putting it inside a USB stick caseâŚ
Also, those hacked devices canât really do more than regular USB devices (e.g. hacked phones) were able to do before. Or am I missing something?
basically, a usb thumb driveâs hardware itself can become infected and be a vector of attack without the user ever knowing or any anti-malware software being able to detect it, which is a frightening thought. usb devices are typically trusted and in the case of thumb drives can be plugged into computers at multiple locations work/kinkos/home/friends house/etc making it easy for such an attack to spread and be implemented offsite and transported inside of trusted networks.
this exploit in its current incarnation only affects the one manufacturerâs chipset, it is possible that exploits for other chipsets will also become available.
Iâve been thinking lately about how primitive our computer hardware is compared to biological stuff, but the firmware seems to be getting up to the level of biological viruses. Doing naughty things with the microcontroller in a USB memory device? Sheesh!
No, youâre not missing anything. This is a massively over-sensationalised non-story.
USB devices can do what ever a USB device does; hardly news. The news is that there are more devices with the facility for the firmware to be reprogrammed than a lot of people expected, but that doesnât actually change much.
A great deal of the stuff in the article is pure bullshit. Eg: âTo prevent USB devicesâ firmware from being rewritten, their security architecture would need to be fundamentally redesigned, he arguedâ. Well, if he really argued that and itâs not just terrible reporting, heâs either a liar or an idiot.
Of course, itâs impossible that you donât understand the extent and implications of the problem, eh?
Just break out a firmware_reflash_enable# signal out to a pin, with internal pull-up. By grounding the pin in the factory, the chip can be flashed. This would prevent hostile reflashing without the ownerâs consent (e.g. by an infected computer), and would not prevent the owner from modding the thing (as he can easily split open the case and attach a wire) or a data rescue service from putting in an alternative firmware for dumping the raw NAND or other recovery assistance.
Voila, problem solved and nobody is harmed in progressâŚ
So this may be a dumb question asked out of complete ignorance of the factors involved, but:
If the USBâs memory is rewritable for bad uses in this way, couldnât an external means be devised to just have the host computer just automatically rewrite it to something harmless every time the drive is used?
A USB peripheral thatâs been reprogrammed canât possibly do anything that a purpose-designed USB peripheral canât. That shouldnât need stating.
Has the disadvantage of being visible to physical examination (e.g. comparison of xray with known-good one). Otherwise true. Not just cheaper but also more elegant and you have the hardware already mass-produced.
Youâre again right.
There is a possibility that this could spread around as a âflash virusâ, though. An infected computer waits for a USB mass storage controller of a certain type. If it is plugged in, its firmware gets modified and hostile code is inserted. The code then can under certain circumstances (e.g. code injection into stored .exe files?) infect other machines. Kind of like the old boot-viruses spread during the floppy timesâŚ
Ok, people cleverer than me:
Is this something I, as an ordinary punter, need to be alarmed about?
My guess is ânot yetâ, or at least ânot much yetâ. The future may prove me wrong, though.
This is however a pretty interesting attack mode for special cases, e.g. networks disconnected from the Big Bad Internet. But that can be achieved even by âconventionalâ infecting of USB disks âlostâ in convenient places (facility parking lot, for example); an autorun.inf combined with infected .exe or exploit-laden .pdf, sprinkled with userâs curiosity, can do wonders. Itâs being said that the Natanz complex was breached in a way like this.
Not practically. This kind of attack on the peripheral relies on reverse-engineering (or learning via some other means) the protocol that the device uses to make a firmware update, since the procedure is non-standardised and undocumented. Once youâve done that, youâd need to write a custom firmware image that does what you want, which is going to be a major undertaking unless youâve persuaded the manufacturer to give you the factory firmware image. Essentially, youâd need to duplicate the work of anyone devising malware, so youâd always be a step behind.
Even then, depending on the device thereâs a good chance that the firmware update progress is mediated by software on the embedded microcontroller, so the malware could plausibly be programmed to silently ignore firmware update requests.
Interesting. Iâve always thought of USB sticks as disposable. Specially the ones you carry to Kinko and other public places.
Nothing. People are panicking over this like if it was another âDeadly Y2K BUGâ (read: not deadly)
âAlarmedâ, no. âAwareâ, yes.
Most people by now should be at least cynical enough not to run programs they find on some random USB stick thatâs left lying around. This kind of firmware hack extends that such that, in principle, it could be possible to make the firmware insert malware in files that are saved at a later date, even if the device has been reformatted. Alternatively, you could (for example) have a USB network device that copies the data sent over it to some other destination - though practically everything important will be encrypted anyway since people want to be able to use untrusted networks all the time - or subtly alters the data itâs sending to you.
Code canât run itself; somehow the user or the userâs existing software needs to be tricked into running it. Practically speaking this means the device needs to inject it into something the user would run anyway, or into something file that the user would open if you could combine it with some other privilege escalation bug (unless the user is happy to run any old thing they see, in which case you donât need to go to all this effort). Thatâs why Iâm focussing on mass storage or network devices, though itâs not going to be specific to them - MTP devices spring to mind.
The ability to replace a deviceâs firmware with something nefarious isnât specific to USB - the same applies to almost all devices: hard drives, SSDs, network interface devices, GPUs, modems, etc. In fact, USB is safer than most of those because USB devices canât initiate DMA transfers, whereas all those other things (plus, notably, Firewire peripherals) can - meaning that they can potentially read and write arbitrary memory on your computer (Firewire has been actively exploited in this way).
There are basically two factors that make this slightly more notable:
-
One is that people are a lot more likely to plug a random USB device in to their computer than a random hard drive, say, and to move them between machines, theoretically making malware more transmissible, though that also means itâs much more likely to be detected.
-
The second is that people tend to consider the risk level of a USB device according to what the device looks like it can do, which is not necessarily the same as what it actually can do. In actuality, if thereâs any USB device that can perform a function, then thereâs nothing stopping some other USB device from being able to perform that function.
In practice though, this is fairly unlikely to be a major issue. If you plug in a USB stick and it pops up as a keyboard, that would look pretty sus. Similarly if you plug in a USB keyboard and it pops up as a mass storage device, and Windows (or whatever) asks you if youâd like to open the files on it, youâre probably likely to wonder whatâs going on.
Overall, the risk from any of these kind of attacks is extremely low, rising to merely very low if you have reason to believe youâre being personally targetted. There are far simpler avenues of attack to worry about long before this is really even on the radar.
Donât plug in a Firewire device though. Those things really do need to be âfundamentally redesignedâ, or at least completely isolated as a matter of course with an IOMMU, which probably the majority of even new CPUs donât have.
Is this how bluetooth reaches is apogee?
