Sourcecode for "unpatchable" USB exploit now on Github

Here is the video of the talk given by Nohl and Lell at Black Hat.

You only need to watch from the 0'30" mark to the 2'30" mark.

Yes, what’s your point? That you can’t be bothered to say anything relevant? Why are you still posting here?

It’s obvious that you don’t understand this conversation. Do us a favour and go away.

OK, here it is:
ANYONE - not just those with the capability of manufacturing USB-like hardware - can easily go to GitHub and download the code. And then convert all the USB sticks in your local dollar store to botnet-creating thumbdrives. Or airplane-infecting thumbdrives. And the exploitation is not going to get more difficult, it will only become easier. A significant hurdle to doing this, the hardware manufacturing, has been eliminated.

Relevant enough?

I don’t know about you, but I do field service on kiosks that have USB ports for the public’s use. I’m quite sure that my workload is going to increase in the next months, a lot.

And finally, right back to the start. That’s already anyone. Making USB devices is piss-easy. That’s what sjm meant by “all of this could have obviously been done before by just using a regular micro controller and maybe putting it inside a USB stick case”. These things are readily available off the shelf for peanuts, and have been for years, and they’re really easy to program - much easier than messing about trying to reprogram an existing device.

This isn’t magic. It doesn’t grant any extra capabilities, and if you’re allowing members of the public unsupervised use of a general-purpose computer your exposure is not increased in any way. There is nothing new here at all except the potential for camouflage. The only way this could increase your workload is if you’re allowing semi-supervised use of your machines, where you visually check everything that’s plugged into it, but then allow the user to do whatever they like while logged in as an administrator.

If you can break beyond the in-flight entertainment system, the plane has bigger problems to start with.

Minor discomfort. People who can handle code so close to “the iron” usually know which end of the soldering iron is hot. And slapping a chip onto a circuit board is Not That Difficult.

Shutdown at 3:00 AM, reimage from a read-only medium. Can be automated at BIOS level (boot to a CD or read-only USB (the read-onliness can be achieved by the WP# signal on the flash being tied to ground)). Alternatively, just run the thing entirely from a read-only medium and reboot often. Linux can run like this, and Windows on a publicly accessible computer is not that good an idea.

@auerin_price Thanks for the explanation.

So if this is the case, why is it “unpatchable”?
Couldn’t the USB manufacturers just produce a downloadable firmware update to make their USB ignore future updates from malware sources?

I don’t get to choose how the companies whose equipment I work on set up their stuff…

With all due respect, I think you mis-overestimate the ease with which the hardware can be procured. Not everyone lives, for example, in San Francisco or in Shanghai - where the stuff is easy to get and the tools needed are cheap, or where there’s a kick-started ‘maker’ site nearby.

1 Like

Not good for you. :frowning:
(On the other hand… job security?)

In the age of eBay? They deliver even to villages.

I think you underestimate the availability of basic tools, if we don’t talk in the context of African villages. You can mail-order pretty much everything. In larger cities there tend to be parts shops within public transportation reach (at least in the context of East Europe).

You don’t need Shenzhen’s SEG market for even fairly advanced work - though you definitely want it.

A sharp-tipped adjustable-temp soldering station (and an ample supply of thin tin-lead solder wire - avoid the leadless crapola!) and a jewellery loupe (you want, but not strictly need, a stereomicroscope) is not that difficult to come by.

https://www.pjrc.com/teensy/

http://www.ladyada.net/products/atmega32u4breakout/
http://digistump.com/category/1

(Actually, I’m not entirely certain you can program a Gemma as a general-purpose USB device, which is why I put it at the end.)
The first three all use the same chip, I believe, although they’re rather overspecced for USB device emulation; there are lower-end chips in the same series that would do the job, but not much with them that comes pre-assembled.

Not to mention any number of Arduino clones. And that’s just sticking to the kind of things that are pre-built and require no soldering or hardware hacking (so you’re paying a bit of a premium to make it so easy). Anyone can buy these at a wide number of online retailers anywhere in the developed world, and program them via USB. If you’re willing to do your own soldering, the options increase.

1 Like

There isn’t likely to be a straightforward answer to this. The controller in most USB devices is a small but general-purpose computing device; these kinds of micro-controllers would have been called ‘computers’ in their own right as recently as the 80s. Given that, it’s hard to come up with general answers because there are just too many variables to think of given the variety of hardware out there.

I’d probably just stick with a hand-wavy “maybe, depending on the device - if there were sufficient economic reason to do so”. So far this kind of threat isn’t really on the radar, and may never be. Malware could just as easily upload modified firmware to your graphics card, or your network card, or your BIOS, or even your CPU (CPUs have the facility to upload microcode updates, which is used to fix problems discovered in the design of a CPU after manufacturing). We did see BIOS viruses in the 90s, but not recently, and none of the others have ever been known as targets even though they’d make really big and obvious ones. Given that manufacturers have never needed to deal with the issue in any of the more obvious areas, it’s unlikely to become something they’re worried enough to counter any time soon.

I would suggest that a better option than relying on every peripheral to be changed would be to devise a sort of USB condom, which acts like a one-port hub but snoops on the data being transferred and only allows one type of traffic. For example, you could have a ‘mass storage only’ one, which would not pass through any USB messages identifying a device as anything other than a mass storage device. You could do that same thing for any of the standard device classes. You wouldn’t actually need it to be that sophisticated - I don’t think it would even need to be able to understand anything beyond the identification method, because if a USB device never gets the chance to say “I’m a keyboard”, then the computer will never listen for those events.
[Edit: I should point out that this simple approach wouldn’t stop the device from being re-programmed if it’s plugged into an infected computer, but it would prevent an infected device from compromising the clean computer that it’s later plugged into.]
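As an added example (not code from this thread or from any real "USB condom" product), the following Python simulates the policy logic described above: it walks a USB configuration descriptor the way a host stack does, collects the class code of every interface the device declares, and only lets the device through if every interface belongs to an allowed class. The descriptor byte strings are constructed for illustration and not captured from any real device; the function names `parse_interfaces` and `permit` are this example's own. Note that the filter must look at all interfaces, because a composite device can declare a mass storage interface and a keyboard interface in the same configuration.

```python
"""Simulated class-filtering hub ("mass storage only" policy) for USB descriptors.

A filtering hub sits between an untrusted device and the host; if it never
forwards an interface descriptor saying "I'm a keyboard", the host never
binds a HID driver to it. This module parses a configuration descriptor
and applies an allow-list of interface classes.
"""

# Standard USB descriptor type codes
DT_CONFIGURATION = 0x02
DT_INTERFACE = 0x04

# USB-IF base class codes used in the constructed samples below
CLASS_HID = 0x03
CLASS_MASS_STORAGE = 0x08


def parse_interfaces(config: bytes) -> list[tuple[int, int]]:
    """Return (bInterfaceNumber, bInterfaceClass) for every interface descriptor.

    The descriptor chain is walked by bLength, as the host does. A length
    field that is zero or runs past wTotalLength is treated as malformed and
    rejected rather than trusted, so a hostile device cannot loop or
    confuse the walker."""
    if len(config) < 9 or config[1] != DT_CONFIGURATION:
        raise ValueError("not a configuration descriptor")
    total = int.from_bytes(config[2:4], "little")  # wTotalLength, little-endian
    if total > len(config):
        raise ValueError("wTotalLength exceeds the bytes received")
    found = []
    off = 0
    while off < total:
        blen = config[off]
        if blen < 2 or off + blen > total:
            raise ValueError(f"malformed descriptor at offset {off}")
        if config[off + 1] == DT_INTERFACE:
            # bInterfaceNumber is at offset 2, bInterfaceClass at offset 5
            found.append((config[off + 2], config[off + 5]))
        off += blen
    return found


def permit(config: bytes, allowed_classes: set[int]) -> tuple[bool, str]:
    """Policy decision: allow only if every declared interface is in the allow-list."""
    try:
        ifaces = parse_interfaces(config)
    except ValueError as exc:
        return False, f"blocked: {exc}"
    if not ifaces:
        return False, "blocked: device declares no interfaces"
    rejected = [(n, c) for n, c in ifaces if c not in allowed_classes]
    if rejected:
        detail = ", ".join(f"interface {n} class 0x{c:02x}" for n, c in rejected)
        return False, f"blocked: {detail}"
    return True, "allowed"


# --- Constructed sample descriptors (illustrative, not from a real device) ---

# Plain flash drive: one mass storage (SCSI, bulk-only) interface, two bulk endpoints.
MSC_ONLY = bytes([
    0x09, 0x02, 0x20, 0x00, 0x01, 0x01, 0x00, 0x80, 0x32,  # config, wTotalLength = 32
    0x09, 0x04, 0x00, 0x00, 0x02, 0x08, 0x06, 0x50, 0x00,  # interface 0: mass storage
    0x07, 0x05, 0x81, 0x02, 0x40, 0x00, 0x00,              # bulk IN endpoint
    0x07, 0x05, 0x02, 0x02, 0x40, 0x00, 0x00,              # bulk OUT endpoint
])

# Composite device: the same storage interface plus a boot-protocol keyboard.
COMPOSITE = bytes([
    0x09, 0x02, 0x39, 0x00, 0x02, 0x01, 0x00, 0x80, 0x32,  # config, wTotalLength = 57
]) + MSC_ONLY[9:] + bytes([
    0x09, 0x04, 0x01, 0x00, 0x01, 0x03, 0x01, 0x01, 0x00,  # interface 1: HID keyboard
    0x09, 0x21, 0x11, 0x01, 0x00, 0x01, 0x22, 0x3F, 0x00,  # HID class descriptor
    0x07, 0x05, 0x83, 0x03, 0x08, 0x00, 0x0A,              # interrupt IN endpoint
])

# Malformed: a descriptor with bLength 0 inside the chain.
MALFORMED = bytes([0x09, 0x02, 0x0B, 0x00, 0x01, 0x01, 0x00, 0x80, 0x32, 0x00, 0x04])

STORAGE_ONLY_POLICY = {CLASS_MASS_STORAGE}

if __name__ == "__main__":
    for name, desc in (("flash drive", MSC_ONLY), ("composite", COMPOSITE), ("malformed", MALFORMED)):
        ok, reason = permit(desc, STORAGE_ONLY_POLICY)
        print(f"{name:12s} -> {reason}")
```

Running it prints that the plain drive is allowed while the composite and malformed descriptors are blocked. A real filtering hub would also have to handle alternate settings and later `SET_CONFIGURATION` switches, which is why the post's caveat about keeping the check simple but applying it to every descriptor the device presents matters.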

Even in space, where no one hears them (with ears).

Alternatively:

#The Silent Scream II

1 Like

But not getting members of the public to use your obviously low-quantity-production-run device.

Instead of being a suspicious brown-paper-package with steam coming out of it, it’s a USB stick that’s been returned to Target and placed back on the shelf.

1 Like

Technically, you can just replace the lil’ board inside the original disk. Nobody will notice unless they crack open the shell, and the only person I know who does it to look inside is me.

And you can even send the board to be made in bulk professionally, including that green mask and white silkscreen.

Eutectic solder, my son! Once you use it, you never go back.

A lot of those African villages don’t even have electricity.

Yes, where’s the economic incentive for the manufacturer (or jobber) of house-branded, drop-shipped, negotiated-to-the-lowest-price thumbdrives, so that they’ll write and test patches for those devices?

Tell me! :smiley: I did most of this table when doing research on available alloys.
Solder - Wikipedia
(Also check the chapter on intermetallics. These can bite you, reliability-wise.)

That said, the Sn63Pb34 is close enough to Sn60Pb40 for all or most practical purposes. More difference in the usability/handling will be with the flux core composition.

Then there are the alloyed compositions, flavored with a bit of copper or silver. These are good for special cases, e.g. for thin metalization (e.g. silver on ceramics), as the speed of dissolution of the metal in tin will be somewhat limited.

For larger jobs, e.g. plumbing pipes, you do not want a eutectic. You want to pick some alloy that has a wide range between top and bottom melting point (when it is a paste); then you can use a wet rag or brush to smear the joint smooth.

Isn’t metallurgy fun? :smiley:

I’d be surprised if Bluetooth devices aren’t equally susceptible to this technique. Shouldn’t make a difference to the microcontrollers whether they’re using wires or radio for data transmission.

1 Like

They more than likely are. Plus there’s the can of worms inherent to wireless, aka remote attack. The bluesniping “rifle” can attack your devices from a mile away.

I guess this means USB dead drops are sort of… dead.

Well, it’s not like they were ever anything but the computer equivalent of a glory hole where condoms were banned anyway…