Sourcecode for "unpatchable" USB exploit now on Github

You’re wrong in a couple of ways. Cleverness will always prevail with any security hole. Saying that is basically an argument from ignorance and/or lack of creativity and totally discounting all aspects of how these devices are used.

First, let's take a look at how they can be reprogrammed in ways that USB can be used, and in spec. You can either add new endpoints or add control code functions.

As far as endpoints go, you can make any type of device that can do anything you want here, but it’ll be noticeable by the user to a certain degree. For one, you can make a keyboard endpoint to insert keystrokes, and you can base this on anything that the USB device has access to: you can have it write keystrokes based on a block accessed or randomly, or something (I’m sure an attacker with a cleverness factor greater than mine will figure out something really neat). One possibility is to create a dummy network device and BAM, all your traffic is suddenly routed through a third party without you noticing. And the thing is, with how these devices are used, people don’t commonly check every single time that they are inserted that the correct endpoints are established. If you use Windows, do you go through and check that no extra devices were added to your system each time you have used your USB device? Probably not.

Secondly, there are control sequences that can be added to a USB device. These are potentially more insidious, as a user has no way to detect them, pretty much at all right now, but they will require corresponding software to become active. One can make a device log everything that device does (even a USB keyboard will likely have enough flash to cycle at least a few hundred, if not thousand or maybe million, keystrokes) and then replay that log via a control code and send it back somewhere. Yes, this needs software installed, but with autorun capabilities and social engineering it’s not impossible to get that software on the system (hell, a boot sector virus on that same USB stick could manage to get the software installed).

Besides that, there’s the possibility of doing things out-of-spec. Vulnerable USB hub? Guess what, it now logs everything on that branch and reports back via control codes. It’s also entirely possible with some clever work to make a USB drive sing in RF to transmit data, albeit very weakly, such that a nearby receiver can pick it up.

I don’t think anyone is doing much of this per se now, any time soon, or even ever, but these things are all technically possible with USB devices. Don’t ever think that a security hole is not a big deal just because you personally can’t think of how to exploit it; there’s always someone more clever than you who will think of a way.

2 Likes
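The check the post above alludes to (looking, each time a device is plugged in, at whether it enumerated only the interfaces its role needs and whether anything else quietly appeared on the bus) can be scripted. The following is an added Python example written for this thread; it is not code from the original posts or from the Github project named in the title. The snapshot format, the device records, the vendor/product ids and the role-to-class table are all constructed assumptions; on a real system the interface class codes would come from sysfs or `lsusb -v`.

```python
"""Audit a USB device enumeration against what the user expects.

Two checks a careful user could run after plugging in a stick:
 1. Does a device expose interface classes beyond its stated role
    (e.g. a "flash drive" that also enumerates a HID keyboard or a
    CDC network adapter)?
 2. Did any device appear on the bus that was not present before?

The snapshot format is a simplification; on Linux the same data comes
from sysfs (bInterfaceClass under /sys/bus/usb/devices) or `lsusb -v`.
Every device record in this file is constructed for illustration.
"""

# USB-IF base class codes (bInterfaceClass); only the ones relevant here.
CLASS_NAMES = {
    0x02: "CDC Communications",   # control interface of USB network adapters
    0x03: "HID",                  # keyboards and mice
    0x08: "Mass Storage",
    0x09: "Hub",
    0x0A: "CDC Data",             # data interface of USB network adapters
    0xE0: "Wireless Controller",
}

# Interface classes a device of the given role legitimately needs
# (assumed policy table, not a standard).
EXPECTED_BY_ROLE = {
    "flash drive": {0x08},
    "keyboard": {0x03},
    "hub": {0x09},
}


def unexpected_interfaces(device, expected_by_role=EXPECTED_BY_ROLE):
    """Return the interface classes on `device` that its role does not justify."""
    expected = expected_by_role.get(device["role"], set())
    return sorted(set(device["interfaces"]) - expected)


def new_devices(before, after):
    """Return records in `after` whose (vid, pid, port) key was absent from `before`."""
    def key(d):
        return (d["vid"], d["pid"], d["port"])
    seen = {key(d) for d in before}
    return [d for d in after if key(d) not in seen]


def audit(before, after):
    """Produce human-readable findings for both checks."""
    findings = []
    for dev in new_devices(before, after):
        findings.append(f"new device {dev['name']} on port {dev['port']}")
    for dev in after:
        extra = unexpected_interfaces(dev)
        if extra:
            names = ", ".join(CLASS_NAMES.get(c, hex(c)) for c in extra)
            findings.append(f"{dev['name']} ({dev['role']}) also exposes: {names}")
    return findings


# Constructed snapshots taken before and after inserting a stick. The stick
# is a composite device that enumerates storage, a HID keyboard and a CDC
# network adapter, i.e. the extra endpoints the post describes. The vid/pid
# values are placeholders, not real vendor or product ids.
BEFORE = [
    {"name": "Root Hub", "role": "hub", "vid": "0000", "pid": "0000",
     "port": "1-0", "interfaces": [0x09]},
    {"name": "Laptop Keyboard", "role": "keyboard", "vid": "0000", "pid": "0001",
     "port": "1-3", "interfaces": [0x03]},
]
AFTER = BEFORE + [
    {"name": "Example Stick", "role": "flash drive", "vid": "0000", "pid": "0002",
     "port": "1-4", "interfaces": [0x08, 0x03, 0x02, 0x0A]},
]

if __name__ == "__main__":
    for line in audit(BEFORE, AFTER):
        print(line)
```

The role table is the piece that has to be maintained by hand: a genuine composite device (a keyboard with a built-in hub, for instance) will trip the first check unless its role lists both classes, so the script is a prompt to look, not an automatic verdict.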

You say that, and then you go on to talk about a load of things that don’t disagree with me in any way - some of which I’ve already pointed out.

For the avoidance of doubt, and since this forum software doesn’t support threading, I’ll recap the discussion I was responding to:

[NB: this flagrant dickery made me pretty angry, of course.]

It is logically impossible for that statement to be incorrect, so I don’t quite understand why people want to argue with it.

Is it time to talk about open hardware?

1 Like

It is ALWAYS time to talk about open hardware.

1 Like
