Hackers can tap USB devices in new attacks, researcher warns


Userlevel 7
Comment: USB devices such as keyboards and thumb drives can be used by hackers to access your PC
=================================================================================================
By Helen Gaskell, Published July 31, 2014

USB devices such as mice, keyboards and thumb-drives can be used to hack into personal computers, Reuters reported, citing a top computer researcher. Karsten Nohl, chief scientist with Berlin's SR said that the potential new class of attacks evade all known security problems as hackers could load malicious software onto tiny, low-cost computer chips that control functions of USB devices but which have no built-in shields against tampering with their code.
 
itp.net/ full read here/ http://www.itp.net/599222-hackers-can-tap-usb-devices-in-new-attacks-researcher-warns

7 replies

Userlevel 3
Wired.com
 
Computer users pass around USB sticks like silicon business cards. Although we know they often carry malware infections, we depend on antivirus scans and the occasional reformatting to keep our thumbdrives from becoming the carrier for the next digital epidemic. But the security problems with USB devices run deeper than you think: Their risk isn’t just in what they carry, it’s built into the core of how they work.
That’s the takeaway from findings security researchers Karsten Nohl and Jakob Lell plan to present next week, demonstrating a collection of proof-of-concept malicious software that highlights how the security of USB devices has long been fundamentally broken. The malware they created, called BadUSB, can be installed on a USB device to completely take over a PC, invisibly alter files installed from the memory stick, or even redirect the user’s internet traffic. Because BadUSB resides not in the flash memory storage of USB devices, but in the firmware that controls their basic functions, the attack code can remain hidden long after the contents of the device’s memory would appear to the average user to be deleted. And the two researchers say there’s no easy fix: The kind of compromise they’re demonstrating is nearly impossible to counter without banning the sharing of USB devices or filling your port with superglue.
 
Entire article: http://www.wired.com/2014/07/usb-security/
 
Userlevel 7

Researchers devise stealthy attack that reprograms USB device firmware.

by Dan Goodin - July 31 2014
 



 
When creators of the state-sponsored Stuxnet worm used a USB stick to infect air-gapped computers inside Iran's heavily fortified Natanz nuclear facility, trust in the ubiquitous storage medium suffered a devastating blow. Now, white-hat hackers have devised a feat even more seminal—an exploit that transforms keyboards, Web cams, and other types of USB-connected devices into highly programmable attack platforms that can't be detected by today's defenses.
Dubbed BadUSB, the hack reprograms embedded firmware to give USB devices new, covert capabilities. In a demonstration scheduled at next week's Black Hat security conference in Las Vegas, a USB drive, for instance, will take on the ability to act as a keyboard that surreptitiously types malicious commands into attached computers. A different drive will similarly be reprogrammed to act as a network card that causes connected computers to connect to malicious sites impersonating Google, Facebook or other trusted destinations. The presenters will demonstrate similar hacks that work against Android phones when attached to targeted computers. They say their technique will work on Web cams, keyboards, and most other types of USB-enabled devices.
 
Full Article
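
The behaviour described above, a storage drive that enumerates as a keyboard or network card, reaches the host as a change in the interface classes the device reports. As an added example (not from the quoted article or the researchers), this sketch compares enumerated interface classes against an approved baseline; the inventory format, function names and sample devices are constructed assumptions, and the class codes are the standard USB-IF base classes.

```python
# USB-IF base class codes (bInterfaceClass) relevant to the behaviours above.
HID, MASS_STORAGE, CDC_COMM, CDC_DATA, WIRELESS = 0x03, 0x08, 0x02, 0x0A, 0xE0
INPUT_OR_NETWORK = {
    HID: "HID (keyboard/mouse)",
    CDC_COMM: "CDC communications (network/modem)",
    CDC_DATA: "CDC data",
    WIRELESS: "wireless controller (e.g. RNDIS)",
}

def review_device(device, baseline):
    """Return findings for one enumerated device.

    device:   {"vid", "pid", "serial", "interfaces": [bInterfaceClass, ...]}
    baseline: {(vid, pid, serial): set of classes seen when the device was
               approved}  -- hypothetical inventory format for this example
    """
    key = (device["vid"], device["pid"], device["serial"])
    seen = set(device["interfaces"])
    findings = []
    approved = baseline.get(key)
    if approved is None:
        findings.append("unknown device: not in baseline")
    else:
        # A class that was absent at approval time is the signal of interest.
        for cls in sorted(seen - approved):
            findings.append(f"new interface class 0x{cls:02x} since approval")
    if MASS_STORAGE in seen:
        # Storage combined with input or network interfaces deserves a look.
        for cls in sorted(seen & set(INPUT_OR_NETWORK)):
            findings.append(f"storage device also exposes {INPUT_OR_NETWORK[cls]}")
    return findings

# Constructed sample data: one approved thumb drive, then three plug-in events.
BASELINE = {(0x1234, 0x0001, "A1"): {MASS_STORAGE}}
SAMPLES = [
    {"vid": 0x1234, "pid": 0x0001, "serial": "A1", "interfaces": [MASS_STORAGE]},
    {"vid": 0x1234, "pid": 0x0001, "serial": "A1", "interfaces": [MASS_STORAGE, HID]},
    {"vid": 0x1234, "pid": 0x0002, "serial": "B7", "interfaces": [HID]},
]

def review_all(devices=SAMPLES, baseline=BASELINE):
    """Map each sample's position to its list of findings."""
    return {i: review_device(d, baseline) for i, d in enumerate(devices)}

if __name__ == "__main__":
    for idx, findings in review_all().items():
        print(idx, findings or "ok")
```

Vendor ID, product ID and serial are all supplied by the device's own firmware, so this is a tripwire for class changes on known hardware, not proof that a device is clean.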
Userlevel 7
That's pretty scary. I guess no USB drives until someone comes up with a fix for this one.
Userlevel 7
Comment: Flash drives with malicious code; researchers are able to reprogram the firmware.
=================================================================================================
By Iain Thomson, 31 Jul 2014
 
Researchers say they have managed to reprogram the firmware within some flash drives with malicious code – code executed by the gadget's micro-controller to ultimately install malware on a PC or redirect network traffic without a victim knowing.
Karsten Nohl and Jakob Lell, from German security skunkworks SR Labs, spent months analyzing the software and micro-controllers embedded in particular USB devices, and said they have found they could reliably hide, in the flash ROM, malware that's undetectable to today's antivirus tools – and it's very, very effective.
We're told their software nasty, which they call BadUSB, can be installed not just in certain thumb drives, but in anything sporting a supported or compatible micro-controller. It is impossible to remove from the device, unless you too have tools and skills to reprogram the firmware.
 
The Register/ Full Article Here/ http://www.theregister.co.uk/2014/07/31/black_hat_hackers_drive_truck_through_hole_in_usb_security/
Userlevel 6

"BadUSB" - what if you could never trust a USB device again?

 
by Paul Ducklin on August 2, 2014
 
Imagine if you had to throw away your USB devices after letting someone else use them.
That USB key with the PowerPoint file on it that you loaded onto the projector at a conference?
Bin it.
 
Your mouse, selflessly lent to a fellow traveller while you both were waiting at the airport?
Might as well leave it behind with the complimentary newspaper.
The cool new outdoor action camera you plugged into your friend's laptop after a day of bike riding in the mountains?
Oh no! Not the cool new camera!
 
Well, according to a paper coming up at the BlackHat 2014 conference, that's where we might be heading if we're not careful.
 
Full story
 
Userlevel 7
@ wrote:
That's pretty scary. I guess no USB drives until someone comes up with a fix for this one.
I couldn't agree with you more nic. I'm just grateful that I know where all my USBs came from (and where they've been).
Userlevel 7
Every USB Device Under Threat. New Hack Is Undetectable And Unfixable
Posted by Gordon Kelly | 8/01/2014 @ 8:37AM
 
It is well known that USB drives can be dangerous. Companies run strict screening policies and it has long been known that running unknown ‘exe’ files is a bad idea. But what if the threat was undetectable, unfixable and could be planted into any USB device be it a USB drive, keyboard, mouse, web camera, printer, even smartphone or tablet? Well this nightmare scenario just became reality.
 
The findings will be laid out in a presentation next week from security researchers Karsten Nohl and Jakob Lell who claim the security of USB devices is fundamentally broken. More to the point they said it has always been fundamentally broken, but the holes have only just been discovered.
 
Full Article... "Bad USB!"
