![[personal profile]](https://www.dreamwidth.org/img/silk/identity/user.png){kind=small}
Hack of the Day: USB devices
Oct. 5th, 2014 10:01 amA couple of months ago I posted that security researchers had found a valid exploit to alter the microcontrollers on USB devices, making an attack vector that's almost impossible to detect or fix.
It's now in the wild, and criminals are experimenting to see what they can do with it.
A microcontroller is sort is a super-small computer, and the vulnerability is the discovery that it can be reprogrammed. It's almost impossible to detect because of the different levels that computer programs and operating systems work, they're running so far above the hardware that some things just aren't easily seen. So this is almost invisible. In the early days of MS-DOS, you were running pretty much directly on top of the hardware, which had its pluses and minuses, but when Microsoft started abstracting the operating system from the hardware to make it easier to run on variations in hardware, you now had programs talking to the operating system which talk to device drivers to access the hardware. This abstraction is really good from a system administrator standpoint, but it makes things like this really hard to detect.
Here's the most insidious part: a lot of the really nasty malware out there these days belong to Command & Control (C&C) networks and can change. The guy who controls the system can tell it 'Go update yourself' and push a new module out to make the malware capable of infecting any USB device plugged in to it. And since pretty much all personal computing hardware is either Intel architecture or compatible with it, they might be able to push malware that is platform-agnostic and can infect anything.
It might be unpatchable period. It might be that one manufacturer's cannot be, or even one particular series might or might not be fixable. It's not terribly easy to find out who made the controller on your USB device, much less fix it. One source said it could take a decade to resolve this.
Oh, and credit card readers? Those are USB devices usually.
http://www.wired.com/2014/10/code-published-for-unfixable-usb-attack/
http://hardware.slashdot.org/story/14/10/02/2154204/hacking-usb-firmware
It's now in the wild, and criminals are experimenting to see what they can do with it.
A microcontroller is sort is a super-small computer, and the vulnerability is the discovery that it can be reprogrammed. It's almost impossible to detect because of the different levels that computer programs and operating systems work, they're running so far above the hardware that some things just aren't easily seen. So this is almost invisible. In the early days of MS-DOS, you were running pretty much directly on top of the hardware, which had its pluses and minuses, but when Microsoft started abstracting the operating system from the hardware to make it easier to run on variations in hardware, you now had programs talking to the operating system which talk to device drivers to access the hardware. This abstraction is really good from a system administrator standpoint, but it makes things like this really hard to detect.
Here's the most insidious part: a lot of the really nasty malware out there these days belong to Command & Control (C&C) networks and can change. The guy who controls the system can tell it 'Go update yourself' and push a new module out to make the malware capable of infecting any USB device plugged in to it. And since pretty much all personal computing hardware is either Intel architecture or compatible with it, they might be able to push malware that is platform-agnostic and can infect anything.
It might be unpatchable period. It might be that one manufacturer's cannot be, or even one particular series might or might not be fixable. It's not terribly easy to find out who made the controller on your USB device, much less fix it. One source said it could take a decade to resolve this.
Oh, and credit card readers? Those are USB devices usually.
http://www.wired.com/2014/10/code-published-for-unfixable-usb-attack/
http://hardware.slashdot.org/story/14/10/02/2154204/hacking-usb-firmware
