A REALLY bad security threat: USB devices
Aug. 1st, 2014 11:16 am![[personal profile]](https://www.dreamwidth.org/img/silk/identity/user.png){kind=small}
thewayneYes, USB devices can carry malware, we all know that. This is new and different. Basically, it is not difficult to hack the hardware that controls the USB device, be it memory stick, external hard drive, or possibly smart phone or tablet. Malware injected in to the controller is pretty much undetectable, and if it can't be detected, it can't be removed.
I haven't seen reports of this problem being found in the wild, but if security researchers have found it and exploited it, there's no reason to think that bad actors such as criminals or government agencies haven't done it.
Solution? There isn't one at this time, it's too low-level of a problem like malware in hypervisors, all but impossible to detect. The best posited solution would be to apply checksums against all USB firmware, which would entail replacing all USB devices. At least you'd know if a device had been altered and was therefore untrustworthy, the question at that point would be whether the device could be remediated or should be destroyed.
http://www.wired.com/2014/07/usb-security/
https://www.schneier.com/blog/archives/2014/07/the_fundamental.html
I haven't seen reports of this problem being found in the wild, but if security researchers have found it and exploited it, there's no reason to think that bad actors such as criminals or government agencies haven't done it.
Solution? There isn't one at this time, it's too low-level of a problem like malware in hypervisors, all but impossible to detect. The best posited solution would be to apply checksums against all USB firmware, which would entail replacing all USB devices. At least you'd know if a device had been altered and was therefore untrustworthy, the question at that point would be whether the device could be remediated or should be destroyed.
http://www.wired.com/2014/07/usb-security/
https://www.schneier.com/blog/archives/2014/07/the_fundamental.html
no subject
Date: 2014-08-01 08:49 pm (UTC)Which makes it basically useless, I'm guessing.
no subject
Date: 2014-08-01 08:55 pm (UTC)no subject
Date: 2014-08-01 09:03 pm (UTC)Defend what you can, and aside from that, about all you can do is Don't Worry, Be Happy.
no subject
Date: 2014-08-01 10:19 pm (UTC)That said, something like this chain of thought should be a pretty strong reason to be as transparent as possible in your dealings with everyone. If you don't look like you have lots of secrets, and nothing of value, then nobody wants you.