Hack of the Day: USB devices
Oct. 5th, 2014 10:01 am![[personal profile]](https://www.dreamwidth.org/img/silk/identity/user.png){kind=small}
thewayneA couple of months ago I posted that security researchers had found a valid exploit to alter the microcontrollers on USB devices, making an attack vector that's almost impossible to detect or fix.
It's now in the wild, and criminals are experimenting to see what they can do with it.
A microcontroller is sort is a super-small computer, and the vulnerability is the discovery that it can be reprogrammed. It's almost impossible to detect because of the different levels that computer programs and operating systems work, they're running so far above the hardware that some things just aren't easily seen. So this is almost invisible. In the early days of MS-DOS, you were running pretty much directly on top of the hardware, which had its pluses and minuses, but when Microsoft started abstracting the operating system from the hardware to make it easier to run on variations in hardware, you now had programs talking to the operating system which talk to device drivers to access the hardware. This abstraction is really good from a system administrator standpoint, but it makes things like this really hard to detect.
Here's the most insidious part: a lot of the really nasty malware out there these days belong to Command & Control (C&C) networks and can change. The guy who controls the system can tell it 'Go update yourself' and push a new module out to make the malware capable of infecting any USB device plugged in to it. And since pretty much all personal computing hardware is either Intel architecture or compatible with it, they might be able to push malware that is platform-agnostic and can infect anything.
It might be unpatchable period. It might be that one manufacturer's cannot be, or even one particular series might or might not be fixable. It's not terribly easy to find out who made the controller on your USB device, much less fix it. One source said it could take a decade to resolve this.
Oh, and credit card readers? Those are USB devices usually.
http://www.wired.com/2014/10/code-published-for-unfixable-usb-attack/
http://hardware.slashdot.org/story/14/10/02/2154204/hacking-usb-firmware
It's now in the wild, and criminals are experimenting to see what they can do with it.
A microcontroller is sort is a super-small computer, and the vulnerability is the discovery that it can be reprogrammed. It's almost impossible to detect because of the different levels that computer programs and operating systems work, they're running so far above the hardware that some things just aren't easily seen. So this is almost invisible. In the early days of MS-DOS, you were running pretty much directly on top of the hardware, which had its pluses and minuses, but when Microsoft started abstracting the operating system from the hardware to make it easier to run on variations in hardware, you now had programs talking to the operating system which talk to device drivers to access the hardware. This abstraction is really good from a system administrator standpoint, but it makes things like this really hard to detect.
Here's the most insidious part: a lot of the really nasty malware out there these days belong to Command & Control (C&C) networks and can change. The guy who controls the system can tell it 'Go update yourself' and push a new module out to make the malware capable of infecting any USB device plugged in to it. And since pretty much all personal computing hardware is either Intel architecture or compatible with it, they might be able to push malware that is platform-agnostic and can infect anything.
It might be unpatchable period. It might be that one manufacturer's cannot be, or even one particular series might or might not be fixable. It's not terribly easy to find out who made the controller on your USB device, much less fix it. One source said it could take a decade to resolve this.
Oh, and credit card readers? Those are USB devices usually.
http://www.wired.com/2014/10/code-published-for-unfixable-usb-attack/
http://hardware.slashdot.org/story/14/10/02/2154204/hacking-usb-firmware
no subject
Date: 2014-10-06 03:52 am (UTC)no subject
Date: 2014-10-06 05:20 pm (UTC)no subject
Date: 2014-10-06 05:34 pm (UTC)no subject
Date: 2014-10-06 05:46 pm (UTC)no subject
Date: 2014-10-06 05:57 pm (UTC)It also seems like people lose those devices often enough that they would be purchasing new ones on about the same update schedule. That's for the cheap stuff, though - I doubt people will upgrade their tablets in a similar manner.
no subject
Date: 2014-10-06 06:01 pm (UTC)Yeah, flash drives are lost often enough that it's sort of an automatic upgrade cycle. I can't find either of my 16 gig drives right now, and one of my 1 TB drives just died.
no subject
Date: 2014-10-12 10:35 pm (UTC)Thankfully, not all devices are equal - there's a good spread of microcontrollers. And probably exploits for a fair number of them, where there's an open avenue to update the firmware remotely. It's not a USB fault as such, so much as exploiting the fact USB's so prevalent, and that any USB device necessarily has some kind of controller interpreting the protocol - and crucially, that some of these vendors have made it simple to reprogram that firmware.