Security researchers says that USBs can take over a PCs and Macs

[RedRound2]

The USB standard has a fundamental security flaw that allows an attacker to take over any device it is connected to, whether PC or Mac, say security researchers in a frightening piece by Wired.

Describing the proof-of-concept Karsten Nohl and Jakob Lell plan to present at the Black Hat conference next week, they say the weakness is fundamental to the way in which USB works. Rather than storing malicious files on a USB device, the researchers managed to hack the USB controller chip that enables a USB device to communicate with a computer, changing its firmware. That means it can allow absolutely any USB device, from a USB key to a keyboard, to be compromised.
 

“These problems can’t be patched,” says Nohl, who will join Lell in presenting the research at the Black Hat security conference in Las Vegas. “We’re exploiting the very way that USB is designed.” “You can give it to your IT security people, they scan it, delete some files, and give it back to you telling you it’s clean, [but] the cleaning process doesn’t even touch the files we’re talking about.”. Unlike most malware, which targets Windows, this exploit allows any USB device to emulate a keyboard or mouse, taking complete control of both PCs and Macs.

 

As it’s undetectable, the exploit could be silently added to a USB key when it is inserted into a PC, and then infect the next device it’s connected to. There is, say the researchers, no protection at all against the method of attack short of never sharing USB devices – treating them as you’d treat a hypodermic needle: only ever using one you know to be brand new, and not dreaming of allowing anyone else to share it.

 

Source: http://9to5mac.com/2014/07/31/security-researchers-say-usb-security-broken-can-take-over-macs-or-pcs/

[c3p0]

Well thats old news. 

 

Use this http://www.nirsoft.net/password_recovery_tools.html create a batch to run autoplay and tada you made your own password stealing usb. Those controllers can be overtaken in sd cards aswell. Nothing new.

[qwertywarrior]

Serial port ftw

[LAwLz]

Well thats old news. 

 

Use this http://www.nirsoft.net/password_recovery_tools.html create a batch to run autoplay and tada you made your own password stealing usb. Those controllers can be overtaken in sd cards aswell. Nothing new.

That's not the same as what OP's post is about.

You're talking about making something that auto executes a program stored on an USB memory stick

Your method only works if the computer has auto-run enabled, is running Windows and it only works with a USB memory stick. The method OP mentions works on any USB device (keyboard, mouse, web cam, memory stick, USB powered mini fridge etc) on any OS (OS X, Windows, GNU/Linux) and it will always run no matter what settings you got (even if you don't allow it to auto-run).

 

At least if what they are saying is true.

 

 

 

Edit:

Any USB device can be infected by simply plugging it into an infected computer as well. So if your buddies computer is infected and you plug in your keyboard into it, your keyboard will be infected and spread the malware to any computer you plug it into.

[Askew]

That's not the same as what OP's post is about.

You're talking about making something that auto executes a program stored on an USB memory stick

Your method only works if the computer has auto-run enabled, is running Windows and it only works with a USB memory stick. The method OP mentions works on any USB device (keyboard, mouse, web cam, memory stick, USB powered mini fridge etc) on any OS (OS X, Windows, GNU/Linux) and it will always run no matter what settings you got (even if you don't allow it to auto-run).

 

At least if what they are saying is true.

 

Seems like a pretty big 'if'.

[LAwLz]

Seems like a pretty big 'if'.

Well it's not just some anonymous guy making these statements so it's very plausible that they are speaking the truth.

[Askew]

Well it's not just some anonymous guy making these statements so it's very plausible that they are speaking the truth.

 

Indeed, I was referring more to the gravity of the exploit if factual.

[c3p0]

That's not the same as what OP's post is about.

You're talking about making something that auto executes a program stored on an USB memory stick

Your method only works if the computer has auto-run enabled, is running Windows and it only works with a USB memory stick. The method OP mentions works on any USB device (keyboard, mouse, web cam, memory stick, USB powered mini fridge etc) on any OS (OS X, Windows, GNU/Linux) and it will always run no matter what settings you got (even if you don't allow it to auto-run).

 

At least if what they are saying is true.

 

 

 

Edit:

Any USB device can be infected by simply plugging it into an infected computer as well. So if your buddies computer is infected and you plug in your keyboard into it, your keyboard will be infected and spread the malware to any computer you plug it into.

 

I know the first post was refering to hardwarecontrollers. The given scenario was only an easy sniffing scenario without fuzzing the controller. If you want to run malicous code an any controller would requiere way more planning. I'm not to much into it but it should be some very modified firmware to execute such attack on a usb device or any other device.  

[Sack]

I thought this was well known, I saw this in a demonstartion like 3-4 years ago performed by a guy from NorSIS in Norway. What I saw was the so called "unclassified" version, I usb device is in essence a micro-controller soyou can program it to do pretty much anything, and it was about the same as the old wireless usb recivers for computer mice. Took about 2-3 sec and then he had a mirror image of everything.

 

I know that hackers don't actually use a live feed of your desktop, but this was a demonstration performed for security people, and COs, so they did it for "dramatic effect" so that everypne understood the implications of just using usb-drives uncritically. They also showed a very similar exploit on a android device with the help of a text messaging app, where you could just edit you number away to something different, like your service provider telling you to update your SIM-card by following this link, poof they had absolute control... So, scary stuff all around

[AMICLG]

This is pretty old news, I forgot which security firm made it but they modified a dell mouse to have Java spyware that was FUD to all anti-virus like 2-3 years ago.

[Trik'Stari]

So there's no way to protect from this? great.

[d3sl91]

 

Like a condom for your USB drive?