This published hack could be the beginning of the end for USB

[Akolyte]

*Quoted From The Verge*

Share on Facebook (16) Tweet (1)

 

 Share Share  Pin 

In July, researchers Karsten Nohl and Jakob Lell announced that they'd found a critical security flaw they called BadUSB, allowing attackers to smuggle malware on the devices effectively undetected. Even worse, there didn't seem to be a clear fix for the attack. Anyone who plugged in a USB stick was opening themselves up to the attack, and because the bad code was residing in USB firmware, it was hard to protect against it without completely redesigning the system. The only good news was that Nohl and Lell didn't publish the code, so the industry had some time to prepare for a world without USB.

"YOU HAVE TO PROVE TO THE WORLD THAT IT'S PRACTICAL."

 

As of this week, that's no longer true. In a joint talk at DerbyCon, Adam Caudill and Brandon Wilson announced they had successfully reverse-engineered BadUSB, and they didn't share Nohl and Lell's concerns about publishing the code. The pair has published the code on GitHub, and demonstrated various uses for it, including an attack that takes over a user's keyboard input and turns control over to the attacker. According to Caudill, the motive for the release was to put pressure on manufacturers. "If the only people who can do this are those with significant budgets, the manufacturers will never do anything about it," he told Wired's Andy Greenberg. "You have to prove to the world that it’s practical, that anyone can do it."

Still, the net effect is unlikely to be a push for USB security. As long as attackers can reprogram USB firmware, attacks like this will be a serious threat. The only way to fix the vulnerability is a new layer of security around firmware, but that would mean a full update to the USB standard itself, which mean years of insecurity. However the industry responds, we're likely to be living with it for a long, long time.

In the meantime, any time you plug a USB drive into your computer, you'll be opening up a huge vector of attack. It's easy to imagine a pile of dirty USBs being dumped onto a table at CES or desk at your local Kinko's. Unless you can track a device's provenance from the factory to your computer, the only real protection avoiding USB drives and devices at every turn — covering over your USB ports the same way you might cover your laptop camera. It's an extreme response, but not an unreasonable one. And for large portions of the peripheral hardware industry, it could be a very scary thought.

*Quoted From the verge*

 

 

 

I personally think this is the time we need to make something more secure and faster and reliable than USB, I also believe sadly this will never get much attention from the majority of the public.  

 

I think this was going to happen anyways.  I don't really have anything much else to say.  But I hope you enjoyed the post

 

Source - TheVerge 

 

For dark theme users:

 

Here is the link to the article. http://www.theverge.com/2014/10/2/6896095/this-published-hack-could-be-the-beginning-of-the-end-for-usb

[rambi36]

Might wanna set the font to automatic in the quote I can't see anything

[Thebman712]

what about usb c, maybe they can do a overhaul in more than just the connectors

[Vacsol]

didn't this happen ages ago, and even get demonstrated a couple months ago?

USB C hasn't been finalized IIRC, so there could be efforts to fix these exploits.

[qwertywarrior]

firmwares on anything has always had a security issue

hard drives / USB sticks / motherboards etc

[Darkman]

I also agree that we need a faster and better way to replace USB. It is getting quite dated.

Also just to make the rest of the night-theme users happy.

[spoiler=Fix please. ]

[mr moose]

Build a better mouse trap and they'll build a better mouse.  No one should be thinking "just ditch USB for something better" because there is no such thing as "something better" when it comes to security, there is only "better for now".

 

 

I think they did the right thing, most of us and most of the business world can implement policies to control what USB devices they use while a solution is being implemented.

[Akolyte]

I also agree that we need a faster and better way to replace USB. It is getting quite dated.

Also just to make the rest of the night-theme users happy.

[spoiler=Fix please. ]

What font is normal?  I tried to change it to Arial.  I can't find the regular font

[Akolyte]

firmwares on anything has always had a security issue

hard drives / USB sticks / motherboards etc

Yes.  

 

But I'm not sure if it will be as easy and someone just releasing a new firmware to patch a vulnerability.  I don't think it can be done.  

[Darkman]

What font is normal?  I tried to change it to Arial.  I can't find the regular font

Set the font color to automatic.

[Akolyte]

didn't this happen ages ago, and even get demonstrated a couple months ago?

USB C hasn't been finalized IIRC, so there could be efforts to fix these exploits.

There could be yeah.   

 

So, i think if USB-C gets this exploit fixed it would be awesome!  

[Akolyte]

Set the font color to automatic.

done. 

[Akolyte]

what about usb c, maybe they can do a overhaul in more than just the connectors

Yeah, that was what I was thinking too.  

[The_Strict_Nein]

These people are idiots. USB revisions are what, 5 years to do. You need to get EVERY SINGLE manufacturer of ANYTHING with USB ready to update. They're just fucking stupid and have exposed the entire world to risk for several years.

 

Plus, every fucking computer in the world will have to be updated. What they've done is shitty and they're awful human beings.

 

For fucks sake, at least expose something that can be fixed in a fucking week

[qwertywarrior]

Yes.  

 

But I'm not sure if it will be as easy and someone just releasing a new firmware to patch a vulnerability.  I don't think it can be done.  

even if it did happen it would be useless

the mass majority of  consumers dont know anything about this

[pk-man]

fix the font colour pls.

 

unreadable in night theme

[The_Strict_Nein]

Yeah, that was what I was thinking too.  

 

Good luck getting every peripheral manufacturer on the planet to change to type C overnight when every factory in the world is tooled for old standards

[Akolyte]

These people are idiots. USB revisions are what, 5 years to do. You need to get EVERY SINGLE manufacturer of ANYTHING with USB ready to update. They're just fucking stupid and have exposed the entire world to risk for several years.

 

Plus, every fucking computer in the world will have to be updated. What they've done is shitty and they're awful human beings.

 

For fucks sake, at least expose something that can be fixed in a fucking week

I guess you could put it that way.  

 

I get your point.  

[Syntaxvgm]

This has been well known for years. It's logic. 

[Akolyte]

fix the font colour pls.

 

unreadable in night theme

I keep changing the font to normal!    Its not working!!!! 

[The_Strict_Nein]

I guess you could put it that way.  

 

I get your point.  

 

It's like they're expecting manufacturers to be able to replace everyone in the world computers. People are still using the password "password". Why in the hell are they going to update this? Plus, even rolling it into an OS would do nothing for old computers as people still use system as old as Win 98 and older.

[Enderman]

Anything that needs firmware or drivers is vulnerable to low-level code attacks. ANYTHING. USB is just one interface, you can do the same on anything that needs drivers, even sata. The thing is that USB is universal, and everyone uses it, so thats why it would be targeted for stuff like this.

 

The point is, it cannot be fixed. Just like you cant prevent hackers from accessing the internet.

[The_Strict_Nein]

This has been well known for years. It's logic. 

 

The code hasn't been known to many for ages. Now it's open freaking source.

[Syntaxvgm]

The code hasn't been known to many for ages. Now it's open freaking source.

There are many ways to do malicious things with usb on the hardware/firmware side. This isn't the only way.

[Trik'Stari]

Oh, so they were worried it could be a problem for the world, so they released it.....because reasons.