Watch this from the Blackhat conference
<https://www.youtube.com/watch?v=nuruzFqMgIw>
The full video is 44 minutes long but you can get much of the gist
within the first 15 minutes. The problem described is called "BadUSB".
As it turns out all USB devices (including USB 3.0) contain a
microprocessor and *rewritable* memory whose control program contents
define the character of a particular type of USB device. But, as part
of the USB standard a particular device is allowed to change its device
type or even be more than one type of device.
If a USB device is inserted into a computer infected with appropriate
exploit code that device may be surreptitiously reprogrammed by
inserting new code into unused memory areas on the USB device's memory
chip. Then, this second bit of exploit code now exists within the
memory of the USB device as additional code. If the USB device was a
flash drive, inserting it into a second computer will visibly detect
nothing but the original flash drive behaviour. However, the hidden
exploit code may have first identified itself as a USB boot device and
taken over the initial booting of the computer ahead of the operating
system and installed itself by taking over the boot record of the
computer boot drive. It can also describe itself as a keyboard and type
whatever it wants or capture all your keystrokes. It can even describe
itself as a network card and capture your network traffic. The
scenarios are endless... consider that someone asks you if they can
charge their Android phone (with USB) on your computer's USB port. The
USB controller on the phone may be infected and infect your computer.
As they say on their video, the authors have so far only scratched the
surface of what may be possible.
The really serious problem with the USB device as the attack vector is
that it cannot be detected in any conventional way. The malware exists
in the microcode of the USB device. Today there is no software that
reads and verifies that code nor, if there was, could it even be enabled
if the malware takes over booting of the machine.
PS: This has nothing to do with Windows, iOS or Linux or any other
operating system. The infection is in the hardware and all are
vulnerable. Sorry to ruin your day (as it has mine) but we should all
be aware of what's possible.
Chuck Norcutt
--
Options: http://lists.thomasclausen.net/mailman/listinfo/olympus
Archives: http://lists.thomasclausen.net/mailman/private/olympus/
Themed Olympus Photo Exhibition: http://www.tope.nl/
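The "more than one type of device" behaviour the post describes shows up in the USB configuration descriptor a device hands the host during enumeration: each function is a separate interface descriptor with its own class code. The following Python is an added example (not code from the post or the talk) that walks such a descriptor blob and flags interface classes a plain flash drive should not expose; the descriptor bytes are constructed here, and on Linux the real blob would come from the `descriptors` attribute under `/sys/bus/usb/devices/`.

```python
# Added example (not code from the post or the talk): walk a USB configuration
# descriptor and report interface classes that a plain flash drive has no
# business exposing. All descriptor bytes below are constructed, not captured.
DT_CONFIG, DT_INTERFACE, DT_ENDPOINT = 0x02, 0x04, 0x05
CLASS_NAMES = {0x02: "CDC control (network/modem)", 0x03: "HID (keyboard/mouse)",
               0x08: "Mass storage", 0x0A: "CDC data"}
def interface_classes(config_desc: bytes) -> list:
    """Return bInterfaceClass of every interface descriptor in the blob. Every
    descriptor starts with bLength, bDescriptorType, so hopping by bLength
    skips descriptors we do not parse (HID class, vendor-specific, ...)."""
    classes, pos = [], 0
    while pos + 2 <= len(config_desc):
        length, dtype = config_desc[pos], config_desc[pos + 1]
        if length < 2 or pos + length > len(config_desc):
            break  # truncated or malformed descriptor: stop, never loop forever
        if dtype == DT_INTERFACE and length >= 9:
            classes.append(config_desc[pos + 5])  # offset 5 = bInterfaceClass
        pos += length
    return classes

def unexpected_classes(config_desc: bytes, allowed=frozenset({0x08})) -> list:
    """Classes present but outside the allow-list for the device's expected role
    (default: mass storage only); non-empty means 'this drive is also a ...'."""
    return sorted(set(interface_classes(config_desc)) - allowed)

def describe(classes) -> list:
    return [CLASS_NAMES.get(c, "class 0x%02x" % c) for c in classes]
# --- constructed sample descriptors -----------------------------------------
def _interface(num, cls, sub, proto, endpoints):
    desc = bytes([9, DT_INTERFACE, num, 0, len(endpoints), cls, sub, proto, 0])
    for addr, attrs, size in endpoints:
        desc += bytes([7, DT_ENDPOINT, addr, attrs, size & 0xFF, size >> 8, 1])
    return desc

def _config(*interfaces):
    body = b"".join(interfaces)
    total = 9 + len(body)
    return bytes([9, DT_CONFIG, total & 0xFF, total >> 8, len(interfaces),
                  1, 0, 0x80, 50]) + body

BULK_IN_OUT = [(0x81, 0x02, 512), (0x02, 0x02, 512)]
FLASH_DRIVE = _config(_interface(0, 0x08, 0x06, 0x50, BULK_IN_OUT))  # SCSI, BOT
# the same drive that additionally enumerates as a boot-protocol keyboard
FLASH_PLUS_KEYBOARD = _config(_interface(0, 0x08, 0x06, 0x50, BULK_IN_OUT),
                              _interface(1, 0x03, 0x01, 0x01, [(0x83, 0x03, 8)]))

if __name__ == "__main__":
    for name, blob in (("flash drive", FLASH_DRIVE), ("flash+keyboard", FLASH_PLUS_KEYBOARD)):
        extra = unexpected_classes(blob)
        print(name, "OK" if not extra else "also exposes: " + ", ".join(describe(extra)))
```

The check only covers what a device declares at enumeration time; a device that re-enumerates later with a different descriptor set needs the same check rerun on every connect event.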