cancel
Showing results forย 
Search instead forย 
Did you mean:ย 

Why You May Never Trust Your USB Device Again?

1492
Moderator
Moderator
According to an article in today's Ars Technica "This thumbdrive hacks computers. โ€œBadUSBโ€ exploit makes devices turn โ€œevilโ€, a hardware vulnerability with embedded USB controller chips allows hackers access to your computers, simply by plugging-in an infected USB device. And not just limited to USB flash drives. Allowing them to install Malware or act as a network device to re-route your internet traffic to popular websites impersonating Google or Facebook. And there is no way to detect it by current security means, short of disassembling the USB device to reverse engineer the firmware. This according to security researchers Karsten Nohl & Jakob Lell who plan on demonstrating badUSB at this week's Black Hat USA Conference.

What's even more disturbing is that this exploit may be related, if not a payload mechanism for the badBIOS exploit, a rootkit virus reported by another security researcher Dragos Ruiu, which can effectively take control of any computer, and thwart efforts to remove it by blocking attempts to do so, or by healing itself. And not just limited to Windows machines, but can also infect MAC and Linux systems with no practical means of detecting or easily stopping it.

And if that was not bad enough, the rootkit is thought to be able to transmit "encrypted" data packets over high frequency sound "airgaps" to other nearby computers. Thus being able to communicate even with WiFi or Bluetooth turned off. In fact, the only way Dragos was able to stop the communication was to disconnect his speaker and mic on his Macbook Air.

It has been previously reported that computer hardware exploit based spying is already used by intelligence agencies. But considering that so much of our computer hardware devices and cables originate from overseas manufacturers, they could easily be compromised with these firmware spying exploits without ever being detected? Especially, as no organization today is actively checking these for hardware security risks for the end consumer?
3 REPLIES 3

popeyemth
Explorer
Explorer
"....Don't be afraid just be aware. "
That's what I was trying to convey in a more folksy humorous way.
Apparently I failed as it was deleted.
Sorry for the bother.
"wine is a constant proof that God loves us, and loves to see us happy" ben franklin

rwbradley
Explorer
Explorer
As an expert in IT security I can say that this is entirely accurate, however people tend to loose perspective when they read articles about exploits:
1) this exploit has been known about in IT security and in the hacking community for over a year and there are no known cases of people being compromised by its use (outside of the lab)
2) there are hundreds if not thousands (that we know of) of equally scary exploits in the wild
3) many of these exploits require very very specific circumstances to be leveraged ie Physical access to the computer
Now that you are scared... keep perspective, the world is not coming to an end.
If you:
1) trust only people you know first hand (and even than still use some caution)
2) trust NO foreign device ie a USB key, phone or camera you find on the street
3) make your passwords secure/complex and change them regularly (on all devices/services including phones)
4) encrypt whenever possible
you will limit the risk of being the low hanging fruit. Hackers typically will target people in 2 ways by going after low hanging fruit en mass. With a little common sense you can avoid being the low hanging fruit. They will also attack by targeting a specific individual, and if you are a target, there is not much you can do, but unless you are a terrorist or have spent a romantic evening with a hackers girlfriend recently there is little to worry about.

BTW, a study was done by interviewing hundreds of people serving time for various break and enter related crimes. The number one thing they said stopped them trying to break in (and thus not gaining physical access to your stuff including your computer) was not fancy locks, not alarm systems, not guns, but a barking dog.

Don't be afraid just be aware.
Rob
rvtechwithrvrob.com

wildtoad
Explorer II
Explorer II
So maybe it is a good thing my Ipad doesn't have a USB port after all.
Tom Wilds
Blythewood, SC
2016 Newmar Baystar Sport 3004
2015 Jeep Wrangler 2dr HT