> One [1] suggests that USB hardware can be used as a Trojan horse to > steal your data.
I don't know if this is flawed research or flawed reporting, but the article leaves a very misleading impression. The researcher has correctly identified that there is an explicit trust relationship between the OS and the hardware plugged into a USB port; the identifiers handed over during the handshake are trusted as true. If you're a military researcher - as these guys seem to be - then that's probably the sort of thing that warrants investigation. But what is to be gained from spoofing these identifiers? Simply that the wrong driver is used to attempt to handle the device. And here's where the article becomes misleading: USB devices do not inject driver code, they use driver code that is already on the computer. Certain OSes prompt for drivers if nothing suitable is already installed, others just ignore the problem (and the device). So to get malware onto the system, the driver installation route must be compromised, as that is the only way for code to be placed onto the machine. Spoofing identifiers does give a potential attacker a better choice of poor drivers to attempt to break - but the problem there is still in code quality, not in system security. If drivers are written well in the first place, a malfunctioning / nefarious piece of USB hardware should not be able to bring the box down. And, of course, strange devices are likely to be reported to the user - that is likely to lead to discovery of the attack. The details of their experiments are somewhat scant, but for them to have had the successes they claim, either they deliberately loaded compromised drivers, or they were running drivers that are easily compromised. The first of these is easily discounted - it's hardly a feat to compromise a box when you deliberately load the compromise yourself - and the latter is just the usual noise about shoddy driver code. Guess how much sleep I'm going to lose over this article... Vic. -- Please post to: Hampshire@mailman.lug.org.uk Web Interface: https://mailman.lug.org.uk/mailman/listinfo/hampshire LUG URL: http://www.hantslug.org.uk --------------------------------------------------------------
