http://www.wired.com/2014/10/code-published-for-unfixable-usb-attack/



*The Unpatchable Malware That Infects USBs Is Now on the Loose*

   - By Andy Greenberg <http://www.wired.com/author/andygreenberg/>
   - 10.02.14  |

It’s been just two months since researcher Karsten Nohl demonstrated an
attack he called BadUSB <http://www.wired.com/2014/07/usb-security/> to a
standing-room-only crowd at the Black Hat security conference in Las Vegas,
showing that it’s possible to corrupt any USB device with insidious,
undetectable malware. Given the severity of that security problem—and the
lack of any easy patch—Nohl has held back on releasing the code he used to
pull off the attack. But at least two of Nohl’s fellow researchers aren’t
waiting any longer.

In a talk at the Derbycon hacker conference in Louisville, Kentucky last
week, researchers Adam Caudill and Brandon Wilson showed that they’ve
reverse engineered the same USB firmware as Nohl’s SR Labs, reproducing
some of Nohl’s BadUSB tricks. And unlike Nohl, the hacker pair has
also published
the code for those attacks on Github
<https://github.com/adamcaudill/Psychson>, raising the stakes for USB
makers to either fix the problem or leave hundreds of millions of users
vulnerable.

“The belief we have is that all of this should be public. It shouldn’t be
held back. So we’re releasing everything we’ve got,” Caudill told the
Derbycon audience on Friday. “This was largely inspired by the fact that
[SR Labs] didn’t release their material. If you’re going to prove that
there’s a flaw, you need to release the material so people can defend
against it.”

More Threat Level:

Why the Security of USB Is Fundamentally Broken
<http://www.wired.com/2014/07/usb-security/>

Cops Are Handing Out Spyware to Parents—With Zero Oversight
<http://www.wired.com/2014/10/cops-giving-parents-spyware/>

The $1,200 Machine That Lets Anyone Make a Metal Gun at Home
<http://www.wired.com/2014/10/cody-wilson-ghost-gunner/>

The two independent security researchers, who declined to name their
employer, say that publicly releasing the USB attack code will allow
penetration testers to use the technique, all the better to prove to their
clients that USBs are nearly impossible to secure in their current form.
And they also argue that making a working exploit available is the only way
to pressure USB makers to change the tiny devices’ fundamentally broken
security scheme.

“If this is going to get fixed, it needs to be more than just a talk at
Black Hat,” Caudill told WIRED in a followup interview. He argues that the
USB trick was likely already available to highly resourced government
intelligence agencies like the NSA, who may already be using it in secret.
“If the only people who can do this are those with significant budgets, the
manufacturers will never do anything about it,” he says. “You have to prove
to the world that it’s practical, that anyone can do it…That puts pressure
on the manufactures to fix the real issue.”

Like Nohl, Caudill and Wilson reverse engineered the firmware of USB
microcontrollers sold by the Taiwanese firm Phison, one of the world’s top
USB makers. Then they reprogrammed that firmware to perform disturbing
attacks: In one case, they showed that the infected USB can impersonate a
keyboard to type any keystrokes the attacker chooses on the victim’s
machine. Because it affects the firmware of the USB’s microcontroller, that
attack program would be stored in the rewritable code that controls the
USB’s basic functions, not in its flash memory—even deleting the entire
contents of its storage wouldn’t catch the malware. Other firmware tricks
demonstrated by Caudill and Wilson would hide files in that invisible
portion of the code, or silently disable a USB’s security feature that
password-protects a certain portion of its memory.

“People look at these things and see them as nothing more than storage
devices,” says Caudill. “They don’t realize there’s a reprogrammable
computer in their hands.”

In an earlier interview with WIRED ahead of his Black Hat talk
<http://www.wired.com/2014/07/usb-security/>, Berlin-based Nohl had said
that he wouldn’t release the exploit code he’d developed because he
considered the BadUSB vulnerability practically unpatchable. (He did,
however, offer a proof-of-concept for Android devices
<https://srlabs.de/badusb/>.) To prevent USB devices’ firmware from being
rewritten, their security architecture would need to be fundamentally
redesigned, he argued, so that no code could be changed on the device
without the unforgeable signature of the manufacturer. But he warned that
even if that code-signing measure were put in place today, it could take 10
years or more to iron out the USB standard’s bugs and pull existing
vulnerable devices out of circulation. “It’s unfixable for the most part,”
Nohl said at the time. “But before even starting this arms race, USB sticks
have to *attempt* security.”

Caudill says that by publishing their code, he and Wilson are hoping to
start that security process. But even they hesitate to release every
possible attack against USB devices. They’re working on another exploit
that would invisibly inject malware into files as they are copied from a
USB device to a computer. By hiding another USB-infecting function in that
malware, Caudill says it would be possible to quickly spread the malicious
code from any USB stick that’s connected to a PC and back to any new USB
plugged into the infected computer. That two-way infection trick could
potentially enable a USB-carried malware epidemic. Caudill considers that
attack so dangerous that even he and Wilson are still debating whether to
release it.

“There’s a tough balance between proving that it’s possible and making it
easy for people to actually do it,” he says. “There’s an ethical dilemma
there. We want to make sure we’re on the right side of it.”








__._,_.___
 ------------------------------
Posted by: "Beowulf" <[email protected]>
------------------------------


 Visit Your Group
<https://groups.yahoo.com/neo/groups/grendelreport/info;_ylc=X3oDMTJmZGZsbTRwBF9TAzk3MzU5NzE0BGdycElkAzIwMTk0ODA2BGdycHNwSWQDMTcwNTMyMzY2NwRzZWMDdnRsBHNsawN2Z2hwBHN0aW1lAzE0MTI3OTE3NjA->

   - New Members
   
<https://groups.yahoo.com/neo/groups/grendelreport/members/all;_ylc=X3oDMTJnZTEzMTcyBF9TAzk3MzU5NzE0BGdycElkAzIwMTk0ODA2BGdycHNwSWQDMTcwNTMyMzY2NwRzZWMDdnRsBHNsawN2bWJycwRzdGltZQMxNDEyNzkxNzYw>
   1

 [image: Yahoo! Groups]
<https://groups.yahoo.com/neo;_ylc=X3oDMTJlZmM2MnFmBF9TAzk3NDc2NTkwBGdycElkAzIwMTk0ODA2BGdycHNwSWQDMTcwNTMyMzY2NwRzZWMDZnRyBHNsawNnZnAEc3RpbWUDMTQxMjc5MTc2MA-->
• Privacy <https://info.yahoo.com/privacy/us/yahoo/groups/details.html> •
Unsubscribe <[email protected]?subject=Unsubscribe>
• Terms of Use <https://info.yahoo.com/legal/us/yahoo/utos/terms/>

__,_._,___

-- 
-- 
Thanks for being part of "PoliticalForum" at Google Groups.
For options & help see http://groups.google.com/group/PoliticalForum

* Visit our other community at http://www.PoliticalForum.com/  
* It's active and moderated. Register and vote in our polls. 
* Read the latest breaking news, and more.

--- 
You received this message because you are subscribed to the Google Groups 
"PoliticalForum" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
For more options, visit https://groups.google.com/d/optout.

Reply via email to