Yottabytes: Storage and Disaster Recovery

Jul 31 2014   8:27PM GMT

Another Reason Not to Poke USB Sticks in Things

Sharon Fisher

Black Hat is always a fun time to find out what new security vulnerabilities there might be to keep you up at night — particularly if you attend and get your system infected while you’re there — and this year is no exception. The conference will be held in Las Vegas next week and the online world is already atwitter, so to speak, about one of the presentations.

This is all according to the German security organization SR Labs, which is offering a presentation called “Bad USB — On Accessories That Turn Evil.” The organization released a preview of its presentation on its website.

According to the presentation, it’s possible to insert malware into the microcode in USB devices — that is, any USB device, including keyboards, cameras, and mice — to reprogram them and essentially turn them into another USB device. This would allow people to:

  1. Emulate a keyboard and issue commands on behalf of the logged-in user to steal files or install malware; such malware, in turn, can infect the controller chips of other USB devices connected to the computer
  2. Spoof a network card and change the computer’s DNS setting to redirect traffic
  3. Boot a small virus on startup, which infects the computer’s operating system prior to boot
  4. Replace the computer’s BIOS
  5. Though the researchers don’t mention this one, presumably it could turn on the camera and spy on you or anything else in the room

Naturally, none of this is detectable. Virus scanners don’t work because they don’t look at microcode. Beyond that, once a computer is infected, you can basically never trust it again, SR Labs researchers say, because any USB thing that might be plugged into it could still be infected, even if you reinstall the operating system.
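A scanner cannot read the firmware, but a device that takes on another role still has to announce that role to the host as a USB interface class. The sketch below is an added example, not SR Labs' tooling or anything from the presentation: it compares announced interface classes against the role each device is supposed to fill, and the policy table, port inventory and snapshot are all constructed assumptions.

```python
# Added example: flag USB devices whose announced interfaces exceed their role.
# Class codes are standard USB-IF values; the policy and sample data are assumptions.
from collections import defaultdict

USB_CLASS = {0x02: "CDC communications", 0x03: "HID (keyboard/mouse)",
             0x08: "mass storage", 0x0A: "CDC data", 0x0E: "video",
             0xE0: "wireless controller (e.g. RNDIS)"}

# Hypothetical site policy: which interface classes each device role may expose.
ROLE_POLICY = {"storage": {0x08}, "keyboard": {0x03}, "webcam": {0x0E, 0x01}}

# Constructed snapshot: "<port>:<config>.<interface> <bInterfaceClass hex>".
# On Linux these values can be read from /sys/bus/usb/devices/*/bInterfaceClass.
SAMPLE = """\
1-1:1.0 03
1-2:1.0 08
1-3:1.0 08
1-3:1.1 03
1-4:1.0 08
1-4:1.1 e0
"""
# Constructed inventory: the role each port's device was bought to fill.
EXPECTED_ROLE = {"1-1": "keyboard", "1-2": "storage",
                 "1-3": "storage", "1-4": "storage"}

def parse_snapshot(text):
    """Group announced interface classes by device port."""
    classes = defaultdict(set)
    for line in text.splitlines():
        if not line.strip():
            continue
        iface, cls = line.split()
        classes[iface.split(":")[0]].add(int(cls, 16))
    return dict(classes)

def audit(text, expected_role):
    """Return {port: [unexpected class names]} for devices outside policy."""
    findings = {}
    for port, seen in parse_snapshot(text).items():
        role = expected_role.get(port)
        allowed = ROLE_POLICY.get(role, set())  # unknown device: nothing allowed
        extra = sorted(seen - allowed)
        if extra:
            findings[port] = [USB_CLASS.get(c, f"class 0x{c:02x}") for c in extra]
    return findings

if __name__ == "__main__":
    for port, extra in audit(SAMPLE, EXPECTED_ROLE).items():
        print(f"{port}: unexpected interface(s): {', '.join(extra)}")
```

A device that re-enumerates with a new class some time after plug-in is only caught if the check runs on every enumeration event, not once at boot.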

The organization says it will be releasing unspecified “tools” on August 7, but whether these are tools to prevent this sort of attack or enable it, they don’t say. The session description, however, does seem to indicate that the researchers will be speaking about how to protect against such attacks, at least theoretically.

A Reuters article on the presentation attributes the vulnerability to a “bug,” but the SR Labs presentation doesn’t make it sound like a bug is involved — simply that the microcode isn’t protected from such malware.

Karsten Nohl, chief scientist at SR Labs, who is one of the co-presenters, also told Reuters that he wouldn’t be surprised if organizations such as the NSA were already using this technique, but the NSA wouldn’t comment to Reuters.

Reuters said Nohl had done this with Google’s Android as well as with microcode on chips from Phison; Phison representatives didn’t think it was possible. Nohl also said that he believed it would work with any vendor’s chips, not just Phison’s.

We’ve said before that it’s really not a good idea to pick up strange USB sticks and use them; it sounds like that’s particularly true now.

Particularly at Black Hat.

2  Comments on this Post

  • Genderhayes
    NetApp helps you recover in the event of a system site outage integration boost your network storage efficiency enhances performances protects more of your critical application and data
  • junnel

    That's useful information. It's possible. That is one reason why I have a different computer for surfing, and a different computer for other online activities. Having a virus in your computer is really a headache. What more if you have a stealth malware, not declaring its presence because it's spying on you and stealing data. I think gone are the days when viruses are destroying programs and hardware. Now they found that it's more rewarding to plant a spy malware on anybody's computer and just sit there silently, gathering and sending data to somewhere in the world.

    It will be dangerous to think that such will not happen. It will happen.