
'BadUSB' malware lives in USB firmware to remain undetected, unfixable

post #1 of 69
Thread Starter 
A pair of researchers has discovered a flaw in the USB protocol's basic architecture that allows for malware to be programmed into a device's firmware, making it nearly undetectable and impossible to patch.




To demonstrate the ubiquitous vulnerability, SR Labs security researchers Karsten Nohl and Jakob Lell created a proof-of-concept called "BadUSB" that can be installed on any universal serial bus device, including memory sticks, keyboards, smartphones and more, to take over a victim's PC, insert or change files, modify DNS settings and otherwise play havoc with host hardware, reports Wired.

BadUSB is not a common piece of malware that can simply be copied onto a USB drive's flash memory. Nohl and Lell reverse engineered the standard USB firmware in charge of transporting files on and off a device, finding that malicious code can be inserted and hidden within through a bit of reprogramming.

"These problems can't be patched," Nohl said. "We're exploiting the very way that USB is designed."

Unless the tainted firmware is itself reverse engineered, the malware is protected from being discovered and will remain on a device even after a disk erasure is performed, a routine process for clearing suspected malicious software.

Further, BadUSB is bidirectional. In other words, if a malware's payload is coded to do so, a thumb drive can infect a computer's USB firmware, which in turn reprograms the firmware of yet another connected USB device, spreading the code silently across any and all systems. In testing, Nohl and Lell found that basically any USB device is vulnerable to the exploit.

As there is no easy fix to malware like BadUSB, the researchers suggest users adopt a new way of thinking about USB hardware. Instead of thoughtlessly transporting files and other data back and forth between machines, Nohl and Lell recommend connecting only to known devices that are user-owned or trusted.

"In this new way of thinking, you can't trust a USB just because its storage doesn't contain a virus. Trust must come from the fact that no one malicious has ever touched it," Nohl said. "You have to consider a USB infected and throw it away as soon as it touches a non-trusted computer."

Nohl and Lell will present their findings, as well as proof-of-concept software, at the Black Hat conference in Las Vegas this August.
post #2 of 69
Stories like these make sense when they can show proof that a person's computer has been infected by this malware instead of some theoretic firmware re-write.

Secondly, I'd also like to know why they say that it's 'impossible to patch'; if one can overwrite the firmware with malicious code can't one also restore the original firmware, were it available for said product?

Thirdly, this doesn't apply to cables I take it, even though there is a cable shown in the article. Personally I'd use a memory stick or something that has firmware embedded.




"proof-of-concept"

That just may work as a company name.
Send from my iPhone. Excuse brevity and auto-corrupt.
post #3 of 69
Quote:
Originally Posted by PhilBoogie View Post



Secondly, I'd also like to know why they say that it's 'impossible to patch'; if one can overwrite the firmware with malicious code can't one also restore the original firmware, were it available for said product?

I read that as impossible to patch the vulnerability, not the rewritten firmware.

post #4 of 69
Quote:
Originally Posted by hmm View Post

Quote:
Originally Posted by PhilBoogie View Post

Secondly, I'd also like to know why they say that it's 'impossible to patch'; if one can overwrite the firmware with malicious code can't one also restore the original firmware, were it available for said product?
I read that as impossible to patch the vulnerability, not the rewritten firmware.

Ah, ok. But if the malware rewrites your DNS settings, can't one simply restore their hosts file from backup or simply change their DNS settings? On second thought, I presume 'the damage' has already been done by making people go to a website they didn't intend to go to. If so, I wonder where all these hackers want people to go to. TOR? Or some sleazy weazy nudity webby site? Convincing men to use their Credit Card for a lifetime subscription of...whatever.

Yeah, whatever. Period.
Send from my iPhone. Excuse brevity and auto-corrupt.
post #5 of 69
Quote:
Originally Posted by PhilBoogie View Post

Secondly, I'd also like to know why they say that it's 'impossible to patch'; if one can overwrite the firmware with malicious code can't one also restore the original firmware, were it available for said product?

Thirdly, this doesn't apply to cables I take it, even though there is a cable shown in the article. Personally I'd use a memory stick or something that has firmware embedded.

1. It's impossible to patch because [you don't have access to the firmware in normal USB access].
It's hidden in the transportation layer, and to detect malicious code, you need to get access to it.
Unless Windows/Mac has the same feature as iOS (iOS flashes firmware to Lightning accessories at every connection)

2. Have you seen the inside of a Lightning cable?
It's basically a chip for proxy, and proxy means you can add/remove messages by code.
And by the way? Do you know many card readers run on USB?

post #6 of 69
My God it's happening. Just like the old gypsy woman said.

"Apple should pull the plug on the iPhone."

John C. Dvorak, 2007
post #7 of 69
Okay, so does this mean I should no longer purchase thumb drives as I have no idea if said manufacturer decided to install said malware on the device?
post #8 of 69
This is interesting.
post #9 of 69
The virtually all statement is crap. Not all USB devices can be reprogrammed over USB.
post #10 of 69
Quote:
Originally Posted by wizard69 View Post

The virtually all statement is crap. Not all USB devices can be reprogrammed over USB.

My reading of this is that it is writing to the firmware of the USB controller which would be standard across the board no matter what the device. So in theory at least ALL devices would be vulnerable.

post #11 of 69
Quote:
Originally Posted by happywaiman View Post

Quote:
Originally Posted by PhilBoogie View Post

Secondly, I'd also like to know why they say that it's 'impossible to patch'; if one can overwrite the firmware with malicious code can't one also restore the original firmware, were it available for said product?


Thirdly, this doesn't apply to cables I take it, even though there is a cable shown in the article. Personally I'd use a memory stick or something that has firmware embedded.

1. It's impossible to patch because [you don't have access to the firmware in normal USB access].
It's hidden in the transportation layer, and to detect malicious code, you need to get access to it.
Unless Windows/Mac has the same feature as iOS (iOS flashes firmware to Lightning accessories at every connection)

2. Have you seen the inside of a Lightning cable?
It's basically a chip for proxy, and proxy means you can add/remove messages by code.
And by the way? Do you know many card readers run on USB?


Hmm, interesting info, thanks. Yes, I have seen the inside of the Lightning cable over here:

http://appleinsider.com/articles/12/10/16/lightning-cables-authentication-chip-found-to-offer-just-enough-security



Also may have been reversed-engineered:

http://appleinsider.com/articles/12/10/09/apples-lightning-authentication-chip-may-have-been-reverse-engineered

As for Card Readers, can one write malicious code on a Card and thusly insert code on the Reader?
Send from my iPhone. Excuse brevity and auto-corrupt.
post #12 of 69
Perhaps a thunderbolt to USB breakout box could patch it, theoretically? Or block it, rather. More thunderbolt to the people anyways.
post #13 of 69

Last year I listened to a tech guy who is familiar with much of the things done by the covert spy agencies of the USA. He said that for more than a decade these alphabet agencies have been using programmed hardware bits installed in computers to have full access to them. This included iPhones. They grab devices before or after they are sold to certain people and install the bug. Unless somebody opened up the machines and had full knowledge of what belonged on those mother boards the device would go undetected. Whenever these devices connected to the internet they would report home. The cell phone bugs would radio home whenever they received the proper signal to transmit.

 

It is possible that this "vulnerability" was engineered into USB from the start.

post #14 of 69
This sort of thing is more likely to be exploited by government agencies but if it's easy enough to setup, I could see it being used by inexpensive USB webcams, card readers and storage pens and other things that would come from China on eBay or Amazon. Malware authors these days just want to get click revenue. They don't need to snoop on users or anything like that, the following person made millions from infecting Android devices and harvesting email addresses to invite 37 million people to a dating site, where they'd have ad banners and other revenue generating things:

http://www.androidauthority.com/millionaire-poker-player-arrested-android-malware-249838/

A DNS infection over USB could similarly send people to ad sites.

This is one area where iOS and other devices lacking these ports helps them to be more secure. The same goes for not having 3rd party runtimes like Flash, Java etc. The extra functionality is nice to have but with such a high volume of users, more people are protected without the functionality most of them don't miss. Surface's USB ports are ok as they don't have a high volume of users.
post #15 of 69
iDevices are worthless because they don't have a UBS connector like Android or Surface devices. Yeah...
"That (the) world is moving so quickly that iOS is already amongst the older mobile operating systems in active development today." — The Verge
post #16 of 69
No, you would put the code in the firmware of the card reader.

All of this is very much true, I learned about it during security training for my job just over a year ago. I thought it was already commonplace knowledge (among security types, anyway), but maybe this is the first time someone has published a complete how-to and proof-of-concept.

Remember when that Iranian nuclear enrichment center got owned a couple years ago? It's widely believed that was accomplished through this technique.

@wizard69: you're reading it wrong. Even usb mice can be used as a vector.
post #17 of 69
Think of it this way: the usb bus is like this computer lab full of computers that have no passwords whatsoever. When you add another computer to the LAN, every computer has complete access to every other computer. There is no authentication or security system -- by design.

You might be thinking "okay but in windows it asks if I want to install drivers for [some device], can't you approve access at that point?" The device is already on the bus with full access, without that windows can't even get as far as asking if you want to deny access.

I would worry less about blank USB keys from factories than I would USB keys from strangers, but again, even a usb mouse could install a Trojan or a key logger or whatever.
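
What a host can still check at the point described in the post above, as an added example that is not part of the thread: the interface classes a device announces in its configuration descriptor, compared with what that device is supposed to be. The `EXPECTED` policy, the device labels and the sample descriptors are constructed for illustration.

```python
import struct

DT_CONFIG, DT_INTERFACE, DT_ENDPOINT, DT_HID = 0x02, 0x04, 0x05, 0x21
CLS_HID, CLS_STORAGE = 0x03, 0x08               # bInterfaceClass values
HID_BOOT = {1: "keyboard", 2: "mouse"}          # bInterfaceProtocol when subclass == 1

# Hypothetical site policy: device label -> interface classes that label may expose.
EXPECTED = {"flash-drive": {CLS_STORAGE}, "keyboard": {CLS_HID}, "mouse": {CLS_HID}}


class DescriptorError(ValueError):
    """The blob is not a well-formed configuration descriptor."""


def parse_interfaces(blob):
    """Return [(number, class, subclass, protocol)] for alternate setting 0 of each interface."""
    if len(blob) < 9 or blob[0] != 9 or blob[1] != DT_CONFIG:
        raise DescriptorError("missing configuration descriptor header")
    total = struct.unpack_from("<H", blob, 2)[0]      # wTotalLength
    if total < 9 or total > len(blob):
        raise DescriptorError("wTotalLength does not fit the data")
    found, off = [], 9
    while off < total:
        if off + 2 > total:
            raise DescriptorError("dangling byte at end of descriptor")
        length, dtype = blob[off], blob[off + 1]
        if length < 2 or off + length > total:
            raise DescriptorError(f"bad bLength at offset {off}")
        if dtype == DT_INTERFACE:
            if length < 9:
                raise DescriptorError(f"short interface descriptor at offset {off}")
            num, alt, _neps, cls, sub, proto = struct.unpack_from("<6B", blob, off + 2)
            if alt == 0:
                found.append((num, cls, sub, proto))
        off += length                                  # skip HID, endpoint, other descriptors
    return found


def audit(label, blob):
    """Return findings; an empty list means the announced interfaces fit the label."""
    allowed = EXPECTED[label]
    interfaces = parse_interfaces(blob)
    findings = []
    if len(interfaces) != blob[4]:                     # bNumInterfaces
        findings.append(f"bNumInterfaces={blob[4]} but {len(interfaces)} described")
    for num, cls, sub, proto in interfaces:
        if cls not in allowed:
            findings.append(f"interface {num}: class 0x{cls:02x} not expected for a {label}")
        elif cls == CLS_HID and sub == 1 and HID_BOOT.get(proto, label) != label:
            findings.append(f"interface {num}: HID boot {HID_BOOT[proto]} on a device labelled {label}")
    return findings


# --- Constructed sample descriptors (not captured from real hardware) ---
def _endpoint(addr, attrs):
    return struct.pack("<BBBBHB", 7, DT_ENDPOINT, addr, attrs, 64, 10)


def _iface(num, cls, sub, proto, n_eps, tail):
    return bytes([9, DT_INTERFACE, num, 0, n_eps, cls, sub, proto, 0]) + tail


def _config(*ifaces):
    body = b"".join(ifaces)
    return struct.pack("<BBHBBBBB", 9, DT_CONFIG, 9 + len(body), len(ifaces), 1, 0, 0x80, 50) + body


_BULK_PAIR = _endpoint(0x81, 2) + _endpoint(0x02, 2)
_HID_TAIL = struct.pack("<BBHBBBH", 9, DT_HID, 0x0111, 0, 1, 0x22, 63) + _endpoint(0x83, 3)
_STORAGE_IF = _iface(0, CLS_STORAGE, 0x06, 0x50, 2, _BULK_PAIR)

PLAIN_DRIVE = _config(_STORAGE_IF)
DRIVE_WITH_KEYBOARD = _config(_STORAGE_IF, _iface(1, CLS_HID, 1, 1, 1, _HID_TAIL))
MOUSE_AS_KEYBOARD = _config(_iface(0, CLS_HID, 1, 1, 1, _HID_TAIL))

if __name__ == "__main__":
    samples = [("flash-drive", PLAIN_DRIVE), ("flash-drive", DRIVE_WITH_KEYBOARD),
               ("mouse", MOUSE_AS_KEYBOARD)]
    for label, blob in samples:
        print(label, audit(label, blob) or "ok")
```

The check only sees what the device chooses to announce; it does not read the firmware, and a non-boot HID interface (protocol 0) does not say what kind of input device it is.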
post #18 of 69
Quote:
Originally Posted by Macky the Macky View Post

iDevices are worthless because they don't have a UBS connector like Android or Surface devices. Yeah...

Although Lightning uses another connector which includes additions on top of usb it still uses USB 2.0 internally so I don't think it is exempt from this vulnerability.
Edited by Chipsy - 8/1/14 at 2:49am
post #19 of 69
Quote:
Originally Posted by Chipsy View Post

Quote:
Originally Posted by Macky the Macky View Post

iDevices are worthless because they don't have a UBS connector like Android or Surface devices. Yeah...

Although Lightning uses another connector which includes additions on top of usb it still uses USB 2.0 internally so I don't think it is exempt from this exploit.

I have no idea if iDevices are exempt or not either. Let's hope the chip in the lightning cable disrupts the exploit. As I read the story, it appears the weakness is built into the UBS protocol which would be hard to protect against if the device meets the UBS standards.
"That (the) world is moving so quickly that iOS is already amongst the older mobile operating systems in active development today." — The Verge
post #20 of 69
It seems to me that the solution to this is nonwritable firmware. Since this exploit only talks to an immediately connected device, firmware that either can't be written to at all (ROM) or can only be written to from a secured connection (i.e. the OS) should insulate against this.
post #21 of 69
Quote:
Originally Posted by Macky the Macky View Post

I have no idea if iDevices are exempt or not either. Let's hope the chip in the lightning cable disrupts the exploit. As I read the story, it appears the weakness is built into the UBS protocol which would be hard to protect against if the device meets the UBS standards.

As far as I know that chip only authenticates the cable to an iDevice, but it is always possible that it has another function we aren't aware of yet. It looks indeed to be the case, as you say, if it's in the USB protocol all devices that implement it would be vulnerable.
Edit: maybe this will spur on Apple to release a Lightning to Thunderbolt cable.
Edited by Chipsy - 8/1/14 at 3:19am
post #22 of 69
Quote:
Originally Posted by Macky the Macky View Post

iDevices are worthless because they don't have a UBS connector like Android or Surface devices. Yeah...

Nobody uses a 'UBS' connector. ;)
"Few things are harder to put up with than the annoyance of a good example" Mark Twain
"Just because something is deemed the law doesn't make it just" - SolipsismX
post #23 of 69
Quote:
Originally Posted by longpath View Post

It seems to me that the solution to this is nonwritable firmware. Since this exploit only talks to an immediately connected device, firmware that either can't be written to at all (ROM) or can only be written to from a secured connection (i.e. the OS) should insulate against this.

 

Yes, I thought of this, too. But the more complicated the USB device is, the less likely a ROM is appropriate. A ROM seems fine for a USB flash drive, keyboard, or mouse, but a router would need the ability for future updates.

 

But plugging in many different flash devices is a greater possibility than different routers, so the easier vulnerability path would be cut off (if flash drives with firmware in ROM were used).

post #24 of 69

These researchers have done little more than build a proof-of-concept demonstration of a vulnerability that has been well understood and discussed openly by a myriad of security researchers for many years. Here's a paper from 2011:

 

https://media.blackhat.com/bh-us-11/Davis/BH_US_11-Davis_USB_WP.pdf

 

There is nothing new here other than the increased level of sensationalism surrounding this latest reminder that the USB protocol is inherently insecure. Not a surprise and nothing new. The same exact statement can be said for many other connectivity protocols. Since USB is still in wide use in many consumer products it's obviously the one that draws the most attention. With this in mind it should come as no surprise that products built to work in secure environments do not contain standard USB capability or severely limit, physically, who and what is allowed to use the USB ports.

 

Looking behind the sensationalism you have to realize that there was a time in the world when the primary objective was just getting devices to talk to one another. All we cared about was connectivity, integration, and convenience. Unfortunately, whenever humans are involved there are those who strive to exploit the things that bring productive value and enjoyment to our lives for nefarious reasons. It's the never ending struggle between the good and evil that is deeply programmed into the human DNA. 

 

The only safe assumption today is to assume that everything that was not specifically designed to counteract human evil, and in some cases human error, is vulnerable. Going forward it's important that every aspect and form of connectivity be security aware and be constantly verified and re-verified to be safe from what we know about the constantly evolving science of humans committing evil against each other. This is a tough problem to solve considering how we've gone from clubbing one another with rocks and sticks to hydrogen bombs and point-and-click-you're-dead drones. It's kind of sad that this is the reality, and if it weren't offset by the tremendous good that is also in human DNA none of us would be here today.

 

I expect that either conventional USB will be deprecated and replaced with a secure USB protocol or it will be abandoned entirely for IP based connectivity under the guise of the "Internet of Things" (IoT). Looking beyond the buzzwords this basically comes down to everything being connected using what is currently used for ethernet connectivity. Portable devices no matter how small will have a secure IP stack and have to be authenticated and authorized as if they are users logging into a secure system. This will include presenting credentials and exchanging certificates to establish a trust relationship between communicating devices. This could be done on top of a modified form of the USB protocol, but why bother patching USB to be secure when there is already a securable communication mechanism in place that will scale down to a level that is needed to support IoT?

 

In other words, it would be easy to say that USB is not dead yet, but it's definitely walking The Green Mile.

post #25 of 69
This is the beginning of the end for USB. Fortunately, we have FireWire for low latency, Thunderbolt for bandwidth, and Lightning for portability. All three are heavily promoted by Apple, and none of the three is vulnerable. USB has been trying to play a competitor with all three, and now USB is going to finally get out of the way of progress and thoughtful design. Good riddance.
post #26 of 69
So now what we need is a USB device with non-writeable firmware (in ROM) that, when plugged in, will turn on a big red LED if something attempts to rewrite its firmware. Instant malware-spread detector. Other versions could, hopefully, reinject proper computer firmware or even inject a vulnerability patcher when one becomes available. Looks like a whole new class of device waiting to be born.

I wonder if Thunderbolt has a similar level of access to its bus. I guess it must have since, as USB to Thunderbolt bridges exist, all the USB primitive operations must be supported over Thunderbolt - i.e., unless Thunderbolt blocks some USB primitives, Thunderbolt is likely to be a malware vector too.
Edited by softeky - 8/1/14 at 5:02am
post #27 of 69
Quote:
Originally Posted by Smallwheels View Post

 

It is possible that this "vulnerability" was engineered into USB from the start.

 

Or more likely - it is a consequence of the way in which USB was originally designed and it didn't occur to anyone that it could be exploited in this way - or if the possibility of exploit existed that it was too obscure or would require a level of knowledge or access to exploit that it was considered low risk. 

post #28 of 69
If a regular computer can rewrite the firmware of a USB device, then the firmware code is accessible to a malware scan or positive match verification by GPG signature or similar. Seems like basic logic, or am I missing something?
post #29 of 69
Quote:
Originally Posted by Macky the Macky View Post

iDevices are worthless because they don't have a UBS connector like Android or Surface devices. Yeah...

LOL, yes along with Flash and USB those Android and Microsoft devices are going to have oodles of fun!

Apple has pretty well long since reduced the use of USB to the bare minimum when you stop and think. Even my printer is now wireless. In my case the only thing left using USB is my keyboard on the nMac Pro as I cannot stand changing batteries in the keyboard, the mouse is bad enough. Everything else I am using is 100% through thunderbolt on the nMac Pro and my Mac mini, both MBPs use Firewire. I tried some USB 3 external drive set ups with the nMac Pro and was very disappointed for several reasons and switched over to all Thunderbolt.

EDIT: I forgot I also use a USB card reader to take photographs and video from my Canon DSLRs in to Aperture but it is only plugged in when needed.
From Apple ][ - to new Mac Pro I've used them all.
Long on AAPL so biased
"Google doesn't sell you anything, they just sell you!"
post #30 of 69

Sensationalist article for a group who wants their 15 minutes of fame. This is basically exploitable for a very controlled setting, but not practical in the real world.

 

The first problem is that you cannot overwrite the firmware in most devices. In the few devices that do allow the firmware to be upgraded, you have to flash it with a compatible firmware. Additionally, one would have to write custom hacks to even try to write to the firmware for the specific device. Just like BIOS, you cannot willy-nilly flash whatever custom firmware you desire without bricking the device. You would have to find the exact USB hardware to target and specifically tailor your attack on them. Given there are thousands -- maybe hundreds of thousands -- of USB devices in the world, this would be completely ineffective.

 

1. Find a USB device that allows the firmware to be updated. The majority do not allow this.

2. Tailor a method to be able to write to said USB device's firmware.

3. Write a custom firmware for the specific USB device.

4. Hope to God that somebody decides to stick the USB device in every machine possible to infect them and somebody else decides to stick the exact same device into the machines, too. Yeah, probably not likely.

 

This is not practical at all.


Edited by Negafox - 8/1/14 at 5:58am
post #31 of 69

Security researchers said the world was ending with the Heartbleed bug. Didn't happen. Security researchers have said the apocalypse was nigh with any number of exploits and bugs. We’re still here. Now they want us to throw away USB devices we don’t ‘trust.’

 

If this so-called un-patchable flaw is so dangerous why would the so-called good guys release a proof of concept exploit to the world? I think most so-called security researchers are paranoid schizophrenics with delusions of grandeur anyway.

post #32 of 69
Quote:
Originally Posted by digitalclips View Post

Quote:
Originally Posted by Macky the Macky View Post

iDevices are worthless because they don't have a UBS connector like Android or Surface devices. Yeah...

LOL, yes along with Flash and USB those Android and Microsoft devices are going to have oodles of fun!

Apple has pretty well long since reduced the use of USB to the bare minimum when you stop and think. Even my printer is now wireless. In my case the only thing left using USB is my keyboard on the nMac Pro as I cannot stand changing batteries in the keyboard, the mouse is bad enough. Everything else I am using is 100% through thunderbolt on the nMac Pro and my Mac mini, both MBPs use Firewire. I tried some USB 3 external drive set ups with the nMac Pro and was very disappointed for several reasons and switched over to all Thunderbolt.

EDIT: I forgot I also use a USB card reader to take photographs and video from my Canon DSLRs in to Aperture but it is only plugged in when needed.

Funny that; I have almost the same setup as you: oMP with wired keyboard, trackpad, sometimes USB card reader. MacMini with HDMI to TV.
Send from my iPhone. Excuse brevity and auto-corrupt.
post #33 of 69
Quote:
Originally Posted by MoFro View Post

Okay, so does this mean I should no longer purchase thumb drives as I have no idea if said manufacturer decided to install said malware on the device?

Certainly not if you have any sensitive info.
This is the kind of attack vector usable e.g. to infiltrate malicious code into nuclear facilities.
One USB stick handed out as advertising at a tradeshow is all that's needed, after that it propagates itself...
Scary shit, just as troublesome the firmware in each Thunderbolt device.

What it boils down to is this:
Plug & play is and remains plug & pray.
If you need to install drivers manually, you can choose not to install, you can virus check the code, compare against published check sums, etc.
But since the entire industry with Apple at the forefront keeps pandering to idiots by trying to make things simple and opaque, they open the door wide for these under the radar attacks. If I have to manually install a driver, there is no "under the radar".
post #34 of 69
Quote:
Originally Posted by lkrupp View Post

Security researchers said the world was ending with the Heartbleed bug. Didn't happen. Security researchers have said the apocalypse was nigh with any number of exploits and bugs. We’re still here. Now they want us to throw away USB devices we don’t ‘trust.’

If this so-called un-patchable flaw is so dangerous why would the so-called good guys release a proof of concept exploit to the world? I think most so-called security researchers are paranoid schizophrenics with delusions of grandeur anyway.

If the world didn't end with the exploit laden, bug ridden, and malware magnet that was Win XP it's not going to end now.
"Few things are harder to put up with than the annoyance of a good example" Mark Twain
"Just because something is deemed the law doesn't make it just" - SolipsismX
post #35 of 69
Quote:
Originally Posted by lkrupp View Post

Security researchers said the world was ending with the Heartbleed bug. Didn't happen. Security researchers have said the apocalypse was nigh with any number of exploits and bugs. We’re still here. Now they want us to throw away USB devices we don’t ‘trust.’

If this so-called un-patchable flaw is so dangerous why would the so-called good guys release a proof of concept exploit to the world? I think most so-called security researchers are paranoid schizophrenics with delusions of grandeur anyway.

No, they are not. Just most people are so poor and uninteresting schmucks that they are at best useful as click-bait.

Start owning some real assets, be in charge of industry or military secrets, be in opposition to any government, etc. and your perspective will change rapidly because ppl who are after what you have will stop at nothing to get what they want.
post #36 of 69
Quote:
Originally Posted by sirozha View Post

This is the beginning of the end for USB. Fortunately, we have FireWire for low latency, Thunderbolt for bandwidth, and Lightning for portability. All three are heavily promoted by Apple, and none of the three is vulnerable. USB has been trying to play a competitor with all three, and now USB is going to finally get out of the way of progress and thoughtful design. Good riddance.

FireWire is no less vulnerable than USB. Attack vectors for FireWire have been known for nearly a decade.

Thunderbolt is believed to be vulnerable as well due to its design roots in PCI and its ability to interoperate with Ethernet adapters, which opens up another attack vector.

It is safe to assume that all connectivity mechanisms that rely on physical access to the device are vulnerable, in large part because requiring physical access provides a blanket level of security. With IoT all bets are off because we assume everything is reachable. This is why future general purpose connectivity solutions should no longer assume physical access as a protection mechanism. There will still be a need for local connectivity but the rules of the game have changed and either you have to be extraordinarily careful about what you connect to your devices or the local connections have to adhere to the same level of scrutiny as remote connections and not treat physical access as inherently secure.
post #37 of 69
Quote:
Originally Posted by AppleInsider View Post

 

Unless the tainted firmware is itself reverse engineered, the malware is protected from being discovered and will remain on a device even after a disk erasure is performed, a routine process for clearing suspected malicious software.


...Nohl and Lell recommend connecting only to known devices that are user-owned or trusted.


"In this new way of thinking, you can't trust a USB just because its storage doesn't contain a virus. Trust must come from the fact that no one malicious has ever touched it," Nohl said. "You have to consider a USB infected and throw it away as soon as it touches a non-trusted computer."
 

 

So if "the malware is protected from being discovered," how can you trust any device? 

TechnoMinds

We are a Montreal based technology company that offers a variety of tech services such as tech support for Apple products, Drupal based website development, computer training and iCloud...

post #38 of 69
Quote:
Originally Posted by PhilBoogie View Post

Stories like these make sense when they can show proof that a person's computer has been infected by this malware instead of some theoretic firmware re-write.

Secondly, I'd also like to know why they say that it's 'impossible to patch'; if one can overwrite the firmware with malicious code can't one also restore the original firmware, were it available for said product?

Thirdly, this doesn't apply to cables I take it, even though there is a cable shown in the article. Personally I'd use a memory stick or something that has firmware embedded.




"proof-of-concept"

That just may work as a company name.

These are always proof of concept, until someone takes advantage of it. The problem is that there is no way to know if they are the first ones to discover this.

And yes, a cable can't do it, only a device plugged in.

But it's also why iPads and iPhones are preferred in organizations. The lack of a standard USB interface minimizes data theft, as infected USB sticks are one of the most common ways of stealing computer data.
post #39 of 69
Quote:
Originally Posted by Negafox View Post

Sensationalist article for a group who wants their 15 minutes of fame. This is basically exploitable for a very controlled setting, but not practical in the real world.

The first problem is that you cannot overwrite the firmware in most devices. In the few devices that do allow the firmware to be upgraded, you have to flash it with a compatible firmware. Additionally, one would have to write custom hacks to even try to write to the firmware for the specific device. Just like BIOS, you cannot willy-nilly flash whatever custom firmware you desire without bricking the device. You would have to find the exact USB hardware to target and specifically tailor your attack on them. Given there are thousands -- maybe hundreds of thousands -- of USB devices in the world, this would be completely ineffective.

1. Find a USB device that allows the firmware to be updated. The majority do not allow this.
2. Tailor a method to be able to write to said USB device's firmware.
3. Write a custom firmware for the specific USB device.
4. Hope to God that somebody decides to stick the USB device in every machine possible to infect them and somebody else decides to stick the exact same device into the machines, too. Yeah, probably not likely.

This is not practical at all.

Almost any computer's firmware can be overwritten. Apple updates firmware whenever they see a problem with it.
post #40 of 69
Quote:
Originally Posted by digitalclips View Post

LOL, yes along with Flash and USB those Android and Microsoft devices are going to have oodles of fun!

Apple has pretty well long since reduced the use of USB to the bare minimum when you stop and think. Even my printer is now wireless. In my case the only thing left using USB is my keyboard on the nMac Pro as I cannot stand changing batteries in the keyboard, the mouse is bad enough. Everything else I am using is 100% through thunderbolt on the nMac Pro and my Mac mini, both MBPs use Firewire. I tried some USB 3 external drive set ups with the nMac Pro and was very disappointed for several reasons and switched over to all Thunderbolt.

EDIT: I forgot I also use a USB card reader to take photographs and video from my Canon DSLRs in to Aperture but it is only plugged in when needed.

Don't forget that Lightning, although it is another connector and has certain additions, also uses USB 2.0 internally. So it in all likelihood isn't exempt from this vulnerability.
But as I said this might finally urge Apple to launch a Lightning to Thunderbolt cable. Which would be exempt from this.