It seems to me that the solution to this is nonwritable firmware. Since this exploit only talks to an immediately connected device, firmware that either can't be written to at all (ROM) or can only be written to from a secured connection (i.e. the OS) should insulate against this.
Yes, I thought of this, too. But the more complicated the USB device is, the less likely a ROM is appropriate. A ROM seems fine for a USB flash drive, keyboard, or mouse, but a router would need the ability for future updates.
But plugging in many different flash devices is a greater possibility than different routers, so the easier vulnerability path would be cut off (if flash drives with firmware in ROM were used).
These researchers have done little more than build a proof-of-concept demonstration of a vulnerability that has been well understood and discussed openly by a myriad of security researchers for many years. Here's a paper from 2011:
https://media.blackhat.com/bh-us-11/Davis/BH_US_11-Davis_USB_WP.pdf
There is nothing new here other than the increased level of sensationalism surrounding this latest reminder that the USB protocol is inherently insecure. Not a surprise and nothing new. The same exact statement can be said for many other connectivity protocols. Since USB is still in wide use in many consumer products it's obviously the one that draws the most attention. With this in mind it should come as no surprise that products built to work in secure environments do not contain standard USB capability or severely limit, physically, who and what is allowed to use the USB ports.
Looking behind the sensationalism you have to realize that there was a time in the world when the primary objective was just getting devices to talk to one another. All we cared about was connectivity, integration, and convenience. Unfortunately, whenever humans are involved there are those who strive to exploit the things that bring productive value and enjoyment to our lives for nefarious reasons. It's the never ending struggle between the good and evil that is deeply programmed into the human DNA.
The only safe assumption today is to assume that everything that was not specifically designed to counteract human evil, and in some cases human error, is vulnerable. Going forward it's important that every aspect and form of connectivity be security aware and be constantly verified and re-verified to be safe from what we know about the constantly evolving science of humans committing evil against each other. This is a tough problem to solve considering how we've gone from clubbing one another with rocks and sticks to hydrogen bombs and point-and-click-you're-dead drones. It's kind of sad that this is the reality, and if it weren't offset by the tremendous good that is also in human DNA none of us would be here today.
I expect that either conventional USB will be deprecated and replaced with a secure USB protocol or it will be abandoned entirely for IP based connectivity under the guise of the "Internet of Things" (IoT). Looking beyond the buzzwords this basically comes down to everything being connected using what is currently used for Ethernet connectivity. Portable devices no matter how small will have a secure IP stack and have to be authenticated and authorized as if they are users logging into a secure system. This will include presenting credentials and exchanging certificates to establish a trust relationship between communicating devices. This could be done on top of a modified form of the USB protocol, but why bother patching USB to be secure when there is already a securable communication mechanism in place that will scale down to a level that is needed to support IoT?
In other words, it would be easy to say that USB is not dead yet, but it's definitely walking The Green Mile.
This is the beginning of the end for USB. Fortunately, we have FireWire for low latency, Thunderbolt for bandwidth, and Lightning for portability. All three are heavily promoted by Apple, and none of the three is vulnerable. USB has been trying to play a competitor with all three, and now USB is going to finally get out of the way of progress and thoughtful design. Good riddance.
So now what we need is a USB device with non-writeable firmware (in ROM) that, when plugged in, will turn on a big red LED if something attempts to rewrite its firmware. Instant malware-spread detector. Other versions could, hopefully, reinject proper computer firmware or even inject a vulnerability patcher when one becomes available. Looks like a whole new class of device waiting to be born.
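The host-side counterpart of this detector idea, and of the "connect only to known devices" advice quoted later in the thread, is to record what a device looked like when it was first trusted and alert when it comes back enumerating differently. The script below is an added illustration, not code from the thread, the researchers, or any real tool; the device identifiers, serials and interface sets are constructed sample data.

```python
"""Host-side baseline check for USB enumeration.

Added illustration for this thread; not code from the thread, from the
researchers, or from any real tool. Descriptor values are constructed.
A device is pinned by (vendor id, product id, serial) plus the interface
classes it exposed when it was enrolled. A re-flashed device usually keeps
its identity but adds what it needs, e.g. a flash drive that comes back
with a keyboard interface, so a change in that shape is the signal.
"""
from dataclasses import dataclass, field

# USB-IF interface class codes.
CDC_COMM = 0x02      # communications class (USB network adapters use CDC)
HID = 0x03           # keyboards, mice
MASS_STORAGE = 0x08
CDC_DATA = 0x0A

# Classes whose sudden appearance on an already-trusted device is the
# BadUSB pattern: keystroke injection, or traffic hijack through a fake NIC.
INJECTION_CLASSES = frozenset({HID, CDC_COMM, CDC_DATA})


@dataclass(frozen=True)
class Device:
    vid: int
    pid: int
    serial: str
    interfaces: frozenset   # interface class codes found in the descriptors


@dataclass
class Baseline:
    """What each trusted device looked like when it was enrolled."""
    known: dict = field(default_factory=dict)

    def trust(self, dev):
        if not dev.serial:
            raise ValueError("refuse to enrol a device without a serial number")
        self.known[(dev.vid, dev.pid, dev.serial)] = dev.interfaces


def evaluate(dev, baseline):
    """Return ('allow' | 'block', [reasons]) for a freshly enumerated device."""
    reasons = []
    if not dev.serial:
        # Without a serial the identity cannot be pinned, so it stays unknown.
        reasons.append("no serial number: identity cannot be pinned")
    expected = baseline.known.get((dev.vid, dev.pid, dev.serial))
    if expected is None:
        reasons.append("not in baseline")
        return "block", reasons
    added = dev.interfaces - expected
    if added & INJECTION_CLASSES:
        reasons.append(f"new interface classes since enrolment: {sorted(added)}")
    return ("block" if reasons else "allow"), reasons


def run_demo():
    """Constructed plug-in events; returns the decision for each one."""
    base = Baseline()
    drive = Device(0x1234, 0x5678, "SN-0001", frozenset({MASS_STORAGE}))
    kbd = Device(0x1234, 0x0001, "KB-0001", frozenset({HID}))
    base.trust(drive)
    base.trust(kbd)
    events = [
        drive,                                                               # unchanged
        Device(0x1234, 0x5678, "SN-0001", frozenset({MASS_STORAGE, HID})),   # drive now also a keyboard
        Device(0x1234, 0x5678, "SN-0002", frozenset({MASS_STORAGE})),        # same model, other unit
        Device(0x1234, 0x5678, "", frozenset({MASS_STORAGE})),               # reports no serial
        Device(0x1234, 0x0001, "KB-0001", frozenset({HID, CDC_COMM, CDC_DATA})),  # keyboard grew a NIC
    ]
    return [evaluate(e, base) for e in events]


if __name__ == "__main__":
    for decision, why in run_demo():
        print(decision, "; ".join(why))
```

The same device identity can of course be cloned by a malicious firmware, so this catches a drive that changes its behaviour, not a purpose-built impostor; it is a detection layer, not a replacement for the ROM-firmware idea above.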
I wonder if Thunderbolt has a similar level of access to its bus. I guess it must have, since USB-to-Thunderbolt bridges exist, so all the USB primitive operations must be supported over Thunderbolt. I.e., unless Thunderbolt blocks some USB primitives, Thunderbolt is likely to be a malware vector too.
It is possible that this "vulnerability" was engineered into USB from the start.
Or more likely - it is a consequence of the way in which USB was originally designed and it didn't occur to anyone that it could be exploited in this way - or if the possibility of exploit existed that it was too obscure or would require a level of knowledge or access to exploit that it was considered low risk.
If a regular computer can rewrite the firmware of a USB device, then the firmware code is accessible to a malware scan or positive match verification by GPG signature or similar. Seems like basic logic, or am I missing something?
iDevices are worthless because they don't have a UBS connector like Android or Surface devices. Yeah...
LOL, yes along with Flash and USB those Android and Microsoft devices are going to have oodles of fun!
Apple has pretty well long since reduced the use of USB to the bare minimum when you stop and think. Even my printer is now wireless. In my case the only thing left using USB is my keyboard on the nMac Pro as I cannot stand changing batteries in the keyboard; the mouse is bad enough. Everything else I am using is 100% through Thunderbolt on the nMac Pro and my Mac mini; both MBPs use FireWire. I tried some USB 3 external drive setups with the nMac Pro and was very disappointed for several reasons and switched over to all Thunderbolt.
EDIT: I forgot I also use a USB card reader to take photographs and video from my Canon DSLRs into Aperture, but it is only plugged in when needed.
Sensationalist article for a group who wants their 15 minutes of fame. This is basically exploitable for a very controlled setting, but not practical in the real world.
The first problem is that you cannot overwrite the firmware in most devices. In the few devices that do allow the firmware to be upgraded, you have to flash it with a compatible firmware. Additionally, one would have to write custom hacks to even try to write to the firmware for the specific device. Just like BIOS, you cannot willy-nilly flash whatever custom firmware you desire without bricking the device. You would have to find the exact USB hardware to target and specifically tailor your attack on them. Given there are thousands -- maybe hundreds of thousands -- of USB devices in the world, this would be completely ineffective.
1. Find a USB device that allows the firmware to be updated. The majority do not allow this.
2. Tailor a method to be able to write to said USB device's firmware.
3. Write a custom firmware for the specific USB device.
4. Hope to God that somebody decides to stick the USB device in every machine possible to infect them and somebody else decides to stick the exact same device into the machines, too. Yeah, probably not likely.
Security researchers said the world was ending with the Heartbleed bug. Didn't happen. Security researchers have said the apocalypse was nigh with any number of exploits and bugs. We're still here. Now they want us to throw away USB devices we don't 'trust.'
If this so-called un-patchable flaw is so dangerous why would the so-called good guys release a proof of concept exploit to the world? I think most so-called security researchers are paranoid schizophrenics with delusions of grandeur anyway.
Funny that; I have almost the same setup as you: oMP with wired keyboard, trackpad, sometimes USB card reader. MacMini with HDMI to TV.
Okay, so does this mean I should no longer purchase thumb drives as I have no idea if said manufacturer decided to install said malware on the device?
Certainly not if you have any sensitive info.
This is the kind of attack vector usable, e.g., to infiltrate malicious code into nuclear facilities.
One USB stick handed out as advertising at a tradeshow is all that's needed, after that it propagates itself...
Scary shit, and just as troublesome is the firmware in each Thunderbolt device.
What it boils down to is this:
Plug & play is and remains plug & pray.
If you need to install drivers manually, you can choose not to install, you can virus check the code, compare against published check sums, etc.
But since the entire industry, with Apple at the forefront, keeps pandering to idiots by trying to make things simple and opaque, they open the door wide for these under-the-radar attacks. If I have to manually install a driver, there is no "under the radar".
If the world didn't end with the exploit laden, bug ridden, and malware magnet that was Win XP it's not going to end now.
No, they are not. It's just that most people are such poor and uninteresting schmucks that they are at best useful as click-bait.
Start owning some real assets, be in charge of industry or military secrets, be in opposition to any government, etc. and your perspective will change rapidly, because people who are after what you have will stop at nothing to get what they want.
FireWire is no less vulnerable than USB. Attack vectors for FireWire have been known for nearly a decade.
Thunderbolt is believed to be vulnerable as well due to its design roots in PCI and its ability to interoperate with Ethernet adapters, which opens up another attack vector.
It is safe to assume that all connectivity mechanisms that rely on physical access to the device are vulnerable, in large part because requiring physical access provides a blanket level of security. With IoT all bets are off because we assume everything is reachable. This is why future general purpose connectivity solutions should no longer assume physical access as a protection mechanism. There will still be a need for local connectivity but the rules of the game have changed and either you have to be extraordinarily careful about what you connect to your devices or the local connections have to adhere to the same level of scrutiny as remote connections and not treat physical access as inherently secure.
Unless the tainted firmware is itself reverse engineered, the malware is protected from being discovered and will remain on a device even after a disk erasure is performed, a routine process for clearing suspected malicious software.
...Nohl and Lell recommend connecting only to known devices that are user-owned or trusted.
"In this new way of thinking, you can't trust a USB just because its storage doesn't contain a virus. Trust must come from the fact that no one malicious has ever touched it," Nohl said. "You have to consider a USB infected and throw it away as soon as it touches a non-trusted computer."
So if "the malware is protected from being discovered," how can you trust any device?
Stories like these make sense when they can show proof that a person's computer has been infected by this malware instead of some theoretic firmware re-write.
Secondly, I'd also like to know why they say that it's 'impossible to patch'; if one can overwrite the firmware with malicious code can't one also restore the original firmware, were it available for said product?
Thirdly, this doesn't apply to cables, I take it, even though there is a cable shown in the article. Personally I'd use a memory stick or something that has firmware embedded.
"proof-of-concept"
That just may work as a company name.
These are always proof of concept, until someone takes advantage of it. The problem is that there is no way to know if they are the first ones to discover this.
And yes, a cable can't do it, only a device plugged in.
But it's also why iPads and iPhones are preferred in organizations. The lack of a standard USB interface minimizes data theft, as infected USB sticks are one of the most common ways of stealing computer data.
This is not practical at all.
Almost any computer's firmware can be overwritten. Apple updates firmware whenever they see a problem with it.
LOL, yes along with Flash and USB those Android and Microsoft devices are gong to have oodles of fun!
Apple has pretty well long since reduced the use of USB to the bare minimum when you stop and think. Even my printer is now wireless. In my case the only thing left using USB is my keyboard on the nMac Pro as I cannot stand changing batteries in the keyboard, the mouse is bad enough. Everything else I am using us 100% through thunderbolt on the nMac Pro and my Mac mini, both MBPs use Firewire. I tried some USB 3 external drive set ups with the nMac Pro and was very disappointed for several reasons and switched over to all Thunderbolt.
EDIT: I forgot I also use a USB card reader to take photographs and video from my Canon DSLRs in to Aperture but it is only plugged in when needed.
Don't forget that Lightning, although it is another connector and has certain additions, also uses USB 2.0 internally. So it in all likelihood isn't exempt from this vulnerability.
But as I said this might finally urge Apple to launch a Lightning to Thunderbolt cable. Which would be exempt from this.
Nobody uses a 'UBS' connector.