These are always proof of concept, until someone takes advantage of it. The problem is that there is no way to know if they are the first ones to discover this.
And yes, a cable can't do it, only a device plugged in.
But it's also why iPads and iPhones are preferred in organizations. The lack of a standard USB interface minimizes data theft, as infected USB sticks are one of the most common ways of stealing computer data.
But can a cable stop it? Say Apple develops a Lightning to Thunderbolt cable. Even though both the iPhone and the cable's Lightning connector support USB 2.0, the iPhone wouldn't be vulnerable anymore because it's connected via Thunderbolt? Is that a correct assessment?
Any device (chip) with (unsecured) firmware can be (maliciously) reprogrammed by anybody with that capability. Any hard drive you plug in could (theoretically) have some bad voodoo programmed into the hardware.
I can see thumb drives being of greatest concern due to their ubiquity, passed around frequently, etc. but… Meh.
Almost any computer's firmware can be overwritten. Apple updates firmware whenever there's a problem with it.
Many small embedded devices do allow firmware to be overwritten, since almost all devices use flash for firmware storage. However, many of these require access to a couple of dedicated pins, usually implemented as a zero-cost couple of pads accessible before it's put in its enclosure.
Funny that; I have almost the same setup as you: oMP with wired keyboard, trackpad, sometimes USB card reader. MacMini with HDMI to TV.
Sorry OT a bit
Of course, smart people are bound to come to similar conclusions as to the best set ups
I'd use HDMI if I could on the Mac mini but my old VGA monitors I am using are all analog. So stuck with TB-VGA converters (same on nMac pro extra 2 screens). By the way, I was surprised to see they sell HDMI to VGA adapters ... isn't VGA analog always and HDMI only digital? Or am I missing something? If so eh?
I do have a pretty nice X-Plane 10 set up now on my nMac Pro running three monitors. Weird thing is I get a better frame rate of 40 fps (with X-Plane almost maxed out) when using one GPU for all three than when sharing GPUs where I get about 30 fps. Perhaps there is a logical reason for this as the window is simply stretched across all three screens. Any thoughts on that?
Conspiracy theorists would say that the EU knew about the vulnerability and that's why they mandated that all mobile devices provide a USB port for "charging" so that they could use that port to spy on their citizens. /s
But can a cable stop it? Say Apple develops a Lightning to Thunderbolt cable. Even though both the iPhone and the cable's Lightning connector support USB 2.0, the iPhone wouldn't be vulnerable anymore because it's connected via Thunderbolt? Is that a correct assessment?
The iPhone and iPad aren't connected with Thunderbolt. Apple uses the Lightning connector for that. Apple doesn't support the full USB protocol through iOS devices. You can't plug a standard USB stick in and send software down the pipe. It's designed to not allow that. That's why it's a pain to move data into, and out of an iOS device. Apple only allows certain types of data to move, and then, everything is sandboxed. As far as I know, there would be no way for this to alter firmware easily, and as Apple isn't using the entire USB firmware stack, this couldn't affect it.
Many small embedded devices do allow firmware to be overwritten, since almost all devices use flash for firmware storage. However, many of these require access to a couple of dedicated pins, usually implemented as a zero-cost couple of pads accessible before it's put in its enclosure.
Sure they do. The intention is to allow that. But iOS devices are different. They aren't open source, and don't have the vulnerability that open source has there. Apple doesn't publish their source code either, and everything, including firmware, is sandboxed.
Conspiracy theorists would say that the EU knew about the vulnerability and that's why they mandated that all mobile devices provide a USB port for "charging" so that they could use that port to spy on their citizens. /s
I just think that the EU is stupid about a lot of things. They have some major idea, and don't consider all the consequences. That is one. They don't want new devices to include a charger. That's their major consideration, they think it's wasteful. So, instead, you'll have to use your old one, or buy a new one separately. Dumb.
So if you have a new, bigger, phone with a bigger battery, your old charger will take a lot longer to charge. So you'll grumble about needing to buy a new, bigger, charger anyway.
Sure they do. The intention is to allow that. But iOS devices are different. They aren't open source, and don't have the vulnerability that open source has there. Apple doesn't publish their source code either, and everything, including firmware, is sandboxed.
I think I may have confused the issue - my point is many embedded devices are not open sourced either, but in any case in order to reprogram firmware on a lot of embedded devices you must remove the board from its enclosure. Not all embedded devices are equipped with boot-loaders.
I didn't think the article was just about iOS, but rather, that USB devices can be re-flashed to carry some kind of computer threat.
Slightly off topic - most of Windows XP was also not open source, but it was always much more vulnerable than some open source OS.
The iPhone and iPad aren't connected with Thunderbolt. Apple uses the Lightning connector for that. Apple doesn't support the full USB protocol through iOS devices. You can't plug a standard USB stick in and send software down the pipe. It's designed to not allow that. That's why it's a pain to move data into, and out of an iOS device. Apple only allows certain types of data to move, and then, everything is sandboxed. As far as I know, there would be no way for this to alter firmware easily, and as Apple isn't using the entire USB firmware stack, this couldn't affect it.
I know it isn't connected with Thunderbolt right now, I suggested it as an alternative to the USB based Lightning connector they use now. So I suggested the possibility of a Lightning connector that supports Thunderbolt.
LOL, yes along with Flash and USB those Android and Microsoft devices are going to have oodles of fun!
You realize Flash hasn't been supported on Android for 2 years now and that Adobe quit supporting mobile versions of Flash almost 3 years ago? The last version of Android to officially support Flash was Android 4.0 Ice Cream Sandwich. Which, according to Google, is just 11% of active devices with an additional 14% of older (Android 2.2 and 2.3) devices.
Although Lightning uses another connector which includes additions on top of USB, it still uses USB 2.0 internally so I don't think it is exempt from this vulnerability.
Lightning is adaptive. It uses whatever it needs to use internally. It is incorrect to imply that it is simply USB:
FireWire is no less vulnerable than USB. Attack vectors for FireWire have been known for nearly a decade.
Thunderbolt is believed to be vulnerable as well due to its design roots in PCI and its ability to interoperate with Ethernet adapters, which opens up another attack vector.
Since when do we know anything whatsoever about the internals of Lightning?
Originally Posted by AppleInsider
…impossible to patch.
YAY. USB is dead now.
Originally Posted by tenly
Conspiracy theorists would say that the EU knew about the vulnerability and that's why they mandated that all mobile devices provide a USB port for "charging" so that they could use that port to spy on their citizens.
I don’t claim they knew, but this proves my statement that government has absolutely no business telling humanity what technology to use. There is no possible way to support the EU’s decision.
My reading of this is that it is writing to the firmware of the USB controller which would be standard across the board no matter what the device. So in theory at least ALL devices would be vulnerable.
No way. I've made some USB firmware myself. I couldn't update the firmware over USB if my life depended on it. The "ALL" is nonsense. The capability to update the firmware has to be built and included, a lot of device makers don't need it and are just not going to bother. Also there are going to be a lot of different architectures the firmware runs on, LPC1700 code is just not going to run on an LPC1200 or PIC.
I know it isn't connected with Thunderbolt right now, I suggested it as an alternative to the USB based Lightning connector they use now. So I suggested the possibility of a Lightning connector that supports Thunderbolt.
I suppose that's possible. But Thunderbolt at present is a power hungry device. I don't think we'll see it in small mobile devices for some time.
You realize Flash hasn't been supported on Android for 2 years now and that Adobe quit supporting mobile versions of Flash almost 3 years ago? The last version of Android to officially support Flash was Android 4.0 Ice Cream Sandwich. Which, according to Google, is just 11% of active devices with an additional 14% of older (Android 2.2 and 2.3) devices.
First time I think I've heard low Android adoption numbers spun positively!
Comments
Nobody uses a 'UBS' connector.
Well, they seem to be connected to Apple... raising the price target to $115 just last week.
Sure they do. The intention is to allow that. But iOS devices are different. They aren't open source, and don't have the vulnerability that open source has there. Apple doesn't publish their source code either, and everything, including firmware, is sandboxed.
So very smart of Apple I'd say!
Although Lightning uses another connector which includes additions on top of USB, it still uses USB 2.0 internally so I don't think it is exempt from this vulnerability.
Lightning is adaptive. It uses whatever it needs to use internally. It is incorrect to imply that it is simply USB:
http://brockerhoff.net/blog/2012/09/23/boom-pins/
http://appleinsider.com/articles/13/05/09/apples-lightning-connector-finally-detailed-in-patent-filing
FireWire is no less vulnerable than USB. Attack vectors for FireWire have been known for nearly a decade.
Thunderbolt is believed to be vulnerable as well due to its design roots in PCI and its ability to interoperate with Ethernet adapters, which opens up another attack vector.
Citations, please.
Your mere claims are insufficient.