'BadUSB' malware lives in USB firmware to remain undetected, unfixable

13

Comments

  • Reply 41 of 68
    Quote:

    Originally Posted by dasanman69 View Post





    Nobody uses a 'UBS' connector. image

     

    Well, they seem to be connected to Apple... raising the price target to $115 just last week. image

  • Reply 42 of 68
    chipsychipsy Posts: 287member
    melgross wrote: »
    These are always proof of concept, until someone takes advantage of it. The problem is that there is no way to know if they are the first ones to discover this.

    And yes, a cable can't do it, only a device plugged in.

    But it's also why iPads and iPhones are preferred in organizations. The lack of a standard USB interface minimizes data theft, as infected USB sticks are one of the most common way of stealing computer data.

    But can a cable stop it? Say Apple develops a lightning to thunderbolt cable. Even though both the iPhone and the cables lightning connector support USB 2.0 the iPhone wouldn't be vulnerable anymore because it's connected via Thunderbolt? Is that a correct assessment?
  • Reply 43 of 68
    bobschlobbobschlob Posts: 1,074member

    Any device (chip) with (unsecured) firmware can be (maliciously) reprogramed by anybody with that capability. Any hard drive you plug in could (theoretically) have some bad voodoo programed into the hardware.

    I can see thumb drives being of greatest concern due to their ubiquity, passed around frequently, etc. but… Meh.

  • Reply 44 of 68
    Quote:

    Originally Posted by melgross View Post





    Almost any computer's firmware can be overwritten. Apple updates firmware whenever there' sales problem with it.

    Many small embedded devices do allow firmware to be overwritten, since almost all devices uses flash for firmware storage. However many of these require access to a couple of dedicated pins, usually implemented as a zero cost couple of pads accessible before its put in its enclosure.

  • Reply 45 of 68
    MacProMacPro Posts: 19,851member
    philboogie wrote: »
    Funny that; I have almost the same setup as you: oMP with wired keyboard, trackpad, sometimes USB card reader. MacMini with HDMI to TV.

    Sorry OT a bit :)

    Of course, smart people are bound to come to similar conclusions as to the best set ups :D

    I'd use HDMI if I could on the Mac mini but my old VGA monitors I am using are all analog. So stuck with a TB-VGA converters (same on nMac pro extra 2 screens). By the way, I was surprised to see they sell HDMI to VGA adapters ... isn't VGA analog always and HDMI only digital? Or am I missing something? If so eh?

    I do have a pretty nice X-Plane 10 set up now on my nMac Pro running three monitors. Weird thing is I get a better frame rate of 40 fps (with X-Plane almost maxed out) when using one GPU for all three than when sharing GPUs where I get about 30 fps. Perhaps there is a logical reason for this as the windows is simply stretched across all three screens. Any thoughts on that?
  • Reply 46 of 68
    tenlytenly Posts: 710member
    Conspiracy theorists would say that the EU knew about the vulnerability and that's why they mandated that all mobile devices provide a USB port for "charging" so that they could use that port to spy on their citizens. /s
  • Reply 47 of 68
    melgrossmelgross Posts: 33,645member
    chipsy wrote: »
    But can a cable stop it? Say Apple develops a lightning to thunderbolt cable. Even though both the iPhone and the cables lightning connector support USB 2.0 the iPhone wouldn't be vulnerable anymore because it's connected via Thunderbolt? Is that a correct assessment?

    The iPhone and iPad aren't connected with Thunderbolt. Apple uses the Lightning connector for that. Apple doesn t support the full USB proto call through iOS devices. You can't plug a standard USB stick in and send software down the pipe. It's designed to not allow that. That's why it's a pain to move data into, and out of an iOS device. Apple only allows certain types of data to move, and then, everything is sandboxed. As far as I know, there would be no way for this to alter firmware easily, and as Apple isn't using the entire USB firmware stack, this couldn't affect it.
  • Reply 48 of 68
    melgrossmelgross Posts: 33,645member
    Many small embedded devices do allow firmware to be overwritten, since almost all devices uses flash for firmware storage. However many of these require access to a couple of dedicated pins, usually implemented as a zero cost couple of pads accessible before its put in its enclosure.

    Sure they do. The intention if to allow that. But iOS devices are different. They aren't open source, and don't have the vulnerability that open source has there. Apple doesn't publish their course code either, and everything, including firmware is sandboxed.
  • Reply 49 of 68
    MacProMacPro Posts: 19,851member
    melgross wrote: »
    The iPhone and iPad aren't connected with Thunderbolt. Apple uses the Lightning connector for that. Apple doesn t support the full USB proto call through iOS devices. You can't plug a standard USB stick in and send software down the pipe. It's designed to not allow that. That's why it's a pain to move data into, and out of an iOS device. Apple only allows certain types of data to move, and then, everything is sandboxed. As far as I know, there would be no way for this to alter firmware easily, and as Apple isn't using the entire USB firmware stack, this couldn't affect it.

    So very smart of Apple I'd say!
  • Reply 50 of 68
    melgrossmelgross Posts: 33,645member
    tenly wrote: »
    Conspiracy theorists would say that the EU knew about the vulnerability and that's why they mandated that all mobile devices provide a USB port for "charging" so that they could use that port to spy on their citizens. /s

    I just think that the EU is stupid about a lot of things. They have some major idea, and don't consider all the consequences. That is one. They don't want new devices to include a charger. That's their major consideration, they think it's wasteful. So, instead, you'll have to use your old one, or buy a new one seperately. Dumb.

    So if you have a new, bigger, phone with a bigger battery, you old charger will take a lot longer to charge. So you'll grumble about needing to buy a new, bigger, charger anyway.
  • Reply 51 of 68
    Quote:

    Originally Posted by melgross View Post





    Sure they do. The intention if to allow that. But iOS devices are different. They aren't open source, and don't have the vulnerability that open source has there. Apple doesn't publish their course code either, and everything, including firmware is sandboxed.

    I think I may have confused the issue - my point is many embedded devices are not open sourced either, but in any case in order to reprogram firmware on a lot of embedded devices you must remove the board from its enclosure. Not all embedded devices are equipped with boot-loaders.

    I didn't think the article was just about iOS, but rather, that usb devices can be re-flashed to carry some kind of computer threat.

     

    slightly off topic - Most of Windows XP was also no open source, but it was always much more vulnerable than some open source OS.

  • Reply 52 of 68
    chipsychipsy Posts: 287member
    melgross wrote: »
    The iPhone and iPad aren't connected with Thunderbolt. Apple uses the Lightning connector for that. Apple doesn t support the full USB proto call through iOS devices. You can't plug a standard USB stick in and send software down the pipe. It's designed to not allow that. That's why it's a pain to move data into, and out of an iOS device. Apple only allows certain types of data to move, and then, everything is sandboxed. As far as I know, there would be no way for this to alter firmware easily, and as Apple isn't using the entire USB firmware stack, this couldn't affect it.

    I know it isn't connected with Thunderbolt right now, I suggested it as an alternative to the USB based Lightning connector they use now. So I suggested the possibility of a Lightning connector that supports Thunderbolt.
  • Reply 53 of 68
    Quote:

    Originally Posted by digitalclips View Post





    LOL, yes along with Flash and USB those Android and Microsoft devices are gong to have oodles of fun!

     

    You realize Flash hasn't been supported on Android for 2 years now and that Adobe quit supporting mobile versions of Flash almost 3 years ago? The last version of Android to officially support Flash was Android 4.0 Ice Cream Sandwich. Which, according to Google, is just 11% of active devices with an additional 14% of older (Android 2.2 and 2.3) devices.

  • Reply 54 of 68
    Quote:

    Originally Posted by Chipsy View Post



    [

    Although Lightning uses another connector which includes additions on top of usb it still uses USB 2.0 internally so I don't think it is exempt from this vulnerability.

     

    Lightning is adaptive. It uses whatever it needs to use internally. It is incorrect to imply that it is simply USB:

     

    http://brockerhoff.net/blog/2012/09/23/boom-pins/

    http://appleinsider.com/articles/13/05/09/apples-lightning-connector-finally-detailed-in-patent-filing

  • Reply 55 of 68
    Quote:

    Originally Posted by DewMe View Post



    Fi

    FireWire is no less vulnerable than USB. Attack vectors for FireWire have been known for nearly a decade.



    Thunderbolt is believed to be vulnerable as well due to its design roots in PCI and its ability to interoperable with Ethernet adapters, which opens up another attack vector.

     

    Citations, please.

     

    Your mere claims are insufficient.

  • Reply 56 of 68
    tallest skiltallest skil Posts: 43,388member
    Originally Posted by Chipsy View Post

    …Lightning uses… …USB 2.0 internally…

     

    Since when do we know anything whatsoever about the internals of Lightning?

     

    Originally Posted by AppleInsider View Post

    …impossible to patch.

     

    YAY. USB is dead now.

     

    Originally Posted by tenly View Post

    Conspiracy theorists would say that the EU knew about the vulnerability and that's why they mandated that all mobile devices provide a USB port for "charging" so that they could use that port to spy on their citizens.

     

    I don’t claim they knew, but this proves my statement that government has absolutely no business telling humanity what technology to use. There is no possible way to support the EU’s decision.

  • Reply 57 of 68
    My reading of this is that it is writing to the firmware of the USB controller which would be standard across the board no matter what the device. So in theory at least ALL devices would be vulnerable.
    No way. I've made some USB firmware myself. I couldn't update the firmware over USB if my life depended on it. The "ALL" is nonsense. The capability to update the firmware has to be built and included, a lot of device makers don't need it and are just not going to bother. Also there are going to be a lot different architectures the firmware runs on, LPC1700 code is just not going to run on an LPC1200 or PIC.
  • Reply 58 of 68
    Hmmmm wonder how that got in there? NSA spy who was put on the USB design crew? Just as their own files say they do.
  • Reply 59 of 68
    melgrossmelgross Posts: 33,645member
    melgross wrote: »
    I just think that the EU is stupid about a lot of things. They have some major idea, and don't consider all the consequences. That is one. They don't want new devices to include a charger. That's their major consideration, they think it's wasteful. So, instead, you'll have to use your old one, or buy a new one seperately. Dumb.
    chipsy wrote: »
    I know it isn't connected with Thunderbolt right now, I suggested it as an alternative to the USB based Lightning connector they use now. So I suggested the possibility of a Lightning connector that supports Thunderbolt.

    I suppose that's possible. But Thunderbold at present is a power hungry device. I don't think we'll see it in small mobile devices for some time.
  • Reply 60 of 68
    You realize Flash hasn't been supported on Android for 2 years now and that Adobe quit supporting mobile versions of Flash almost 3 years ago? The last version of Android to officially support Flash was Android 4.0 Ice Cream Sandwich. Which, according to Google, is just 11% of active devices with an additional 14% of older (Android 2.2 and 2.3) devices.

    First time I think I've heard low Android adoption numbers spun positively! ;)
Sign In or Register to comment.