"BadUSB" Exploit Makes Devices Turn "Evil"
An anonymous reader writes with a snippet from Ars Technica that should make you (even more) skeptical about plugging in random USB drives, or allowing persons unknown physical access to your computer's USB ports: When creators of the state-sponsored Stuxnet worm used a USB stick to infect air-gapped computers inside Iran's heavily fortified Natanz nuclear facility, trust in the ubiquitous storage medium suffered a devastating blow. Now, white-hat hackers have devised a feat even more seminal—an exploit that transforms keyboards, Web cams, and other types of USB-connected devices into highly programmable attack platforms that can't be detected by today's defenses. Dubbed BadUSB, the hack reprograms embedded firmware to give USB devices new, covert capabilities. In a demonstration scheduled at next week's Black Hat security conference in Las Vegas, a USB drive, for instance, will take on the ability to act as a keyboard that surreptitiously types malicious commands into attached computers. A different drive will similarly be reprogrammed to act as a network card that causes connected computers to connect to malicious sites impersonating Google, Facebook or other trusted destinations. The presenters will demonstrate similar hacks that work against Android phones when attached to targeted computers. They say their technique will work on Web cams, keyboards, and most other types of USB-enabled devices.
Do I need to be concerned about this?
Here comes the digitally signed / encrypted usb dongles for USB 4.x, where every device has a firmware signature encrypted within the device and part of the usb handshake will be to read the entire firmware to re-calc the signature to make sure it matches, with a 3rd comparison via the internet to a usb device registry.
Then the criminals will figure out how to falsify the signature with the bad firmware anyway.
I thought it was common sense not to plug in untrusted devices to your computer. Especially unknown thumb drives, unless you can use them in a read only device.
And everyone said that when Hardison would program USB sticks to type stuff and send all the data back to headquarters when they just plugged it in a computer that it was not real. It turns out he was just ahead of everyone else.
Peter predicted that you would "deliberately forget" creation 2000 years ago...
...with a 3rd comparison via the internet to a usb device registry.
That makes the whole concept dead on arrival. Anything that requires a connection is no damn good, aside from a remote terminal, I suppose
“He’s not deformed, he’s just drunk!”
From the article, it seems like this attack is done by hardware-modifying a USB stick so that the firmware can be changed. While I get that this is a major problem for organizations that have a bunch of computers that could potentially have one of these things inserted into them, for most people it doesn't seem like a problem. The most I can see happening with this is someone putting bad firmware onto a USB device and selling them on EBay or similar as a means of stealing people's data, but I think that would be pretty easy to track - when a whole bunch of people who all bought things from one person suddenly notice that their credit card numbers were stolen, law enforcement will figure out the trick pretty quickly.
Windows loves to install USB drivers for all sorts of things. A couple NSA letters later and MS is now sending NSA payloads. They do not even have to ever touch the hardware.
Sure this is the case with any hardware and MS but you would assume a secure facility would lock it down. But USB now you have the sneaker net issues.
No sir I dont like it.
Most keyboards and other such devices use PIC, or similar, USB microcontrollers (e.g. PIC18F14K50). If the developers didn't lock down the programmability of the existing microcontroller they can easily be reprogrammed. Albeit - usually not through the USB port - but through other pins on the chip. That requires physical access to the keyboard to plant the malicious code. As long as the device uses the OS's HUD drivers - nothing needs to be changed/updated/detected on the host side.
Now, to create a new keyboard, camera, drive, etc. that has malicious code built in from the get-go... is, actually, rather trivial. And, again, so long as the developers stick to the HUD drivers - this is not much more than an afternoon project.
In other words - been there - done that. Nothing to see here. Move along.
Go pick up Microchip's Low Pin Count USB Development KIT for around $100 from Mouser - you get a programmer and development board. Download the compilers and have at it.
I think the reason no one reported this before is that everyone thought that someone already did.
Of course the 3rd comparison would/could only be done "when" or "if" the device is "online"...
Perhaps something simple like a USB device checker - where any usb devices would be plugged in before they could be attached to a system that would confirm the device's firmware, signatures, etc...
just ask the user whether they want that second keyboard, network card, or mouse attached. And a malicious DNS server is also not the thing that doesn't let me sleep at night -- https was designed for that.
This kind of attack is not new, the new part are the examples of generic devices with hacked firmware to do that. This can be solved easily requesting user authorization before activating any USB device type, for example, before telling the system that there is a new USB network device, ask the user for confirmation. The trick is with input devices, where the new device could be replacing a broken one (keyboard or mouse), the confirmation can be done requesting the user to type a code displayed on screen or using the mouse to use an on-screen keyboard in order to accept the input device for general usage. The other problem is with devices permanently attached, assume that any attached device at boot time is trusted. If someone replaced your USB device when you weren't present other more awful things could have been done.
Don't forget how easy it is to program the little ARM processor on a WiFi SD card: http://haxit.blogspot.ch/2013/08/hacking-transcend-wifi-sd-cards.html
I was wondering where the AntiMS bullshit was
Yet another annoyance, necessary in this "modern" world...
While not a real solution at all, it should be easy for any OS to at least offer pop-up an approval when you plug in a USB device. E.g. "Do you want to connect this keyboard"? That would be a red flag if you didn't think it was a keyboard and give you a chance to deny it.
Maybe skip the warning for pure storage devices - but warn for anything else. It might be disconcerting to have a warning for "Connect this video camera" when you were plugging in a keyboard.
This issue is a bit more complicated than you think.
A little dab 'll do ya ...
Just another reason why you shouldn't stick foreign objects in your orifices...
Almost any hardware component can be tampered with.
What about my PS/2 keyboard ;)
sledgehammer the sumbuck into dust and buy a new computer. no problem.
if this is supposed to be a new economy, how come they still want my old fashioned money?
We need an intermediate USB reader with programmable capabilities to display the USB ROM code and display that before the system is manually allowed to connect to it.
BUILD IT!
A couple NSA letters later and MS is now sending NSA payloads.
Because they couldn't already do this with network-distributed software updates?
OK, this makes a bit more sense than the MSM version I read half an hour ago. In that article, they made it sound like USB keyboards were spreading a virus by reprogramming the USB controller chips on motherboards, which sounded a bit too far fetched to me (maybe one brand could be vulnerable - but a widespread problem?). In the Ars story it sounds more like they are reprogramming the firmware in the USB device itself to act as a different device. Cute trick, possibly useful against a carefully chosen target, but the likelihood of a widespread attack seems minimal. And auditing your devices would be quite easy - just keep an eye on what device types are showing up in /sys/bus/usb or device manager.
Time to dig those PS/2 keyboards and mice out of the back of the closet, I guess..
Are YOU using the TOOL, or is the TOOL using YOU? Think about it!
If you had the money/resources, you could create these things by the thousand and bulk-mail these to major companies. It would stand to reason that somebody would end up plugging them into their office computer, enabling a back door.
You could go even further and create hacked 5 port switches or access points and ship them off to big company branch offices, where users may be more likely to ignore standards or be short on resources and use those kinds of things anyway. You could put a return label on it for the office supply company or even the HQ office so that users thought it was something they had gotten by accident.
I'd bet in a lot of cases people would just say "sweet" and go ahead and use them in the office, giving you a back door. A switch or access point would have enough space inside that custom hardware could be inserted giving a lot better back door, like having your own computer on their network.
Wouldn't it be much simpler to make USB device firmware not upgradeable? When have you ever updated the firmware on a mouse or keyboard? If there's a legitimate need to leave them upgradeable, put in a jumper or switch that is off by default.
It's the only OS I know that updates firmware on devices without me asking for it.
All you need to do is have the USB drive mounted by a locked down device. Example, RasPi set to read only on the OS and disable everything all it does is mounts the USB drive and then offers up the contents via the network.
I don't care what you have in the USB stick it will not auto run and infect. Then you can look at the contents with another pc via the network and see the real contents or even run automated tests on it before it is available to the users machine.
It is not hard to make something that will stop this crap.
Do not look at laser with remaining good eye.
That makes the whole concept dead on arrival. Anything that requires a connection is no damn good, aside from a remote terminal, I suppose
How else do you plan to distribute a CRL? The firmware can get programmed with the updated certificate store when you have access to the CRL, but it can operate fine offline without it (accepting the enhanced risk).
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
How is this a significantly different concept from his PHUKD (Programmable HID USB Keystroke Dongle) devices from 2010?
http://www.irongeek.com/i.php?page=security/programmable-hid-usb-keystroke-dongle
(great acronym, btw)
Add an extra pin to the device side connector. The pin is left unconnected on standard USB cables and firmware functions are disabled. Connect via a patch cable that swaps the data line for the patch line on the device side and the device will respond with firmware functions only, and disable regular operation.
This would effect an extremely cheap write protect switch. (after the chip redesign to accommodate the change)
Mom and Pop's heads would explode though, so it will never happen, but it seems technically feasible.
A usb bridge device that blocks firmware updates (via a protocol whitelist) would help in the interim. Not sure anything like that exists at the moment. (there are USB write blockers for use in forensics with mass storage devices. Presumably they could be adapted)
Then the hacker simply swaps the hardware for updatable hardware.
Which are embedded entire computers.
What's the point of the device sending keystrokes if it has no idea where they are going? "rm -rf /" ? Won't do much if you don't have a root xterm in focus or the focus is a word processor/browser/game/whatever. Unless it acts like a mouse too and is smart enough to navigate its way around the screen, kick off an xterm, su with the root password etc etc...
But then that's with a proper OS. I guess if you're running windows all bets are off.
Some years ago I was working at a major publicly traded company and corporate had requested a guy from our IT vendor do some maintenance on our servers. He requested access to our server room at which point I said no, but he escalated to my boss who allowed him to enter. Then he wanted access to our primary database server, to plug in a USB drive. I again said no, but the directive from corporate was to allow him to proceed. He plugged in his USB drive and I don't know why or how but the server immediately crashed and a hard drive had failed. It took us weeks to recover.
What they are talking about here infects on firmware/driver level initialization between USB device and computer when plugged in that is an inherent part of the USB standard, before and invisible to any user mode (software) inspection (and how do you plan to see/test that the usb firmware is not infected?). This is not your regular Windows auto-run type problem.
Yet he made a valid point which you did not answer. MS is compromised and we need to face that.
Then the criminals will figure out how to falsify the signature with the bad firmware anyway.
Well, it isn't exactly hard. The computer can't directly access the device firmware. You'd have to trust the device to do that.
At the point where a hacker has physical access to one of your machines, you have bigger problems than whether they're going to swap out your mouse for something more easily hackable.
Bits of code, random ramblings: jakimfett.com
Then the hacker simply swaps the hardware for updatable hardware.
Which would require the hacker to have physical access to the machine. That kind of limits the possibilities for a potential hacker.
You forgot: "And will only work with Windows Secure Computing."
Who I embedded with my cable.
"Trusted" hardware my ass! Has anyone even watched this presentation by Jacob Applebaum?:
https://www.youtube.com/watch?v=dy3-QZLTpbQ
(includes talk about USB chip replacements for spyware purposes)
And soon after that comes the USB device DLC. Out of the box it supports a single left click. $2.99 for the left and middle buttons, $4.99 for a scroll wheel, and a monthly charge of $7.99 to ensure it all stays secure.
I was reading about more capable hacks back in 2005 back when there were people doing attacks against the generic device drivers for ... well, any type of USB device driver. Plus using it to pick up the keyboard or injecting data to mess with other devices on the bus.
TFA sounds to me like a much more limited attack and not all that creative since we've had a decade+ of USB devices that spoofed multiple devices -- I'm specifically thinking of those spoofed CD-ROM drives on some of those old Flash sticks.
Keyboards? doesn't sound all that useful at 1st glance... but finding a fool proof script to open up a terminal on a mac sounds like an interesting challenge. linux? too much variety. windows... getting to the run cmd is easy.
If you don't have a locked screen saver... which has been a MUST forever... a well written script could just be run from anywhere (just post it online, type in the URL and exec the file) which does most everything you need without admin access but could later also trigger some stuff to attempt privilege escalation attacks... like the police can already buy on usb flash (and whose software is signed by the OS vendor as trusted.)
What would really be interesting are attacks that unlock the screen saver... or some generic driver exploit that allows custom error messages to pop up on the OS... "The radiation shield on your monitor has broken, please sit back 4 ft to avoid being irradiated."
Although given the huge number of exploits and flaws in drivers--- I would like to see something push for greater quality and if that means popular USB stick exploits where it spoofs crap hardware to trigger automatic installation of crap drivers... would be nice to see hardware vendor drivers getting banned/noticed for poor quality.
Democracy Now! - uncensored, anti-establishment news
Still better than Firewire's direct external access your system's memory.
...except that plenty of people, even those who should know better, are willing to accept a free flash drive.
And that flash drive also is a HID device, and it's going to sometimes send a series of keystrokes that issue command you don't like.
This entire hack depends on a device that looks like a keyboard, not being a keyboard, but being a keyboard AND a network card - or a flash drive that's ALSO a HID device - or a webcam that's also a BT receiver.
Mainly because it's the first asking for access(Windows), I just no everything out. One of the largest security holes around and it's still fully active.
Give up complete computer security because I want music to play seconds before I could do it myself.
The most obvious route for disaster is a compromised cellphone charger, at least for my usage patterns. Since it'd take me about ten minutes to make a pez-candy-sized PCB with USB-micro-M and USB-micro-F connectors with only the power lines connected between them, I'm wondering if an android phone will charge when it's getting power, regardless of whether the USB is connected, or it won't charge until it's had a USB chat. I recall older devices being able to charge at lower-power (150mA?) but having to negotiate for 500mA. I'm perfectly happy to settle for 150mA for right now, until I can program a little AVR to fake the negotiation process and make me an air-gap charger. I don't have a usb traffic sniffer at work, and am about to lose my pcb fabrication equipment for a couple of weeks, so if I could find out today if it's worth making the pcb I'd do it this afternoon. Anyone know?
Nostalgia's not what it used to be.
Okay, so, instead the blackhats break into the factory that is manufacturing the chips and modify the firmware that is being written to them. Now, every USB keyboard that the company manufactures looks to the computer as both a USB keyboard, and a USB network device.
I'm sure you remember those instances where malware was being pre-installed onto pre-formatted external drives, right?
Sure, there's a lot more to be done to turn that "Fake network device" into something that can trick the OS into treating it as a default gateway, as well as acting as a forwarding device so that modified packets can make it out the _real_ gateway, but... it only needs one weird combination of behaviours... somewhere... to be effective.
Yet he made a valid point which you did not answer. MS is compromised and we need to face that.
Valid? Really? I don't see it. What the hell do drivers have to do with anything?
The USB stick that thinks it’s a keyboard Read more: The USB stick that thinks it’s a keyboard PC Pro blog http://www.pcpro.co.uk/blogs/2...
Calvin:Do you believe in the devil? Hobbes:I'm not sure man needs the help.
It's the only OS I know that updates firmware on devices without me asking for it.
I think that you may be a little confused. I've been using computers for over 20 years and I still haven't seen Windows update a firmware on its own. FIRMware? I think you don't have a clue about what you're talking about.
I bet at least 20% of the USB devices use the same FTDI chip for USB functionality, and another 20% use Atmel AVR microcontrollers. If your malware patched or replaced the Atmel firmware, you could own a lot of systems.
It wouldn't even NEED to continue to work like the original device, so you could just replace the firmware with the Atmel firmware I wrote last night. The user plugs in their webcam or tries to turn it on. The webcam doesn't work anymore. The bad guy doesn't care, at that point he has already owned the machine, just a few seconds after the device was plugged in.
Been There Done That, discovered Ford has good opsec. 0/50 return on 512meg fobs.
Well perhaps the OS should ask the user "I see you've just plugged in a USB device that claims to be both a keyboard and a network adapter. Do you want to give this device both keyboard I/O and network access to your PC?"...
Basically, the same way that when you install an app on a mobile phone, the system prompts you for what capabilities you want to grant the app, your PC OS could do something similar for USB devices.
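Added example, not part of any comment in this thread: posts above suggest watching which device types show up under /sys/bus/usb and questioning a device that claims to be both a keyboard and a network adapter. The script below reads interface class codes from Linux sysfs and lists devices that pair a HID interface with storage or network-like interfaces; the pairing rule, the function names and the sample tree (constructed, vendor ID 0000) are assumptions of this example.

```python
#!/usr/bin/env python3
"""Added example: list USB devices whose interface classes look mismatched."""
import os
import tempfile

# Subset of the USB-IF base class codes.
CLASS_NAMES = {
    0x01: "audio", 0x02: "cdc-communications", 0x03: "hid",
    0x08: "mass-storage", 0x09: "hub", 0x0A: "cdc-data",
    0x0E: "video", 0xE0: "wireless-controller", 0xFF: "vendor-specific",
}
# Heuristic (an assumption of this example): HID plus any of these on one
# device deserves a human look. Legitimate composite devices do exist.
REVIEW_WITH_HID = {"mass-storage", "cdc-communications", "cdc-data",
                   "wireless-controller"}


def read_field(path, default=""):
    try:
        with open(path) as fh:
            return fh.read().strip()
    except OSError:
        return default


def function_name(cls, proto):
    if cls == 0x03:  # HID interface protocol: 1 = keyboard, 2 = mouse
        return {1: "hid-keyboard", 2: "hid-mouse"}.get(proto, "hid")
    return CLASS_NAMES.get(cls, "class-%02x" % cls)


def scan(root="/sys/bus/usb/devices"):
    """Map device name (e.g. "1-3") to its VID:PID and declared functions."""
    devices = {}
    for entry in sorted(os.listdir(root)):
        if ":" not in entry:
            continue  # interface entries are named "bus-port:config.interface"
        base = os.path.join(root, entry)
        try:
            cls = int(read_field(os.path.join(base, "bInterfaceClass")), 16)
            proto = int(read_field(os.path.join(base, "bInterfaceProtocol"), "0"), 16)
        except ValueError:
            continue
        dev = entry.split(":", 1)[0]
        info = devices.setdefault(dev, {
            "ids": "%s:%s" % (read_field(os.path.join(root, dev, "idVendor"), "????"),
                              read_field(os.path.join(root, dev, "idProduct"), "????")),
            "functions": set(),
        })
        info["functions"].add(function_name(cls, proto))
    return devices


def audit(devices):
    """Return (name, ids, functions) for devices mixing HID with REVIEW_WITH_HID."""
    findings = []
    for name, info in sorted(devices.items()):
        funcs = info["functions"]
        if any(f.startswith("hid") for f in funcs) and funcs & REVIEW_WITH_HID:
            findings.append((name, info["ids"], sorted(funcs)))
    return findings


def new_functions(devices, baseline):
    """Functions a known VID:PID exposes now but did not in the baseline.

    baseline maps "vvvv:pppp" to the set of functions recorded earlier.
    """
    changes = {}
    for info in devices.values():
        known = baseline.get(info["ids"])
        if known is not None and info["functions"] - known:
            changes[info["ids"]] = sorted(info["functions"] - known)
    return changes


def build_sample_tree(root):
    """Constructed sysfs-like tree; IDs and class triples are sample values."""
    sample = {
        "1-1": ("0000", "0001", ["08:06:50"]),              # plain flash drive
        "1-2": ("0000", "0002", ["03:01:01"]),              # plain keyboard
        "1-3": ("0000", "0003", ["08:06:50", "03:01:01"]),  # drive + keyboard
        "1-4": ("0000", "0004", ["03:01:01", "e0:01:03"]),  # keyboard + network
    }
    fields = ("bInterfaceClass", "bInterfaceSubClass", "bInterfaceProtocol")
    for dev, (vid, pid, interfaces) in sample.items():
        os.makedirs(os.path.join(root, dev))
        files = {os.path.join(dev, "idVendor"): vid,
                 os.path.join(dev, "idProduct"): pid}
        for n, triple in enumerate(interfaces):
            intf = "%s:1.%d" % (dev, n)
            os.makedirs(os.path.join(root, intf))
            for field, value in zip(fields, triple.split(":")):
                files[os.path.join(intf, field)] = value
        for rel, value in files.items():
            with open(os.path.join(root, rel), "w") as fh:
                fh.write(value + "\n")


if __name__ == "__main__":
    real = "/sys/bus/usb/devices"
    if os.path.isdir(real):
        found = audit(scan(real))
    else:  # not on Linux: fall back to the constructed tree
        with tempfile.TemporaryDirectory() as tmp:
            build_sample_tree(tmp)
            found = audit(scan(tmp))
    for name, ids, funcs in found:
        print("REVIEW %s (%s): %s" % (name, ids, ", ".join(funcs)))
```

The host only sees the interfaces the firmware chooses to announce at enumeration, so a clean result says nothing about the firmware itself; comparing against a recorded baseline with `new_functions` catches a known device that later re-enumerates with extra functions.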
Will my USB Pet Rock be affected?
For example, my keyboard has exactly 256 Bytes of FLASH storage. And if you put malware in there (which it is too small for), it loses its keymap. So "most" is really "some, and in particular devices modified for this" here. In addition, this attack needs to be customized for each specific device, which is expensive. And many devices are not even reprogrammable without circumventing MCU protection bits.
This is mostly a non-issue with regular devices.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
And if it's your first keyboard, how do you answer? Scream "YES" at it, or plug in the compromised mouse?
Even if you just allow HID devices without confirmation, compromised HID devices that click "yes" for you will be next.
99.9% of users will click "OK" or "Accept" see UAC....
Is this OS related?
USB Keyboard Error ... Press F1 to continue
Hell yeah you have a bigger problem! I hope you have a hiding place for your Mountain Dew and your Doritos!
Last night I programmed a chip to act as a USB keyboard and automatically "press" keys. The system did as you described, identifying it as a keyboard, and creating a node in /dev. Something like /dev/keyboard1. It then proceeded to accept the keyboard events exactly as though I'd typed them, without any confirmation by the user. Confirmation by the user would be problematic in the case of a broken keyboard or mouse - the system can't let you use the new keyboard to confirm itself.
I'm using it to brute force a PIN. Some iPhones and Android devices will now accept an external keyboard. With a 4-digit PIN, it should be guessed by the end of the day.
I'll repeat.
Sure this is the case with any hardware and MS but you would assume a secure facility would lock it down. But USB now you have the sneaker net issues.
No sir I dont like it.
... at this point.
What they are talking about here infects on firmware/driver level initialization between USB device and computer when plugged in that is an inherent part of the USB standard, before and invisible to any user mode (software) inspection (and how do you plan to see/test that the usb firmware is not infected?).
Actually, this sounds like an interesting job for a Pi. I just checked the latest raspbian on my Pi and USB is compiled into the kernel (no USB modules, at least nothing obviously so). Recompile the kernel so USB is all loadable modules, then modify the base USB code to report transactions.
Plug your USB stick or disk or keyboard into the Pi, and if it reports that there's a new not-a-USB-stick/disk/keyboard, you know there's malware on the device.
On a different note, does anyone know of any modified firmware for any USB disk or stick that makes it look like a CD-R? (Preferably, a dozen at the same time.) I'd like to get around having to burn an actual CD-R when exporting audio books from Overdrive and then importing them into grip or itunes. And, unfortunately, many of the books I'm trying to write are JUST a bit larger than a CD-RW can handle.
And if it's your first keyboard, how do you answer? Scream "YES" at it, or plug in the compromised mouse?
I've lost track of the times I've had a BIOS report: "Keyboard failure. No keyboard detected. Press F1 to continue...". So no, you don't have to scream at it or plug in a mouse, just press F1. Do'h!
I just turned an ATtiny45 into a SNES gamepad USB controller.
Or they could just get a job at SanDisk.
Oh, wait. I forgot. Americans...
What sneakernet issue? Be more clear. USB devices do not contain installable software, except for the obvious and well-known case of a mass-storage device happening to contain files that can be intentionally or inadvertently executed by the end user after the MSD is connected.
I've lost track of the times I've had a BIOS report: "Keyboard failure. No keyboard detected. Press F1 to continue..."
At which point you plug in a working keyboard and press F1.
There are much worse threats. Thunderbolt and Firewire give the device full access to RAM, with no protection at all. For over a decade companies have been making Firewire and now Thunderbolt devices that dump a running PC's memory for forensic analysis, complete with any encryption keys and passwords that happen to be there. Law enforcement loves them because even if the computer is locked or the user logged out when they get there most operating systems auto-configure newly plugged in devices. Thunderbolt allows pre-boot attacks as well (including cold boot key recovery).
The only way to solve this problem is to train people not plug random stuff into their computers, and to disable Thunderbolt and Firewire ports. Plugging in a random USB memory stick is a risk and many people are starting to understand that, so we just need to extend it to cover all USB devices.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
Hell yeah you have a bigger problem! I hope you have a hiding place for your Mountain Dew and your Doritos!
My bottom desk drawer has a false back; it will snap a photo and tweet it with #SnackThief if opened without proper authorization.
And if it's your first keyboard, how do you answer? Scream "YES" at it, or plug in the compromised mouse?
I've lost track of the times I've had a BIOS report:
"Keyboard failure. No keyboard detected. Press F1 to continue...". So no, you don't have to scream at it or plug in a mouse, just press F1. Do'h!
I remember; it was 153 times that you have seen that message so far.
Possibly explains why the cesg guys got certain usn related chips destroyed on The Guardian kit that had held Snowdens files - perhaps they'd already done this and wanted the evidence removed
At which point you plug in a working keyboard and press F1.
No, at which point you plug in a keyboard, reboot, press DEL or Fwhatever (2?) to go into the BIOS setup, fix the stupid "stop on keyboard error" or similar setting, save and exit, and then pull the keyboard back off.
I develop embedded/standalone systems that won't have a keyboard on them. I usually remember to set the BIOS as one of the first things on any new system, but many times I've gotten the "press F1" instruction when I get to final testing in target configuration.
But mostly I would say ... "whoosh".
Uhmm...every single webcam I've had, from the crap $10 to crap $120 have had firmware updates available from the manufacturer website. Sure, the *frequency* of the update is rare, but they do exist, and it would be *insane* not to make them customer up-gradable in something as complicated as a webcam.
Bob: "Well, we've shipped 100k of these, but apparently it won't work with the new windows update and that new version of windows. Our software team has fixed it in firmware."
Jim: "Great! Let's get it on the site and send out an email to registered folks."
Bob: "Ummm...well, Janoc, our project lead, didn't think upgradability was important...no firmware updates for our cameras. After 5 seconds of searching, I noticed we're the only ones in the market."
Jim: *slaps forehead* "Maybe we shouldn't have hired him using that single slashdot post as a reference."
Most of these devices are manufactured in China. What's to stop the government from planting a little "something extra" in the webcam's controller, or your cheap USB stick etc?
Plenty of avenues for exploit there. Given that the NSA has been known to intercept hardware and implant chips in it, I can see that too, but it's even easier for China
Keyboards plugged in during Windows Installation will be exempt.
The fake HID keyboard can type YES all day, but since the driver software for the fake HID keyboard WON'T be loaded until the user types YES on an existing keyboard we would be OK.
This type of attack could be defeated if Windows had a security setting that forced all devices to have a properly signed INF package available before Windows will install any drivers for it. That INF (and signed catalog file, and possibly driver files) can either be available in Windows update or installed by the end user (from the net, from cd etc.)
More likely for corporate machines a set of approved device driver files would be pre-installed making it impossible to use any USB device not authorized.
If Windows does not install drivers for the device it is a useless lump of silicon plugged into your USB port (well it could still be stealing up to 100ma of power.)
Note that Windows 7 and newer already require a signed driver. But for HID devices Microsoft will use their builtin HID driver (signed by Microsoft) matching by class (HID is a class of devices.) The suggestion is that class matching be disabled and specific matching by vendor and product id be required. That means an INF file with the correct VID/PID be available. And the only way to have that available is with a digital signature.
And just a note, Windows does have some control, google "Managing Hardware Restrictions via Group Policy".
http://www.usb.org/developers/... has been around for a decade and a half. I'm sitting in front of a USB mouse that gets firmware updates. I've flashed USB keys with new firmware. USB devices can and do contain nonvolatile firmware not just flash drives and not just what is general accessed by the OS.
No sir I dont like it.
This is kind of a new version of auto-run, one implemented by all operating systems.
The problem with auto-run is that a CD might tell the computer to do anything, not just what the user would like it to do.
The same problem exists with keyboards. They'll likely just send the keystrokes you type to the computer, much like the vast majority of CDs will only tell your computer to run the game that they contain that you want to play. However, a few will do something else, and the computer will happily do whatever that keyboard tells it to do. Even if it doesn't look like a keyboard, much like those flash drives that don't at all look like CD drives.
Whadsyerproblem? Just press the Any key.
So I'll make my malware pretend to be a plain old USB stick for the first N hours. Then it will simulate an unplug and replug itself in as a keyboard that types "format c:\ncat /dev/zero > /dev/sda\necho bwah hah hah!\n"
It's a basic principle that if an attacker can compromise your hardware, you're fscked. But it looks like the new part is that the malware can go viral, reprogramming USB devices. Whoever was careless enough to release a USB controller with firmware that can be arbitrarily reprogrammed from the host computer needs to be taken out and shot.
Tom Swiss | the infamous tms | my blog
You cannot wash away blood with blood
How about a virtual DVD drive?
Yet another in the inexhaustible stream of BENEFITS from USB and Wireless technology! Love it!
After the fifth try it locks it for 30 seconds. That's why it takes a day to try 10,000 four-digit pins. What it SHOULD do is delay die 30 seconds after the 5th try, 60 seconds after five more, 120 seconds after five more, 240 seconds ..
However, it looks like both companies had general purpose programmers design their security locks, rather than having security professionals do that. Which is a lot like having a handyman design your physical locks, without involving a locksmith. A handyman sometimes* competently INSTALLS a lock, but it should be security professionals designing them.
* very often a handyman or carpenter installs a lock upside down, resulting in early failure of the lock and making it less user-friendly.
It's also a Human Interface Device device?
But mostly I would say ... "whoosh".
It's not a 'whoosh'
The premise that "keyboard missing, press F1 to continue" is "funny" is because you can incorrectly interpret it to mean the following contradiction:
"The keyboard is missing, now press F1 on the keyboard to continue without one"
But it never meant that, it means the far more reasonable:
"The keyboard is missing; I'm currently configured to ensure that one is attached, so please attach one, and then press F1 on it to continue"
Overdrive will only burn CD-R as audio disks. I've tried using a DVDxR (both + and -, and RW and RAM) and it will not burn to those.
Yes, devices have updateable firmware. How is this a "sneakernet issue"? The firmware update does not cause Windows to install anything. Those are orthogonal features.
It's not a 'whoosh'
It's a 'whoosh' for you because you didn't read the entire comment, which included the sentences: "So no, you don't have to scream at it or plug in a mouse, just press F1. Do'h!"
"Just press F1". Read all the words. You seem pretty clear on the idea that you can't "just press F1", you need to find a working keyboard first, and you thought you needed to lecture me on the issue because YOU DIDN'T GET THE JOKE. Admit it.
"The keyboard is missing; I'm currently configured to ensure that one is attached, so please attach one, and then press F1 on it to continue"
Had the BIOS authors intended the error to say that, they would have written the error to say that. Or to say something shorter like "Keyboard error. Attach working keyboard". They did not. You read much more into what the error says than the authors wrote into it.
YOU DIDN'T GET THE JOKE.
I got the joke. That's why it wasn't a whoosh.
Had the BIOS authors intended the error to say that
Lol, BIOS has some of the worst English I've ever read.
Bye.
Let us not forget eSATA as well (SATA too, but that is generally inside the case and harder to mistake). There is though a well-known mitigation, IOMMUs. Many modern processors/chipsets include an IOMMU, but I'm under the impression OS support is less than universal (I'm unsure what Linux kernel versions include support). Protection against DMA attacks is improving, but you're right to still be worried about them.
One example given was a keyboard that can guess your password (watch for the first string you type) and then wakes up your pc in the wee hours to send the keylog to collections web sites. You need not install anything into the OS.
We already know that the NSA has swapped hardware in transit. This just makes it even easier. Often there is no facility to read the firmware back from these devices without physically accessing it and even then it may not be possible.
No sir I don't like it.
HID device? Seriously? You know that USB devices can access DMA, yes? Arbitrary USB devices offer a side-channel to access system memory.
Ughh, time to hard label, physically lock the USB ports and regularly audit every USB device in my Train Control System / Utility SCADA / Nuclear plant / Launch Silo
and a monthly charge of $7.99 to ensure it all stays secure
In some cases, assuming it covers secondary damage, that would be more than worth it.
Well, I might have a way, but it only works on a semi spherical planet in a vacuum.
I have seen ps2 keystroke loggers and USB keystroke+screenshot loggers for years on sale in 'spyshops'. I mean this has been around for ages. Plug in an adapter in between the keyboard and pc on an IT admin and who cares about hacks or viruses, you simply log on.
Or buy off the admin....
Not that I am into this business but aren't the people still the weakest link in any security chain?
IMHO there will always be technological exploits so the focus should be how to handle the fact that you ARE exploited in some way. Throwing up barriers, switching personnel (in function), limiting physical access or monitor people when working on vulnerable systems. Or be a Nice company / institution so you make yourself less of a target.
Just some thoughts :)
Nope. While these chips are common both are way too expensive for mass-produced hardware. Practically every microcontroller has a version with USB interface today and most of mass produced gear doesn't use these - an FTDI bridge is around $1/pop at quantity, that's crazy for a $20-40 end-user price item.
Anyhow, FTDI chips cannot be reprogrammed - you can modify their settings, but they are only a UART/I2C/SPI-to-USB bridge, they don't do anything by themselves. And that something uses e.g. an Atmel AVR chip (actually really rare, they are very expensive for the capabilities they have) doesn't mean that the programming pins are *actually hooked up* to something that is USB-accessible. Some may have the DFU bootloader, but typically they would have the firmware locked. You are way more likely to find various ARM micros and cheap Chinese clones of MCS'51 series these days, but again, that the chip is programmable doesn't mean it could be reprogrammed by the host system!
What they are talking about is USB devices that contain multiple interfaces, eg. a USB mass storage device that also contains a HID interface. The only new thing is that they reprogrammed the firmware of commercial devices. An operating system could well refuse to load the drivers for a HID device that was connected after boot, unless the user granted permissions.
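The policy suggested in the comment above (hold a HID interface that appears after boot until the user approves it), sketched as an added example that is not part of the original comment or any operating system's code. `UsbGate`, the port names and the enumeration events are hypothetical and constructed; the sketch also extends the check to communications-class (network) interfaces and to a port whose interface set changes on re-plug.

```python
from dataclasses import dataclass, field

# USB-IF bInterfaceClass codes
HID, MASS_STORAGE, CDC_COMM = 0x03, 0x08, 0x02
SENSITIVE = {HID, CDC_COMM}  # classes that can type for the user or reroute traffic

@dataclass
class UsbGate:  # hypothetical policy object, not an OS API
    booted: bool = False
    approved: set = field(default_factory=set)     # (port, class) pairs granted
    last_seen: dict = field(default_factory=dict)  # port -> last interface set

    def decide(self, port, classes):
        """Return {class: 'bind' | 'hold'} for one enumeration event."""
        classes = frozenset(classes)
        previous = self.last_seen.get(port)
        self.last_seen[port] = classes
        if previous is not None and previous != classes:
            # Same port, different interface set: drop earlier grants.
            self.approved = {(p, c) for p, c in self.approved if p != port}
        verdict = {}
        for cls in sorted(classes):
            if cls not in SENSITIVE or (port, cls) in self.approved:
                verdict[cls] = "bind"
            elif not self.booted:
                self.approved.add((port, cls))  # present at boot: trusted
                verdict[cls] = "bind"
            else:
                verdict[cls] = "hold"  # wait for an explicit user grant
        return verdict

    def grant(self, port, cls):
        self.approved.add((port, cls))

def run_constructed_scenario():
    """Constructed enumeration events; returns the verdict for each."""
    gate = UsbGate()
    out = [gate.decide("1-1", [HID])]                    # keyboard at boot
    gate.booted = True
    out.append(gate.decide("1-2", [MASS_STORAGE]))       # flash drive
    out.append(gate.decide("1-2", [MASS_STORAGE, HID]))  # re-plugs with a keyboard
    gate.grant("1-2", HID)
    out.append(gate.decide("1-2", [MASS_STORAGE, HID]))  # after user approval
    out.append(gate.decide("1-2", [HID, CDC_COMM]))      # changes shape again
    return out
```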
Then the criminals will figure out how to falsify the signature with the bad firmware anyway.
Not if the user/admin gets to sign the devices (e.g. when they are initially purchased). Or... why not design the devices to carry multiple signatures (including but not limited to the manufacturer)??
I eat Cheetos, you insensitive clod!
Bits of code, random ramblings: jakimfett.com
If it's your first keyboard it should give you a countdown. "You have plugged in a keyboard device. If that's not what you want, unplug in 5 seconds. 4...3....2....1"
And, bonus! The user then tries the device in several other computers in an attempt to troubleshoot, spreading the infection!
If they are able to rewrite the firmware, they should already have some kind of privileged access
Right click should work
I know tobacco is bad for you, so I smoke weed with crack.