"BadUSB" Exploit Makes Devices Turn "Evil"
An anonymous reader writes with a snippet from Ars Technica that should make you (even more) skeptical about plugging in random USB drives, or allowing persons unknown physical access to your computer's USB ports:
When creators of the state-sponsored Stuxnet worm used a USB stick to infect air-gapped computers inside Iran's heavily fortified Natanz nuclear facility, trust in the ubiquitous storage medium suffered a devastating blow. Now, white-hat hackers have devised a feat even more seminal—an exploit that transforms keyboards, Web cams, and other types of USB-connected devices into highly programmable attack platforms that can't be detected by today's defenses. Dubbed BadUSB, the hack reprograms embedded firmware to give USB devices new, covert capabilities. In a demonstration scheduled at next week's Black Hat security conference in Las Vegas, a USB drive, for instance, will take on the ability to act as a keyboard that surreptitiously types malicious commands into attached computers. A different drive will similarly be reprogrammed to act as a network card that causes connected computers to connect to malicious sites impersonating Google, Facebook or other trusted destinations. The presenters will demonstrate similar hacks that work against Android phones when attached to targeted computers. They say their technique will work on Web cams, keyboards, and most other types of USB-enabled devices.
Here comes the digitally signed / encrypted usb dongles for USB 4.x, where every device has a firmware signature encrypted within the device and part of the usb handshake will be to read the entire firmware to re-calc the signature to make sure it matches, with a 3rd comparison via the internet to a usb device registry.
Then the criminals will figure out how to falsify the signature with the bad firmware anyway.
I thought it was common sense not to plug in untrusted devices to your computer. Especially unknown thumb drives, unless you can use them in a read only device.
And everyone said that when Hardison would program USB sticks to type stuff and send all the data back to headquarters when they just plugged it in a computer that it was not real. It turns out he was just ahead of everyone else.
Peter predicted that you would "deliberately forget" creation 2000 years ago...
...with a 3rd comparison via the internet to a usb device registry.
That makes the whole concept dead on arrival. Anything that requires a connection is no damn good, aside from a remote terminal, I suppose
“He’s not deformed, he’s just drunk!”
nah. dunk your computer and USB device in holy water and it's good to go again.
From the article, it seems like this attack is done by hardware-modifying a USB stick so that the firmware can be changed. While I get that this is a major problem for organizations that have a bunch of computers that could potentially have one of these things inserted into them, for most people it doesn't seem like a problem. The most I can see happening with this is someone putting bad firmware onto a USB device and selling them on eBay or similar as a means of stealing people's data, but I think that would be pretty easy to track - when a whole bunch of people who all bought things from one person suddenly notice that their credit card numbers were stolen, law enforcement will figure out the trick pretty quickly.
Windows loves to install USB drivers for all sorts of things. A couple NSA letters later and MS is now sending NSA payloads. They do not even have to ever touch the hardware.
Sure this is the case with any hardware and MS but you would assume a secure facility would lock it down. But USB now you have the sneaker net issues.
No sir I don't like it.
just ask the user whether they want that second keyboard, network card, or mouse attached. And a malicious DNS server is also not the thing that doesn't let me sleep at night -- https was designed for that.
Nah, we are already screwed beyond help.
This kind of attack is not new; the new part is the examples of generic devices with hacked firmware to do that. This can be solved easily by requesting user authorization before activating any USB device type; for example, before telling the system that there is a new USB network device, ask the user for confirmation. The trick is with input devices, where the new device could be replacing a broken one (keyboard or mouse); the confirmation can be done by requesting the user to type a code displayed on screen or by using the mouse with an on-screen keyboard in order to accept the input device for general usage. The other problem is with permanently attached devices: assume that any device attached at boot time is trusted. If someone replaced your USB device when you weren't present, other more awful things could have been done.
Yet another annoyance, necessary in this "modern" world...
While not a real solution at all, it should be easy for any OS to at least offer a pop-up approval when you plug in a USB device. E.g. "Do you want to connect this keyboard"? That would be a red flag if you didn't think it was a keyboard and give you a chance to deny it.
Maybe skip the warning for pure storage devices - but warn for anything else. It might be disconcerting to have a warning for "Connect this video camera" when you were plugging in a keyboard.
This issue is a bit more complicated than you think.
A little dab 'll do ya ...
Just another reason why you shouldn't stick foreign objects in your orifices...
Almost any hardware component can be tampered with.
sledgehammer the sumbuck into dust and buy a new computer. no problem.
if this is supposed to be a new economy, how come they still want my old fashioned money?
A couple NSA letters later and MS is now sending NSA payloads.
Because they couldn't already do this with network-distributed software updates?
It'd probably be easier to implement a little hardware device that places restrictions on device classes that can connect through it and limits hybrid devices (e.g., keyboard+mouse = ok, keyboard+webcam = reject).
OK, this makes a bit more sense than the MSM version I read half an hour ago. In that article, they made it sound like USB keyboards were spreading a virus by reprogramming the USB controller chips on motherboards, which sounded a bit too far fetched to me (maybe one brand could be vulnerable - but a widespread problem?). In the Ars story it sounds more like they are reprogramming the firmware in the USB device itself to act as a different device. Cute trick, possibly useful against a carefully chosen target, but the likelihood of a widespread attack seems minimal. And auditing your devices would be quite easy - just keep an eye on what device types are showing up in /sys/bus/usb or device manager.
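An added example, not part of the original comments: a sketch of the audit suggested above combined with the hybrid-device rule from the comment before it (keyboard+mouse accepted, keyboard+webcam rejected), reading `bInterfaceClass` from a sysfs-style tree such as /sys/bus/usb/devices. The allowlist, the function names and the constructed sample tree with its made-up IDs are assumptions of this example.

```python
#!/usr/bin/env python3
"""Flag USB devices whose interface-class mix falls outside an allowlist."""
import os
import re
import sys
import tempfile

# bInterfaceClass codes as assigned by the USB-IF.
CLASS_NAMES = {
    0x01: "audio", 0x02: "cdc-comm", 0x03: "hid", 0x07: "printer",
    0x08: "mass-storage", 0x09: "hub", 0x0A: "cdc-data", 0x0E: "video",
    0xE0: "wireless", 0xFF: "vendor-specific",
}

# Assumed policy for this example: a device is accepted only if all of its
# interfaces fit inside ONE of these sets. Keyboard+mouse is {"hid"} (both
# are HID); keyboard+webcam or storage+keyboard spans two sets and is flagged.
ALLOWED_COMBOS = [
    {"hid"}, {"mass-storage"}, {"hub"}, {"printer"},
    {"audio", "video"}, {"cdc-comm", "cdc-data"},
]

# sysfs names interfaces "<bus>-<port>[.<port>...]:<config>.<interface>".
IFACE_RE = re.compile(r"^\d+-\d+(?:\.\d+)*:\d+\.\d+$")


def read_attr(path, default=""):
    """Read one sysfs attribute file, returning default if it is absent."""
    try:
        with open(path) as fh:
            return fh.read().strip()
    except OSError:
        return default


def collect(root):
    """Map device name -> {"id": "vid:pid", "classes": set of class names}."""
    devices = {}
    for name in sorted(os.listdir(root)):
        if not IFACE_RE.match(name):
            continue
        try:
            code = int(read_attr(os.path.join(root, name, "bInterfaceClass")), 16)
        except ValueError:
            continue  # attribute missing or unreadable
        dev = name.split(":", 1)[0]
        entry = devices.setdefault(dev, {
            "id": "%s:%s" % (read_attr(os.path.join(root, dev, "idVendor"), "????"),
                             read_attr(os.path.join(root, dev, "idProduct"), "????")),
            "classes": set(),
        })
        entry["classes"].add(CLASS_NAMES.get(code, "0x%02x" % code))
    return devices


def is_allowed(classes):
    """True if every interface class fits inside a single allowed set."""
    return any(classes <= combo for combo in ALLOWED_COMBOS)


def audit(root):
    """Return [(device, "vid:pid", sorted class list)] for rejected devices."""
    return [(dev, info["id"], sorted(info["classes"]))
            for dev, info in collect(root).items()
            if not is_allowed(info["classes"])]


def build_sample_tree(root):
    """Constructed sysfs-like tree; IDs and devices are made up for the demo."""
    sample = {
        "1-1":   ("abcd", "0001", ["03", "03"]),        # keyboard + mouse
        "1-2":   ("abcd", "0002", ["08", "03"]),        # "flash drive" + HID
        "1-3":   ("abcd", "0003", ["0e", "01"]),        # webcam with microphone
        "1-4.1": ("abcd", "0004", ["03", "02", "0a"]),  # keyboard + network
    }
    for dev, (vid, pid, classes) in sample.items():
        os.makedirs(os.path.join(root, dev))
        for attr, value in (("idVendor", vid), ("idProduct", pid)):
            with open(os.path.join(root, dev, attr), "w") as fh:
                fh.write(value + "\n")
        for n, cls in enumerate(classes):
            iface = os.path.join(root, "%s:1.%d" % (dev, n))
            os.makedirs(iface)
            with open(os.path.join(iface, "bInterfaceClass"), "w") as fh:
                fh.write(cls + "\n")


if __name__ == "__main__":
    if len(sys.argv) > 1:            # e.g. /sys/bus/usb/devices on Linux
        findings = audit(sys.argv[1])
    else:
        with tempfile.TemporaryDirectory() as tmp:
            build_sample_tree(tmp)
            findings = audit(tmp)
    for dev, usb_id, classes in findings:
        print("REJECT %s (%s): %s" % (dev, usb_id, " + ".join(classes)))
```

A single pass only sees what each device presents at that moment; a device that later re-enumerates with a different class set, as another comment in this thread describes, is caught only if the check runs on every hotplug event.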
Time to dig those PS/2 keyboards and mice out of the back of the closet, I guess..
Are YOU using the TOOL, or is the TOOL using YOU? Think about it!
If you had the money/resources, you could create these things by the thousand and bulk-mail these to major companies. It would stand to reason that somebody would end up plugging them into their office computer, enabling a back door.
You could go even further and create hacked 5 port switches or access points and ship them off to big company branch offices, where users may be more likely to ignore standards or be short on resources and use those kinds of things anyway. You could put a return label on it for the office supply company or even the HQ office so that users thought it was something they had gotten by accident.
I'd bet in a lot of cases people would just say "sweet" and go ahead and use them in the office, giving you a back door. A switch or access point would have enough space inside that custom hardware could be inserted giving a lot better back door, like having your own computer on their network.
Wouldn't it be much simpler to make USB device firmware not upgradeable? When have you ever updated the firmware on a mouse or keyboard? If there's a legitimate need to leave them upgradeable, put in a jumper or switch that is off by default.
All you need to do is have the USB drive mounted by a locked down device. Example, RasPi set to read only on the OS and disable everything all it does is mounts the USB drive and then offers up the contents via the network.
I don't care what you have in the USB stick, it will not auto run and infect. Then you can look at the contents with another pc via the network and see the real contents or even run automated tests on it before it is available to the user's machine.
It is not hard to make something that will stop this crap.
Do not look at laser with remaining good eye.
That makes the whole concept dead on arrival. Anything that requires a connection is no damn good, aside from a remote terminal, I suppose
How else do you plan to distribute a CRL? The firmware can get programmed with the updated certificate store when you have access to the CRL, but it can operate fine offline without it (accepting the enhanced risk).
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
How is this a significantly different concept from his PHUKD (Programmable HID USB Keystroke Dongle) devices from 2010?
http://www.irongeek.com/i.php?page=security/programmable-hid-usb-keystroke-dongle
(great acronym, btw)
Yes, the "white-hat hackers" are Karsten Nohl and his gang. That's the guy behind the GSM hack. If he wants to know the algorithm that a smart card uses for encryption, he removes layer by layer of the chip and reconstructs the algorithm from the circuits. Nohl does not kid around. If he says it can be hacked, it can.
Then the hacker simply swaps the hardware for updatable hardware.
Which are embedded entire computers.
Here is how it works on many windows computers: windows key, "command," menu key, down key, down key, down key, enter, left key, enter. You now have a command prompt you can do anything on with admin privileges on many computers.
Another option is: windows key + r, "iexplore example.com" as long as that site has some targeted output they are toast.
What they are talking about here infects on firmware/driver level initialization between USB device and computer when plugged in that is an inherent part of the USB standard, before and invisible to any user mode (software) inspection (and how do you plan to see/test that the usb firmware is not infected?). This is not your regular Windows auto-run type problem.
At the point where a hacker has physical access to one of your machines, you have bigger problems than whether they're going to swap out your mouse for something more easily hackable.
Bits of code, random ramblings: jakimfett.com
Who I embedded with my cable.
And soon after that comes the USB device DLC. Out of the box it supports a single left click. $2.99 for the left and middle buttons, $4.99 for a scroll wheel, and a monthly charge of $7.99 to ensure it all stays secure.
I was reading about more capable hacks back in 2005 back when there were people doing attacks against the generic device drivers for ... well, any type of USB device driver. Plus using it to pick up the keyboard or injecting data to mess with other devices on the bus.
TFA sounds to me like a much more limited attack and not all that creative since we've had a decade+ of USB devices that spoofed multiple devices -- I'm specifically thinking of those spoofed CD-ROM drives on some of those old Flash sticks.
Keyboards? doesn't sound all that useful at 1st glance... but finding a fool proof script to open up a terminal on a mac sounds like an interesting challenge. linux? too much variety. windows... getting to the run cmd is easy.
If you don't have a locked screen saver... which has been a MUST forever... a well written script could just be run from anywhere (just post it online, type in the URL and exec the file) which does most everything you need without admin access but could later also trigger some stuff to attempt privilege escalation attacks... like the police can already buy on usb flash (and whose software is signed by the OS vendor as trusted.)
What would really be interesting are attacks that unlock the screen saver... or some generic driver exploit that allows custom error messages to pop up on the OS... "The radiation shield on your monitor has broken, please sit back 4 ft to avoid being irradiated."
Although given the huge number of exploits and flaws in drivers--- I would like to see something push for greater quality and if that means popular USB stick exploits where it spoofs crap hardware to trigger automatic installation of crap drivers... would be nice to see hardware vendor drivers getting banned/noticed for poor quality.
Democracy Now! - uncensored, anti-establishment news
Depends.
I once worked for a company that wrote web banking software. The laptops/desktops/etc of certain employees had a 'driver' that continually monitored the USB ports. If anything plugged into it that had storage on it but not the proper corporate auth key to connect as an approved storage device? It would automatically send an email to the IT department, immediately shut off the entire USB subsystem in the OS, and it stayed that way until the device was re-imaged (in many cases making the device completely useless). It also got you immediately perp-walked out of the building and freshly unemployed, unless you could immediately give them a reasonable (and provable) explanation as to why it happened.
Now in this case, I suspect that if the bad stick presented itself to the OS as a keyboard/mouse/whatever, it may circumvent that (I say "may" because I don't know if it would be able to dump any non-keyboard/mouse-related data onto the machine w/o presenting itself as storage.)
Either way, if you're that worried about it, then epoxy the USB ports shut (well, except on the phone for obvious reasons...)
Quo usque tandem abutere, Nimbus, patientia nostra?
...except that plenty of people, even those who should know better, are willing to accept a free flash drive.
And that flash drive also is a HID device, and it's going to sometimes send a series of keystrokes that issue commands you don't like.
This entire hack depends on a device that looks like a keyboard, not being a keyboard, but being a keyboard AND a network card - or a flash drive that's ALSO a HID device - or a webcam that's also a BT receiver.
Are you:
* A bank?
* A utility?
* A large corporation?
* A defense contractor?
* A military?
* A government?
* A "whistleblower" (in the figurative sense, not someone who just blows a literal whistle)?
* A journalist?
* A civil rights/government abuse/environmental/economic activist?
* Are you a member of an "anti-government" group or movement?
* Are you Muslim?
* Are you or have you ever been brown?
* Now or will you in the future travel through a customs inspection area of any country?
* Under active investigation by a law enforcement agency?
* A rabble-rouser?
* A person with opinions that are counter to those of your government?
* A sentient artificial lifeform?
If you answered yes to any of the above, then yes you need to be worried. If you did not, then no, you probably don't need to be worried.
I browse on +1 so AC's need not respond, I won't see it.
Mainly because it's the first asking for access(Windows), I just no everything out. One of the largest security holes around and it's still fully active.
Give up complete computer security because I want music to play seconds before I could do it myself.
The most obvious route for disaster is a compromised cellphone charger, at least for my usage patterns. Since it'd take me about ten minutes to make a pez-candy-sized PCB with USB-micro-M and USB-micro-F connectors with only the power lines connected between them, I'm wondering if an android phone will charge when it's getting power, regardless of whether the USB is connected, or it won't charge until it's had a USB chat. I recall older devices being able to charge at lower-power (150mA?) but having to negotiate for 500mA. I'm perfectly happy to settle for 150mA for right now, until I can program a little AVR to fake the negotiation process and make me an air-gap charger. I don't have a usb traffic sniffer at work, and am about to lose my pcb fabrication equipment for a couple of weeks, so if I could find out today if it's worth making the pcb I'd do it this afternoon. Anyone know?
Nostalgia's not what it used to be.
Okay, so, instead the blackhats break into the factory that is manufacturing the chips and modify the firmware that is being written to them. Now, every USB keyboard that the company manufactures looks to the computer as both a USB keyboard, and a USB network device.
I'm sure you remember those instances where malware was being pre-installed onto pre-formatted external drives, right?
Sure, there's a lot more to be done to turn that "Fake network device" into something that can trick the OS into treating it as a default gateway, as well as acting as a forwarding device so that modified packets can make it out the _real_ gateway, but... it only needs one weird combination of behaviours... somewhere... to be effective.
The USB stick that thinks it’s a keyboard (PC Pro blog): http://www.pcpro.co.uk/blogs/2...
Calvin:Do you believe in the devil? Hobbes:I'm not sure man needs the help.
I bet at least 20% of the USB devices use the same FTDI chip for USB functionality, and another 20% use Atmel AVR microcontrollers. If your malware patched or replaced the Atmel firmware, you could own a lot of systems.
It wouldn't even NEED to continue to work like the original device, so you could just replace the firmware with the Atmel firmware I wrote last night. The user plugs in their webcam or tries to turn it on. The webcam doesn't work anymore. The bad guy doesn't care, at that point he has already owned the machine, just a few seconds after the device was plugged in.
Well perhaps the OS should ask the user "I see you've just plugged in a USB device that claims to be both a keyboard and a network adapter. Do you want to give this device both keyboard I/O and network access to your PC?"...
Basically, the same way that when you install an app on a mobile phone, the system prompts you for what capabilities you want to grant the app, your PC OS could do something similar for USB devices.
Will my USB Pet Rock be affected?
For example, my keyboard has exactly 256 Bytes of FLASH storage. And if you put malware in there (which it is too small for), it loses its keymap. So "most" is really "some, and in particular devices modified for this" here. In addition, this attack needs to be customized for each specific device, which is expensive. And many devices are not even reprogrammable without circumventing MCU protection bits.
This is mostly a non-issue with regular devices.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
And if it's your first keyboard, how do you answer? Scream "YES" at it, or plug in the compromised mouse?
Even if you just allow HID devices without confirmation, compromised HID devices that click "yes" for you will be next.
99.9% of users will click "OK" or "Accept" see UAC....
You could even do the same on a phone if it was able to charge wirelessly.
(stolen from DaBum) I am dyslexia of borg - your ass will be laminated.
I will ignore the "proper OS" taunt - it shows a lack of perspective, given that Windows is the most popular OS in use today. Every OS has keyboard shortcuts. Could you disable them? Perhaps, but that's beside the point - most people won't.
Ubuntu - CTRL+ALT+T = terminal
OSX - COMMAND+S+terminal = terminal
Windows - windowskey+r+cmd = terminal
Those commands only cover around 97-99% of the desktop/laptop market share. Think that's not a juicy target?
Negative, I am a meat popsicle.
Hell yeah you have a bigger problem! I hope you have a hiding place for your Mountain Dew and your Doritos!
Get free satoshi (Bitcoin) and Dogecoins
Last night I programmed a chip to act as a USB keyboard and automatically "press" keys. The system did as you described, identifying it as a keyboard, and creating a node in /dev. Something like /dev/keyboard1. It then proceeded to accept the keyboard events exactly as though I'd typed them, without any confirmation by the user. Confirmation by the user would be problematic in the case of a broken keyboard or mouse - the system can't let you use the new keyboard to confirm itself.
I'm using it to brute force a PIN. Some iPhones and Android devices will now accept an external keyboard. With a 4-digit PIN, it should be guessed by the end of the day.
I'll repeat.
Sure this is the case with any hardware and MS but you would assume a secure facility would lock it down. But USB now you have the sneaker net issues.
No sir I don't like it.
What they are talking about here infects on firmware/driver level initialization between USB device and computer when plugged in that is an inherent part of the USB standard, before and invisible to any user mode (software) inspection (and how do you plan to see/test that the usb firmware is not infected?).
Actually, this sounds like an interesting job for a Pi. I just checked the latest raspbian on my Pi and USB is compiled into the kernel (no USB modules, at least nothing obviously so). Recompile the kernel so USB is all loadable modules, then modify the base USB code to report transactions.
Plug your USB stick or disk or keyboard into the Pi, and if it reports that there's a new not-a-USB-stick/disk/keyboard, you know there's malware on the device.
On a different note, does anyone know of any modified firmware for any USB disk or stick that makes it look like a CD-R? (Preferably, a dozen at the same time.) I'd like to get around having to burn an actual CD-R when exporting audio books from Overdrive and then importing them into grip or itunes. And, unfortunately, many of the books I'm trying to write are JUST a bit larger than a CD-RW can handle.
"If anything plugged into it that had storage on it ... It also got you immediately perp-walked out of the building and freshly unemployed,"
Nice opportunity to get rid of a co-worker when he's away for a bathroom break...
Avantslash: low-bandwidth mobile slashdot.
And if it's your first keyboard, how do you answer? Scream "YES" at it, or plug in the compromised mouse?
I've lost track of the times I've had a BIOS report: "Keyboard failure. No keyboard detected. Press F1 to continue...". So no, you don't have to scream at it or plug in a mouse, just press F1. Do'h!
Command+S results in Safari asking me where I want to save this webpage.
Get free satoshi (Bitcoin) and Dogecoins
I just turned an ATtiny45 into a SNES gamepad USB controller.
Get free satoshi (Bitcoin) and Dogecoins
So what I hear you saying is that since I'm a main stream media watching, large debt carrying, cheap beer drinking, non-airplane traveling tool, I don't need to worry? Thanks!
What sneakernet issue? Be more clear. USB devices do not contain installable software, except for the obvious and well-known case of a mass-storage device happening to contain files that can be intentionally or inadvertently executed by the end user after the MSD is connected.
I've lost track of the times I've had a BIOS report: "Keyboard failure. No keyboard detected. Press F1 to continue..."
At which point you plug in a working keyboard and press F1.
There are much worse threats. Thunderbolt and Firewire give the device full access to RAM, with no protection at all. For over a decade companies have been making Firewire and now Thunderbolt devices that dump a running PC's memory for forensic analysis, complete with any encryption keys and passwords that happen to be there. Law enforcement loves them because even if the computer is locked or the user logged out when they get there most operating systems auto-configure newly plugged in devices. Thunderbolt allows pre-boot attacks as well (including cold boot key recovery).
The only way to solve this problem is to train people not to plug random stuff into their computers, and to disable Thunderbolt and Firewire ports. Plugging in a random USB memory stick is a risk and many people are starting to understand that, so we just need to extend it to cover all USB devices.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
Possibly explains why the CESG guys got certain USB-related chips destroyed on The Guardian kit that had held Snowden's files - perhaps they'd already done this and wanted the evidence removed.
At which point you plug in a working keyboard and press F1.
No, at which point you plug in a keyboard, reboot, press DEL or Fwhatever (2?) to go into the BIOS setup, fix the stupid "stop on keyboard error" or similar setting, save and exit, and then pull the keyboard back off.
I develop embedded/standalone systems that won't have a keyboard on them. I usually remember to set the BIOS as one of the first things on any new system, but many times I've gotten the "press F1" instruction when I get to final testing in target configuration.
But mostly I would say ... "whoosh".
Most of these devices are manufactured in China. What's to stop the government from planting a little "something extra" in the webcam's controller, or your cheap USB stick etc?
Plenty of avenues for exploit there. Given that the NSA has been known to intercept hardware and implant chips in it, I can see that too, but it's even easier for China
I'd imagine that if they have security at that USB-device-verification level, they've also got plenty of cameras
Keyboards plugged in during Windows Installation will be exempt.
The fake HID keyboard can type YES all day, but since the driver software for the fake HID keyboard WON'T be loaded until the user types YES on an existing keyboard we would be OK.
This type of attack could be defeated if Windows had a security setting that forced all devices to have a properly signed INF package available before Windows will install any drivers for it. That INF (and signed catalog file, and possibly driver files) can either be available in Windows update or installed by the end user (from the net, from cd etc.)
More likely for corporate machines a set of approved device driver files would be pre-installed making it impossible to use any USB device not authorized.
If Windows does not install drivers for the device it is a useless lump of silicon plugged into your USB port (well it could still be stealing up to 100ma of power.)
Note that Windows 7 and newer already require a signed driver. But for HID devices Microsoft will use their builtin HID driver (signed by Microsoft) matching by class (HID is a class of devices.) The suggestion is that class matching be disabled and specific matching by vendor and product id be required. That means an INF file with the correct VID/PID be available. And the only way to have that available is with a digital signature.
And just a note, Windows does have some control, google "Managing Hardware Restrictions via Group Policy".
http://www.usb.org/developers/... has been around for a decade and a half. I'm sitting in front of a USB mouse that gets firmware updates. I've flashed USB keys with new firmware. USB devices can and do contain nonvolatile firmware, not just flash drives and not just what is generally accessed by the OS.
No sir I don't like it.
This is kind of a new version of auto-run, one implemented by all operating systems.
The problem with auto-run is that a CD might tell the computer to do anything, not just what the user would like it to do.
The same problem exists with keyboards. They'll likely just send the keystrokes you type to the computer, much like the vast majority of CDs will only tell your computer to run the game that they contain that you want to play. However, a few will do something else, and the computer will happily do whatever that keyboard tells it to do. Even if it doesn't look like a keyboard, much like those flash drives that don't at all look like CD drives.
So I'll make my malware pretend to be a plain old USB stick for the first N hours. Then it will simulate an unplug and replug itself in as a keyboard that types "format c:\ncat /dev/zero > /dev/sda\necho bwah hah hah!\n"
It's a basic principle that if an attacker can compromise your hardware, you're fscked. But it looks like the new part is that the malware can go viral, reprogramming USB devices. Whoever was careless enough to release a USB controller with firmware that can be arbitrarily reprogrammed from the host computer needs to be taken out and shot.
Tom Swiss | the infamous tms | my blog
You cannot wash away blood with blood
>2014
>not using a computer that has an IOMMU
ISHYGDDT.jpg
After the fifth try it locks it for 30 seconds. That's why it takes a day to try 10,000 four-digit pins. What it SHOULD do is delay for 30 seconds after the 5th try, 60 seconds after five more, 120 seconds after five more, 240 seconds ..
However, it looks like both companies had general purpose programmers design their security locks, rather than having security professionals do that. Which is a lot like having a handyman design your physical locks, without involving a locksmith. A handyman sometimes* competently INSTALLS a lock, but it should be security professionals designing them.
* very often a handyman or carpenter installs a lock upside down, resulting in early failure of the lock and making it less user-friendly.
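An added example, not part of the original comment: a small simulation of the two lockout policies described above (a fixed 30-second lockout after every five failures versus a lockout that doubles each time), over the 10,000 four-digit PINs the comment mentions. Function names are this example's own, and the time to type each guess is assumed to be zero, which favours the guesser.

```python
"""Compare fixed and doubling lockout delays against exhaustive PIN guessing."""

PIN_SPACE = 10_000        # four-digit PINs, as in the comment
TRIES_PER_LOCKOUT = 5     # lockout is imposed after every fifth failure


def fixed_delay(lockout_index):
    """30 s on every lockout, regardless of how many came before."""
    return 30


def doubling_delay(lockout_index):
    """30 s, 60 s, 120 s, 240 s, ... for lockout 0, 1, 2, 3, ..."""
    return 30 * 2 ** lockout_index


def guesses_within(budget_s, delay_fn, seconds_per_try=0):
    """Number of distinct PINs that can be tried inside budget_s seconds."""
    elapsed = guesses = lockouts = 0
    while guesses < PIN_SPACE:
        for _ in range(TRIES_PER_LOCKOUT):
            if guesses >= PIN_SPACE or elapsed + seconds_per_try > budget_s:
                return guesses
            elapsed += seconds_per_try
            guesses += 1
        # Five failures in a row: the device refuses input for a while.
        elapsed += delay_fn(lockouts)
        lockouts += 1
        if elapsed > budget_s:
            return guesses
    return guesses


def seconds_to_exhaust(delay_fn):
    """Total lockout time served before the last batch of PINs can be tried."""
    batches = -(-PIN_SPACE // TRIES_PER_LOCKOUT)   # ceiling division
    return sum(delay_fn(k) for k in range(batches - 1))


if __name__ == "__main__":
    day = 24 * 60 * 60
    for name, policy in (("fixed 30 s", fixed_delay),
                         ("doubling", doubling_delay)):
        tried = guesses_within(day, policy)
        print("%-10s: %5d of %d PINs tried in 24 h (%.2f%%)"
              % (name, tried, PIN_SPACE, 100.0 * tried / PIN_SPACE))
    print("fixed policy, full search: %.1f hours of lockout"
          % (seconds_to_exhaust(fixed_delay) / 3600.0))
```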
It's also a Human Interface Device device?
But mostly I would say ... "whoosh".
It's not a 'whoosh'
The premise is that "keyboard missing, press F1 to continue" is "funny" is because you can incorrectly interpret it to mean the following contradiction:
"The keyboard is missing, now press F1 on the keyboard to continue without one"
But it never meant that, it means the far more reasonable:
"The keyboard is missing; I'm currently configured to ensure that one is attached, so please attach one, and then press F1 on it to continue"
Overdrive will only burn CD-R as audio disks. I've tried using a DVDxR (both + and -, and RW and RAM) and it will not burn to those.
Yes, devices have updateable firmware. How is this a "sneakernet issue"? The firmware update does not cause Windows to install anything. Those are orthogonal features.
It's not a 'whoosh'
It's a 'whoosh' for you because you didn't read the entire comment, which included the sentences: "So no, you don't have to scream at it or plug in a mouse, just press F1. Do'h!"
"Just press F1". Read all the words. You seem pretty clear on the idea that you can't "just press F1", you need to find a working keyboard first, and you thought you needed to lecture me on the issue because YOU DIDN'T GET THE JOKE. Admit it.
"The keyboard is missing; I'm currently configured to ensure that one is attached, so please attach one, and then press F1 on it to continue"
Had the BIOS authors intended the error to say that, they would have written the error to say that. Or to say something shorter like "Keyboard error. Attach working keyboard". They did not. You read much more into what the error says than the authors wrote into it.
YOU DIDN'T GET THE JOKE.
I got the joke. That's why it wasn't a whoosh.
Had the BIOS authors intended the error to say that
Lol, bios has some of the worst English I've ever read.
Bye.
One example given was a keyboard that can guess your password (watch for the first string you type) and then wakes up your pc in the wee hours to send the keylog to collections web sites. You need not install anything into the OS.
We already know that the NSA has swapped hardware in transit. This just makes it even easier. Often there is no facility to read the firmware back from these devices without physically accessing it and even then it may not be possible.
No sir I don't like it.
A USB device programmed to look like a keyboard is going to look like a keyboard to the machine. Maybe this might be redundant, but your best, or only recourse might be to learn how to sniff your network. Disabling plug and play so that you have to manually tell your computer what is being connected might work to an extent...
“He’s not deformed, he’s just drunk!”
and a monthly charge of $7.99 to ensure it all stays secure
In some cases, assuming it covers secondary damage, that would be more than worth it.
Well, I might have a way, but it only works on a semi spherical planet in a vacuum.
One of the reasons why admin and user privileges should be separated. It still isn't safe, but it helps.
Now to convince managers of that.
Nope. While these chips are common both are way too expensive for mass-produced hardware. Practically every microcontroller has a version with USB interface today and most of mass produced gear doesn't use these - an FTDI bridge is around $1/pop at quantity, that's crazy for a $20-40 end-user price item.
Anyhow, FTDI chips cannot be reprogrammed - you can modify their settings, but they are only a UART/I2C/SPI-to-USB bridge, they don't do anything by themselves. And that something uses e.g. an Atmel AVR chip (actually really rare, they are very expensive for the capabilities they have) doesn't mean that the programming pins are *actually hooked up* to something that is USB-accessible. Some may have the DFU bootloader, but typically they would have the firmware locked. You are way more likely to find various ARM micros and cheap Chinese clones of MCS'51 series these days, but again, that the chip is programmable doesn't mean it could be reprogrammed by the host system!
In addition - fingerprinting the OS based on exactly how it probes for a USB device has been done, and is not particularly hard.
This can narrow down by a lot which OS you may be connected to - and have a dozen potential exploits based on the signature outcome.
Thankfully, it is possible to secure USB in a less extreme way. An OS like Qubes that can configure devices for automatic reassignment to an unprivileged domain (i.e. virtual machine) can protect the hypervisor, BIOS, etc. from incidental attachment of malicious USB devices.
Currently, a Qubes user/admin can do this from the GUI on a per-USB-controller basis, but in future will be able to employ Xen PVUSB functionality to manage USB on a per-device basis.
Then the criminals will figure out how to falsify the signature with the bad firmware anyway.
Not if the user/admin gets to sign the devices (e.g. when they are initially purchased). Or... why not design the devices to carry multiple signatures (including but not limited to the manufacturer)??
I eat Cheetos, you insensitive clod!
Bits of code, random ramblings: jakimfett.com
If it's your first keyboard it should give you a countdown. "You have plugged in a keyboard device. If that's not what you want, unplug in 5 seconds. 4...3....2....1"
I prolly fit the last category.... taken from how some other people see me...
I seriously doubt it would work against the Rubber Ducky.
If they are able to rewrite the firmware, they should already have some kind of privileged access
Depends.
I once worked for a company that wrote web banking software. The laptops/desktops/etc of certain employees had a 'driver' that continually monitored the USB ports. If anything plugged into it that had storage on it but not the proper corporate auth key to connect as an approved storage device? It would automatically send an email to the IT department, immediately shut off the entire USB subsystem in the OS, and it stayed that way until the device was re-imaged (in many cases making the device completely useless). It also got you immediately perp-walked out of the building and freshly unemployed, unless you could immediately give them a reasonable (and provable) explanation as to why it happened.
Now in this case, I suspect that if the bad stick presented itself to the OS as a keyboard/mouse/whatever, it may circumvent that (I say "may" because I don't know if it would be able to dump any non-keyboard/mouse-related data onto the machine w/o presenting itself as storage.)
Either way, if you're that worried about it, then epoxy the USB ports shut (well, except on the phone for obvious reasons...)
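The port-monitoring policy described in the comment above, widened from storage to every interface class a device announces, as an added example that is not from the thread or from any product mentioned in it. The allowlist, device identifiers and sample enumerations are constructed assumptions.

```python
# Constructed example: evaluate each enumerated USB device against an allowlist
# of interface classes, so a "stick" that also announces a HID or network
# interface is flagged even though a storage-only monitor would stay silent.
# USB-IF interface class codes (bInterfaceClass).
HID, MASS_STORAGE, CDC_COMM, CDC_DATA, WIRELESS = 0x03, 0x08, 0x02, 0x0A, 0xE0
NETWORK_CLASSES = {CDC_COMM, CDC_DATA, WIRELESS}

# Hypothetical allowlist: (vendor id, product id, serial) -> permitted classes.
# These identity fields are reported by the device itself, so this catches
# behaviour changes and unknown devices; it does not authenticate hardware.
APPROVED = {
    ("1111", "0001", "KB-001"): {HID},
    ("2222", "0002", "ST-777"): {MASS_STORAGE},
}

def evaluate(device):
    """Return a sorted list of policy findings for one enumerated device."""
    key = (device["vid"], device["pid"], device["serial"])
    classes = {cls for cls, _sub, _proto in device["interfaces"]}
    allowed = APPROVED.get(key, set())
    findings = set()
    if MASS_STORAGE in classes and MASS_STORAGE not in allowed:
        findings.add("unapproved-storage")
    # Telling keyboard from mouse needs the HID report descriptor; any
    # unapproved HID interface is treated as an input device here.
    if HID in classes and HID not in allowed:
        findings.add("unapproved-hid")
    if not (classes & NETWORK_CLASSES) <= allowed:
        findings.add("unapproved-network")
    # A known device announcing classes beyond its approved set has changed.
    if key in APPROVED and not classes <= allowed:
        findings.add("approved-device-new-class")
    return sorted(findings)

def dev(vid, pid, serial, *interfaces):
    return {"vid": vid, "pid": pid, "serial": serial, "interfaces": list(interfaces)}

# Constructed sample enumerations; each interface is (class, subclass, protocol).
SAMPLES = {
    "approved keyboard": dev("1111", "0001", "KB-001", (HID, 1, 1)),
    "approved stick, now also HID": dev("2222", "0002", "ST-777",
                                        (MASS_STORAGE, 6, 0x50), (HID, 1, 1)),
    "unknown stick": dev("3333", "0003", "X1", (MASS_STORAGE, 6, 0x50)),
    "unknown HID-only device": dev("4444", "0004", "X2", (HID, 1, 1)),
    "unknown network adapter": dev("5555", "0005", "X3", (CDC_COMM, 6, 0)),
}

if __name__ == "__main__":
    for name, device in SAMPLES.items():
        print(f"{name}: {evaluate(device) or 'ok'}")
```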
Surprise, surprise, surprise, not all computer cases are locked. Had a case of a user powering off the computer and rebooting with a live USB drive. Since it was standalone, the host system did not detect this action.
Also had a case of an employee opening up the computer case, unplugging the drive and replugging it into his external USB hardware adapter (cost for adapter $35.00 at NewEgg.ca). Used his laptop to download stuff from that now external laptop drive to his laptop, and person could upload stuff too. No, he did not insert stuff on the drive, but we do know he dl'd stuff. 'Til by chance an IT guy happened by.
Leslie Satenstein Montreal Quebec Canada
Right click should work
I know tobacco is bad for you, so I smoke weed with crack.