Slashdot Mirror

← Back to Stories (view on slashdot.org)

"BadUSB" Exploit Makes Devices Turn "Evil"

Posted by timothy on from the thinkgeek-had-something-funnier-years-ago dept.

An anonymous reader writes with a snippet from Ars Technica that should make you (even more) skeptical about plugging in random USB drives, or allowing persons unknown physical access to your computer's USB ports: When creators of the state-sponsored Stuxnet worm used a USB stick to infect air-gapped computers inside Iran's heavily fortified Natanz nuclear facility, trust in the ubiquitous storage medium suffered a devastating blow. Now, white-hat hackers have devised a feat even more seminal—an exploit that transforms keyboards, Web cams, and other types of USB-connected devices into highly programmable attack platforms that can't be detected by today's defenses. Dubbed BadUSB, the hack reprograms embedded firmware to give USB devices new, covert capabilities. In a demonstration scheduled at next week's Black Hat security conference in Las Vegas, a USB drive, for instance, will take on the ability to act as a keyboard that surreptitiously types malicious commands into attached computers. A different drive will similarly be reprogrammed to act as a network card that causes connected computers to connect to malicious sites impersonating Google, Facebook or other trusted destinations. The presenters will demonstrate similar hacks that work against Android phones when attached to targeted computers. They say their technique will work on Web cams, keyboards, and most other types of USB-enabled devices.

5 of 205 comments (clear)

  1. USB 4.x to offer signed USB device signatures??? by Anonymous Coward · · Score: 5, Interesting

    Here comes the digitially signed / encrypted usb dongles for USB 4.x, where every device has a firmware signature encrypted within the device and part of the usb handshake will be to read the entire firmware to re-calc the signature to make sure it matches, with a 3rd comparison via the internet to a usb device registry.

    Then the criminals will figure out how to falsify the signature with the bad firmware anyway.

  2. Re:and this is news why? by Canth7 · · Score: 5, Insightful

    I thought it was common sense not to plug in untrusted devices to your computer. Especially unknown thumb drives, unless you can use them in a read only device.

    The problem at hand is that you can take a trustworthy device, plug it into an infected computer and then your trustworthy device becomes compromised and not easily detectably so, infecting your formerly clean PC. So far, no comments on mitigating procedures or OS specific circumstances. Most OSes will automatically load USB devices so in theory this could affect just about every OS whereby a compromised phone decides to become a keyboard and starts typing keystrokes and sending data to a 3rd party. Scary, at least in theory.

  3. Re:Simple by stewsters · · Score: 5, Funny

    "Click OK to connect mouse"

    It leave a bit of a chicken and egg problem for normal users of systems without a keyboard built in.

  4. Safety first, kids... by blueshift_1 · · Score: 5, Funny

    Just another reason why you shouldn't stick foreign objects in your orifices...

  5. Re:How is this viable as an attack medium? by Anonymous Coward · · Score: 5, Interesting

    Smartphones is the big problem. People think it is acceptable to just plug them in everywhere to "just charge them".

    I can go to a train-station or another reasonable public spot. Look for a power outlet and plug in my "charging station" that turn a smartphone into a malicious device.
    This will infect devices from a very diverse group that will travel around and connect their devices to whatever USB-port they can find.