PANIC! Stop using USB (it's ''fundamentally broken'') #BadUSB

PANIC! Stop using USB (it's ''fundamentally broken'') #BadUSB
By Richi Jennings
August 01, 2014 6:25 AM EDT

BadUSB: Karsten Nohl and friends set up us the bomb.

USB gadgets are totally unsafe. That's the stark warning from Security Research Labs, to be given at Black Hat in Lost Wages. Basically, any USB device can do anything it wants to your PC or Mac, and there's nothing you can do to stop it, detect it, or remediate it.

tl;dr: We're screwed.

In IT Blogwatch, bloggers panic like it's 2038.
Your humble blogwatcher curated these bloggy bits for your entertainment.

Lucian Constantin reports:
Most USB devices [can] infect computers with malware in a way that cannot easily be prevented or detected. ... A malware program can replace the firmware on a USB device like a thumb drive...and make it act like some other type of device, for example, a keyboard [which] could then be used to emulate key presses and send commands to download and execute a malware program.
Researchers from Security Research Labs have developed several proof-of-concept attacks that they plan to present at the Black Hat security conference.  MORE

And Andy Greenberg adds:
The security problems with USB devices run deeper than you think: Their risk isn’t just in what they carry, it’s built into the core of how they work. That’s the takeaway from findings [of] security researchers Karsten Nohl and Jakob Lell.
The malware they created, called BadUSB, can be installed on a USB device to completely take over a PC, invisibly alter files installed from the memory stick, or even redirect the user’s internet traffic. ... And the two researchers say there’s no easy fix. ... They spent months reverse engineering the firmware that runs the basic communication functions of USB devices.
University of Pennsylvania computer science professor Matt Blaze...speculates that the USB attack may in fact already be common practice for the NSA. He points to a spying device known as Cottonmouth, revealed earlier this year in the leaks of Edward Snowden.  MORE

So here's Karsten Nohl, via Dan Goodin:
If you put anything into your USB [slot], it extends a lot of trust. ... Whatever it is, there could always be some code...in that device that runs maliciously. Every time anybody connects a USB device to your computer, you fully trust them. ... It's the equivalent of [saying] 'here's my computer; I'm going to walk away for 10 minutes. Please don't do anything evil.
There's no way to get the firmware without the help of the firmware, and if you ask the infected firmware, it will just lie to you. ... The next time you have a virus on your computer, you pretty much have to assume your peripherals are infected, and computers of other people who connected to those peripherals are infected.
It's the endless struggle between do you anticipate security versus making it so complex nobody will use it. ... The power of USB is that you plug it in and it just works. This simplicity is exactly what's enabling these attacks.  MORE

Oh hay, Lily Hay Newman: [You're fired -Ed.]
USB technology has a fundamental security vulnerability. ... Oh, great.
Wiping a flash drive or scanning it with anti-virus software won’t detect the malware. Only reverse-engineering the firmware...can expose the foreign code lurking in it.
There’s no patch for this problem, so the best way to defend yourself [is] don’t share your thumb drives, don’t plug them into a public or untrusted computer, and don’t plug a USB peripheral or thumb drive that isn’t yours into your computer.  MORE


http://blogs.computerworld.com/malware-and-vulnerabilities/24203/panic-usb-insecure-its-fundamentally-broken-badusb-itbwcw?source=CTWNLE_nlt_blogs_2014-08-01

Comments

Post a Comment

Popular posts from this blog

BMW traps alleged thief by remotely locking him in car

BMW traps alleged thief by remotely locking him in car Stealer's Wheel? Seattle police department quotes "Watchmen" movie in a recap of the recent arrest. Tech Culture by Gael Fashingbauer Cooper December 4, 2016 5:00 PM PST It's maybe the most satisfying arrest we can imagine. Seattle police caught an alleged car thief by enlisting the help of car maker BMW to both track and then remotely lock the luckless criminal in the very car he was trying to steal. Jonah Spangenthal-Lee, deputy director of communications for the Seattle Police Department, posted a witty summary of the event on the SPD's blog on Wednesday. Turns out if you're inside a stolen car, it's perhaps not the best time to take a nap. "A car thief awoke from a sound slumber Sunday morning (Nov. 27) to find he had been remotely locked inside a stolen BMW, just as Seattle police officers were bearing down on him," Spangenthal-Lee wrote. The suspect found a ke...
Read more

Report: World’s 1st remote brain surgery via 5G network performed in China

World’s 1st remote brain surgery via 5G network performed in China Published time: 17 Mar, 2019 13:12 ·           A Chinese surgeon has performed the world’s first remote brain surgery using 5G technology, with the patient 3,000km away from the operating doctor. Dr. Ling Zhipei remotely implanted a neurostimulator into his patient’s brain on Saturday, Chinese state-run media  reports . The surgeon manipulated the instruments in the Beijing-based PLAGH hospital from a clinic subsidiary on the southern Hainan island, located 3,000km away. The surgery is said to have lasted three hours and ended successfully. The patient, suffering from Parkinson’s disease, is said to be feeling well after the pioneering operation. The doctor used a computer connected to the next-generation 5G network developed by Chinese tech giant Huawei. The new device enabled a near real-time connection, according to Dr. Ling.  “You barely feel that th...
Read more

New ATM's: withdraw money with veins in your finger

New cash machines: withdraw money with veins in your finger Cash machine technology that reads the pattern of finger veins is already available in Japan and Poland   By Telegraph Reporters 6:59PM BST 15 May 2014 Cash machines could soon be installed with devices that identify customers by reading the veins in their fingers. The technology is already being rolled out in Poland, where 1,730 cash machines will this year be installed with readers, negating the need for a debit card and Pin. Developed by Hitachi, the Japanese electronics firm, the machines read the patterns of the veins just below the surface of the skin on your finger using infra-red sensors. The light is partially absorbed by haemoglobin in the veins to capture a unique finger vein pattern profile, which is matched to a profile. The technology is used by Japanese banks and also in Turkey, offering “groundbreaking levels of accuracy and speed of authentication”, Hitachi said, which in t...
Read more