bjoernvold.com

All USB units have a flaw due to their design. This is not limited to the thumb drive but does also include your Keyboard and mouse or anything connected with USB. The reason is that the USB's have firmware of their own - needed to make them work. This firmware can be tampered with and completely take over your PC. It does not help to give your dongle to the IT guy and have him virus scan it or even reformat it. Those processes do not even touch the data in question. The problem lies in the firmware.

The USB security is fundamentally broken

To prove this point two guys, Karsten Nohl and Jakob Lell, made a piece of software called BadUSB.
This software will enable you to do mostly anything to your computer - and devices, like Android phones, connected to your computer.

This software can invisibly change all the files installed from the memory stick or even redirect your internet traffic.

This problem cannot be patched since it exploits the very way USB is designed.

So have a look at your computer now:

Is your keyboard attached with an USP plug?
Is your mouse?
Your printer?
Your Hard-disk?

Chances are that most of them are

This is not a too bright perspective so what can you do about it?
To be absolutely sure you can put superglue in all your USB ports.
That would take care of it, but that is kind of like driving from NY to LA - without using a motorized vehicle.

You can alter the USB firmware by reverse engineering like disassembling the firmware and analyze the code.
That is no way to go for most users.

The practical way of dealing with this is to buy and use USB only on your computer

Do not Accept USB - dongle giveaways, and consider your USB unit compromised as soon as it has been attached to other un-trusted PC's.

Even though the BadUSB unit can replace installed files on your computer with other files containing back-doors it should be possible to discover and repair the altered files.
So the most critical period is when the "infected" USB unit is attached.

All of this could have been avoided if the USB firmware would have code signing which would require any altering of the firmware code to be signed by the manufacturers encryption key.

So remember if you want to be safe do not transport USB dongles from PC to PC - not even Linux distributions.
If you do; be sure that you trust all the computers the dongle has been attached to.

IN THIS NEW WAY OF THINKING, YOU HAVE TO CONSIDER A USB INFECTED AND THROW IT AWAY AS SOON AS IT TOUCHES A NON-TRUSTED COMPUTER.

That should keep you safe from crooks. Dongles that are modified by design by "force majeure" like governments who need to take care of fundamental basic rights like absence of terror aka national security and DRM, will continue to infect your hardware.

But that is for the good cause - so that is nothing to worry about.

A typical example of this use would be to make the USB HDD firmware report about any movies and music on it to check if Digital Rights are respected. That would catch those professional criminals who run around from house to house with a HDD and show pirated movies

It is time to change the way USB's works.

Physical Security is the weakest of all.

I wonder... Is this is a pitch to get away from the firmware to make it OS driven?

I think Winmodems were/are that way right?

I am not sure.
In theory this goes for any USB device with changeable firmware.

In the way I see it is. Firmware you have to be present most of the time but if is Software/OS driven you can do remotely.

What is your take on this one.

If it is software OS driven then it probably is part of some National security need (If they place key loggers or back doors). Remotely controlled they can hijack you PC entirely, but that is not limited to USB; they can do that with the Bios.
If hardware is prepared like that, it takes a coordinated effort and a coordinated strategy. Something like we need to access the keystrokes on potential terrorist A's PC.

Send an official order to MS who can update the software and find a nice tree to sit in close to the PC to monitor both what he is sending and what he is writing but not sending - via radio waves. Or send him a USB thumb drive.


I kind of dislike the idea of anyone remotely updating my firmware without me knowing.
But I kind of find it OK when they do it to Osama Bin Laden.

I guess I am afraid of the abuse potential...

In any case USB thumbs have been a known security risk for a long time - for other reasons.

Safer means no internet but you can have an independent local network.

We might be going that route.

I was under the impression that Winmodems had most of their functionality moved to software (Windows based drivers) but that there still needed to be some minimal firmware on the physical device. Ultimately, doesn't any peripheral (even a USB device) need at least some firmware to make it work?
S.

I guess its time for everyone to move on over to Thunderbolt https://www.apple.com/thunderbolt/ , right?

No to disrespect Apple, but I do not like to be tied up on their ecosystem. To me feels like a religious cult that once you are in you cannot get out.

My world is not "perfect" but I am free

LAWL!

Introducing iGate... a new application for iPhones, iPads, iPods, and iPuds alike. It plays a loud screeching noise, causing you to strike yourself about the head with the device until death. At which time of course the spaceship behind Hale-Bopp will pick you up and take you to the next level.

S.

Now the unpatchable Malware is out in the open, this will force the USB guys to change the system. As long as this was an exploit that only could be done by resourceful entities like governments and large companies; nobody would want to fix this.

Now that everyone can do it; the USB system must be changed - fast.
This is an unfixable and unpatchable weakness - so it is a "sure thing" for the perpetrators.

There are some things you can use to make it safer to charge your phone via the USB plug etc. But these fixes have in common that they eliminate the functions of USB:

viewtopic.php?f=21&t=3444

More here

Wow. I wasn't here for this one, but crazy thing, I'd always suspected USB as a security fail. Interesting to see those suspicions confirmed.