
tomm2thumbs

(13,297 posts)
Thu Oct 2, 2014, 12:02 PM Oct 2014

Unpatchable Malware That Infects USBs Is Now on the Loose

Source: Wired

...Karsten Nohl demonstrated an attack he called BadUSB to a standing-room-only crowd at the Black Hat security conference in Las Vegas, showing that it’s possible to corrupt any USB device with insidious, undetectable malware. Given the severity of that security problem—and the lack of any easy patch—Nohl has held back on releasing the code he used to pull off the attack. But at least two of Nohl’s fellow researchers aren’t waiting any longer. <snip>

Caudill and Wilson reverse engineered the firmware of USB microcontrollers sold by the Taiwanese firm Phison, one of the world’s top USB makers. Then they reprogrammed that firmware to perform disturbing attacks: In one case, they showed that the infected USB can impersonate a keyboard to type any keystrokes the attacker chooses on the victim’s machine. Because it affects the firmware of the USB’s microcontroller, that attack program would be stored in the rewritable code that controls the USB’s basic functions, not in its flash memory—even deleting the entire contents of its storage wouldn’t catch the malware. <snip>

But he (Karsten Nohl) warned that even if that code-signing measure were put in place today, it could take 10 years or more to iron out the USB standard’s bugs and pull existing vulnerable devices out of circulation. “It’s unfixable for the most part,” Nohl said at the time. “But before even starting this arms race, USB sticks have to attempt security.”





Read more: http://www.wired.com/2014/10/code-published-for-unfixable-usb-attack/




Eventually, the notePads and legalPads will retake the world from the iPads hahahahah

Can't infect paper with a virus - yay!


Unpatchable Malware That Infects USBs Is Now on the Loose (Original Post) tomm2thumbs Oct 2014 OP
They're getting clever with the emails, as well... C Moon Oct 2014 #1
I'm getting Your Gas Bill is Overdue, or Your Mother's Obituary. I just delete them and don't click. Hestia Oct 2014 #3
I got an email from Will Pitt today jaysunb Oct 2014 #8
never really dropped eSata PatrynXX Oct 2014 #2
A translation for the non-technical folks eggplant Oct 2014 #4
Its possible to protect your computer ... cprise Oct 2014 #7
I don't think that qubes would be immune, either. eggplant Oct 2014 #10
Like UEFI, Qubes can use a TPM to detect BIOS tampering. cprise Oct 2014 #17
Agreed. eggplant Oct 2014 #18
I bought a Sanyo smart television and Uncle Joe Oct 2014 #12
I honestly have no idea. eggplant Oct 2014 #13
I was mistaken anyway, it's a Samsung. Uncle Joe Oct 2014 #20
Your response is Soylent Brice Oct 2014 #26
As a non-technical person - a question maybe you can answer? enlightenment Oct 2014 #27
Short answer, maybe. eggplant Oct 2014 #28
Ah. I think I understand. enlightenment Oct 2014 #31
The code ate my homework. Spitfire of ATJ Oct 2014 #5
Thank you NSA Man from Pickens Oct 2014 #6
Um, sure. eggplant Oct 2014 #14
Remember Heartbleed? Man from Pickens Oct 2014 #22
oh man this sucks navarth Oct 2014 #9
There's always dropbox... ;-) n/t eggplant Oct 2014 #15
Sneakernet baby Man from Pickens Oct 2014 #23
OK everybody... defacto7 Oct 2014 #11
Damn, and I just tossed my USB-to-parallel cable. (really!) eggplant Oct 2014 #16
I noticed defacto7 Oct 2014 #24
The solution is cheap and simple especially if you are handy… Agony Oct 2014 #19
What is it? n/t A Little Weird Oct 2014 #21
The butterfly effect! defacto7 Oct 2014 #25
It is the computer equivalent of sticking a fork into a light socket. eggplant Oct 2014 #29
''Can't infect paper with a virus.'' Not yet, perhaps. Octafish Oct 2014 #30

C Moon

(12,212 posts)
1. They're getting clever with the emails, as well...
Thu Oct 2, 2014, 01:29 PM
Oct 2014

I get short emails (not with the standard horrible English) saying something like a purchase order is attached, or you have a Microsoft voice mail, or a shipping PO attached (okay, that one was written poorly)...but they have been slowing my delete key down, to at least read them. They seem to be attacking the curiosity of people: "Oh. Someone else's private PO, I want to take a look!"

 

Hestia

(3,818 posts)
3. I'm getting Your Gas Bill is Overdue, or Your Mother's Obituary. I just delete them and don't click.
Thu Oct 2, 2014, 01:45 PM
Oct 2014

jaysunb

(11,856 posts)
8. I got an email from Will Pitt today
Thu Oct 2, 2014, 03:08 PM
Oct 2014

Although I've known him on this board since 2001, and briefly met him once, I knew he wouldn't be sending me an email at my personal address.

DELETED !

PatrynXX

(5,668 posts)
2. never really dropped eSata
Thu Oct 2, 2014, 01:45 PM
Oct 2014

unfortunately USB has control over everything. so nobody created an eSata stick. X_X

course I assume it's just as easy to infect something on eSata. but it's harder to do this with a port multiplier requirement.. (oops) USB comes standard with it.

eggplant

(3,911 posts)
4. A translation for the non-technical folks
Thu Oct 2, 2014, 01:45 PM
Oct 2014

Yes, everything described here is true. And yes, it can be done in such a way that not only (a) reformatting the stick doesn't affect this, but (b) it can be done in such a way that the OS (windows, mac, Linux, your tv, whatever) *cannot* tell that it is even there.

That having been said, there is no reason to panic, simply because panicking won't accomplish anything. There's *nothing* you can do about this, other than to *never* use *any* USB devices again, *ever*. That this is demonstrated using a thumb drive is actually irrelevant -- it can be done via any USB device, if it is hacked accordingly. This includes: Mice, keyboards, iPhone power plugs (hey, they've got usb jacks too...), basically anything you can cram into a usb port.

So, unless you are a hacker professional, your best bet for reacting to this situation is to do exactly what you were doing before -- not worrying specifically about this particular threat, and worrying instead about the general threat of plugging in random things you have no idea where they came from. This is essentially the same common sense rule as "if you see a half-consumed glass of something, and you don't know where it came from, don't just drink it."

cprise

(8,445 posts)
7. It's possible to protect your computer ...
Thu Oct 2, 2014, 03:01 PM
Oct 2014

Qubes OS is designed to wall-off the core of the system from untrustworthy devices (and programs, too). It does this partly by assigning components like network interfaces and USB controllers to hardened virtual machines.

https://wiki.qubes-os.org

Of course, using a computer with such restrictions on the hardware imposes the need for discipline (especially avoiding a false sense of security, because nothing is perfect). But overall Qubes is intended to be a usable desktop system and it even removes some of the security hassles found in traditional operating systems.

-

I would also like to add that this security nightmare doesn't have to be the general rule with personal computers. USB was created in an era of anything-goes design when the only things that mattered were cost and convenience. Eventually, I expect something better to replace USB, and do it in a way that leaves the user in control of his/her machine instead of Apple or Microsoft.

eggplant

(3,911 posts)
10. I don't think that qubes would be immune, either.
Thu Oct 2, 2014, 04:42 PM
Oct 2014

The problem with this hack is that it occurs at a BIOS level, prior to OS execution. At the hardware layer, the USB device is queried and initialized. If the USB device is able to determine that it is the BIOS doing the querying, then it responds that it is a keyboard, and then can inject keystrokes into the BIOS prior to the OS booting up (for example).

This allows the rogue device to make arbitrary adjustments at the BIOS level, perhaps doing something as simple as adding a hardware-level keystroke logger via a backchannel to the rogue device. Or more nefariously, installing code that examines or subtly modifies file system data. Maybe it even patches the OS (on the hard drive) before it can boot.

Once the OS boots, the rogue device identifies itself to the OS as a simple data storage device, and no-one is the wiser. The device only behaves (visibly) badly prior to the OS booting.

---------

There was an example of hacking an iPhone by creating a rogue USB device implementation and stuffing it inside a USB charger. This took advantage of a flaw in iOS that allowed code to be installed on the phone (from the charger!) even when the phone was locked. Simply plugging in the charger was enough to infect the phone, and this was happening inside a completely normal looking charger from Apple that had been secretly modified.

The problem is that the OS has to make assumptions about the state of the hardware in ways that are not always verifiable by the OS. This is why UEFI was introduced in Windows 8 -- to make the BIOS cryptographically secure -- the hardware won't run any pre-OS BIOS code that isn't properly signed. In this way, the OS can be (more) sure that the BIOS hasn't been infiltrated. But this particular USB hack doesn't have to modify the BIOS to do evil, it just has to be able to access the hard drive (for example).

----------

The problem with "something better to replace USB" has less to do with USB itself, and more to do with the idea of transient devices -- as long as you can boot your hardware from something you just stick into the machine, and that something then has access to your more permanent hardware (say, your hard drive), all bets are off. And if you disallow this from happening, you greatly restrict usability. Support for transient devices requires either that the hardware *ask* the device to self-identify (the current USB risk) or requires that all devices have cryptographically signed evidence to present to the OS to verify that it is what it claims to be -AND- that the OS have the means to validate the signature prior to allowing the device to work.

And even then, if a human can manually corrupt their own hardware, by going into the BIOS and manually adjusting some setting during boot, there is nothing to stop a rogue keyboard from doing it either. The computer must *trust* the keyboard to only report what the human is actually doing, whether they are or not. Thus the fundamental flaw.

cprise

(8,445 posts)
17. Like UEFI, Qubes can use a TPM to detect BIOS tampering.
Thu Oct 2, 2014, 05:36 PM
Oct 2014

The Qubes approach, however, is to supply a secret phrase or image that is then sealed with the TPM's system measurements and so cannot un-seal the secret without the same initial conditions --- The computer essentially authenticates itself to the user. That is Qubes' Anti-Evil-Maid feature.

(It's assumed that you would lock down your BIOS with a password when using AEM -- because it makes sense in general -- but even without a BIOS password Qubes AEM could still detect changes. However, this is a different issue than casual use of insecure USB devices.)

The researchers who develop Qubes are experts in low-level system attacks (having uncovered a number of attacks themselves) that involve the BIOS and other firmware. Their position on BadUSB is that the USB controller's firmware can be compromised, but by itself it's highly unlikely to stay compromised after a reboot. Therefore, an attack by USB would need to continue to infect some other component (like the BIOS flash memory or HD) in order to remain on the system... but the USB controller doesn't have privileged access to these components under Qubes.

As for keyboards, the general rule is that PS/2 keyboards are preferred. And indeed most laptops use PS/2 for their built-in keyboards, and many desktop systems still have PS/2 ports.
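The sealing behaviour described in the post above can be modelled in a few lines. This is an added example, not part of the original post and not Qubes or TPM vendor code: `ToyTPM`, the component names and the secret are constructed, and a real TPM keeps the sealed blob encrypted and enforces the PCR policy in hardware.

```python
import hashlib
import hmac

def extend(pcr, component):
    """PCR extend: new = SHA-256(old || SHA-256(component)). Order-sensitive."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()

def measure_boot(components):
    """Fold every boot component into one register, starting from all zeros."""
    pcr = bytes(32)
    for component in components:
        pcr = extend(pcr, component)
    return pcr

class ToyTPM:
    """Simplified model: a secret is released only if the PCR matches seal time."""

    def __init__(self):
        self.pcr = bytes(32)
        self._sealed = {}

    def boot(self, components):
        # A reset clears the PCR; it can then only be extended, never set directly.
        self.pcr = measure_boot(components)

    def seal(self, name, secret):
        # Bind the secret to the measurements of the currently running boot chain.
        self._sealed[name] = (self.pcr, secret)

    def unseal(self, name):
        policy, secret = self._sealed[name]
        if not hmac.compare_digest(policy, self.pcr):
            return None  # measurements differ: the user never sees the phrase
        return secret

# Constructed boot chains (placeholders for firmware, bootloader, hypervisor+kernel).
GOOD_CHAIN = [b"firmware-1.0", b"bootloader", b"xen+dom0-kernel"]
TAMPERED_CHAIN = [b"firmware-1.0+implant", b"bootloader", b"xen+dom0-kernel"]

if __name__ == "__main__":
    tpm = ToyTPM()
    tpm.boot(GOOD_CHAIN)
    tpm.seal("aem", b"purple giraffe")
    for label, chain in (("clean", GOOD_CHAIN), ("tampered", TAMPERED_CHAIN)):
        tpm.boot(chain)
        print(label, tpm.unseal("aem"))
```

The user checks for the phrase at every boot; its absence is the signal that something in the measured chain changed.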

eggplant

(3,911 posts)
18. Agreed.
Thu Oct 2, 2014, 05:45 PM
Oct 2014

My comments about Qubes are based on a quick, limited reading about them.

You are correct that laptops generally use PS/2 for their built-in keyboards and touchpads, but I think this has more to do with simplicity of design than anything else. Moving them to a USB channel would consume needless resources, so why bother.

Uncle Joe

(58,342 posts)
12. I bought a Sanyo smart television and
Thu Oct 2, 2014, 05:04 PM
Oct 2014

two days ago I got this notice that said my USB or software needed updating, do you know if that's normal, should I click the update button?

Thanks in advance, eggplant.

enlightenment

(8,830 posts)
27. As a non-technical person - a question maybe you can answer?
Fri Oct 3, 2014, 12:24 PM
Oct 2014

If a computer is infected with this malware, can it be "delivered" to a non-infected USB device?

For example: I teach at a college and regularly use my pin drive to tote around the powerpoint presentations, images, etc, that I use in class. I also use this pin drive on my home and work computers because I create the presentations, etc, both at home and in the office.

If someone has an infected pin drive and plugs it into the computer in the classroom - infecting the computer - then I come in after them and plug in my uninfected drive . . .

Can my drive "catch it"?

I'm not panicking - since there isn't much I can do about it - but I'm unclear about the scope of this issue.

Thanks.

eggplant

(3,911 posts)
28. Short answer, maybe.
Fri Oct 3, 2014, 04:08 PM
Oct 2014

Long answer:

There isn't a "this malware". What is described is a mechanism for how malware can hide itself in the firmware of an arbitrary USB device, which can then do evil to something it is plugged into. What that malware actually does could be anything -- its evilness is independent of its transmission vector.

The question you are really asking is whether malware (or any software, actually) running on your PC can be capable of modifying the firmware on an attached USB device so that such a device could then spread the joy.

And the answer is... "it depends." USB devices all share a common attribute -- they all react to particular queries from the thing they plug into in a standard way. This is what allows your computer to ask the device what it is, so it can then treat it properly. "Are you an input device? A storage device? An audio device? ..." "Yes, I'm a mass-storage device (a thumb drive)" or "Yes, I'm a pointing device (a mouse)"

There isn't one common piece of hardware in the device that does this for every USB device out there -- lots of them exist. All are likely to be able to be updated -- this is how the firmware gets on it in the first place. But it might be via a special connector to the board and done prior to the physical assembly of the device. Or it might be a feature that is exposed via the USB interface itself, so that the manufacturer then plugs the device into a special programmer and it burns the firmware onto it.

If it is the former, then your computer probably can't "infect" the device, because it has no mechanism for doing so. If it is the latter, and if the malware on your computer knows the special method required to act like a "special programmer", then it can.

This is where the "it depends" part comes into play. As malware begins to exploit this USB design flaw, it will get fancier and fancier, as more susceptible devices are discovered.

A final note: It is the discovery of the transmission vector (evil USB to host) that is what is in the news, not actual malware based on it. Inevitably it will come, but that will be a separate panic from this one.

By analogy: The discovery of compounds that are readily absorbed into the skin which could theoretically be combined with other compounds (science) led to the invention of contact poisons (CIA). The USB announcement is the discovery, not the invention.
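The "what are you?" exchange described in the post above is answered with USB descriptors, and a host can audit that answer. The following is an added example, not part of the original post: it walks a configuration descriptor set and reports any interface class the host did not expect from that device, such as a thumb drive that also declares a HID keyboard. The two descriptor blobs are constructed samples and `audit` is a hypothetical helper name.

```python
import struct

DT_INTERFACE = 0x04                      # bDescriptorType of an interface descriptor
CLASS_NAMES = {0x03: "HID", 0x08: "mass storage"}
HID_PROTOCOLS = {1: "keyboard", 2: "mouse"}

def parse_interfaces(blob):
    """Return (number, class, subclass, protocol) for each interface descriptor."""
    found, offset = [], 0
    while offset < len(blob):
        if len(blob) - offset < 2:
            raise ValueError(f"truncated descriptor header at offset {offset}")
        length, dtype = blob[offset], blob[offset + 1]
        if length < 2 or offset + length > len(blob):
            raise ValueError(f"malformed descriptor at offset {offset}")
        if dtype == DT_INTERFACE:
            if length < 9:
                raise ValueError(f"short interface descriptor at offset {offset}")
            found.append((blob[offset + 2], blob[offset + 5],
                          blob[offset + 6], blob[offset + 7]))
        offset += length                 # every descriptor starts with its own length
    return found

def audit(blob, expected_classes):
    """List interfaces whose class the host did not expect from this device."""
    findings = []
    for number, cls, _sub, proto in parse_interfaces(blob):
        if cls in expected_classes:
            continue
        name = CLASS_NAMES.get(cls, f"class 0x{cls:02x}")
        detail = HID_PROTOCOLS.get(proto, "") if cls == 0x03 else ""
        findings.append((number, name, detail))
    return findings

# Helpers that build the constructed sample descriptors below.
def cfg(total, interfaces):
    return struct.pack("<BBHBBBBB", 9, 0x02, total, interfaces, 1, 0, 0x80, 50)

def iface(number, endpoints, cls, sub, proto):
    return bytes([9, DT_INTERFACE, number, 0, endpoints, cls, sub, proto, 0])

def endpoint(addr, attrs, max_packet, interval=0):
    return struct.pack("<BBBBHB", 7, 0x05, addr, attrs, max_packet, interval)

STORAGE = iface(0, 2, 0x08, 0x06, 0x50) + endpoint(0x81, 2, 512) + endpoint(0x02, 2, 512)
HID_DESC = bytes([9, 0x21, 0x11, 0x01, 0, 1, 0x22, 63, 0])
KEYBOARD = iface(1, 1, 0x03, 0x01, 0x01) + HID_DESC + endpoint(0x83, 3, 8, 10)

PLAIN_STICK = cfg(32, 1) + STORAGE                     # constructed: storage only
STICK_PLUS_KEYBOARD = cfg(57, 2) + STORAGE + KEYBOARD  # constructed: storage + keyboard

if __name__ == "__main__":
    for label, blob in (("plain", PLAIN_STICK), ("composite", STICK_PLUS_KEYBOARD)):
        print(label, audit(blob, expected_classes={0x08}))
```

On Linux the same bytes can be read from `/sys/bus/usb/devices/<device>/descriptors`. The check only sees what the device declares at enumeration time, so it shows the trust problem rather than solving it.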

enlightenment

(8,830 posts)
31. Ah. I think I understand.
Fri Oct 3, 2014, 06:23 PM
Oct 2014

And very much appreciate the detailed reply. Thank you.

I'm not too much of a worry-wort about these things; I take precautions as they are recommended and try to stay a step ahead of the nasty folk that spend so much quality time coming up with these exploits. That said, I was reading this thread and into my head popped the picture of one of our classroom computers with someone's pin drive stuck into a USB port (probably another instructor who forgot to remove it) and it got me wondering about the possibilities.

I will keep my eyes open for new news and continue to appreciate your thoughtful and informative reply! Thanks again.

 

Man from Pickens

(1,713 posts)
6. Thank you NSA
Thu Oct 2, 2014, 02:43 PM
Oct 2014

Our overlords deliberately making every tech vulnerable so that they could snoop on us without limit is paying its very very very predictable dividends.

eggplant

(3,911 posts)
14. Um, sure.
Thu Oct 2, 2014, 05:22 PM
Oct 2014

This one is pretty hard to blame on the NSA. Unless you have some knowledge you'd like to share?

 

Man from Pickens

(1,713 posts)
22. Remember Heartbleed?
Thu Oct 2, 2014, 08:04 PM
Oct 2014

Wasn't that long ago. Whole internet affected. NSA deliberately introduced a bug into SSL to allow them to penetrate security.

As a result, it is only prudent to suspect they have a hand in other standards with original security flaws.

navarth

(5,927 posts)
9. oh man this sucks
Thu Oct 2, 2014, 04:37 PM
Oct 2014

fucking assholes just made my life harder. what are we going to do to share files, burn DVDs?? fuck.

defacto7

(13,485 posts)
11. OK everybody...
Thu Oct 2, 2014, 04:51 PM
Oct 2014

It's back to PC2 ports and 3-1/2" floppies! Don't forget, only Parallel port printers!

Oh wait????

eggplant

(3,911 posts)
16. Damn, and I just tossed my USB-to-parallel cable. (really!)
Thu Oct 2, 2014, 05:27 PM
Oct 2014

(of course, it could have been infected too...)

I do wonder if it would be possible to modify a PS/2 keyboard to do the same thing? It would require *adding* hardware to the keyboard (or an inline coupler, like a keystroke recorder), and it wouldn't be able to perform smart attacks, and it would be pretty easy to figure out what happened after enough people got this. And if you have access to the keyboard in the first place, you could just manually perform whatever hack you were doing anyway. But it's still possible!

defacto7

(13,485 posts)
24. I noticed
Thu Oct 2, 2014, 10:22 PM
Oct 2014

that the little screws that hold my motherboard in place are getting loose! I thought it was a poltergeist in my box but now I know... It's my USB... they hacked my screws! China or Russia for sure.

Agony

(2,605 posts)
19. The solution is cheap and simple especially if you are handy…
Thu Oct 2, 2014, 06:52 PM
Oct 2014

this is the european version and if you want to protect micro or mini usb ports you will need an adapter. Once you use this on a USB port you will never have to worry about infections again.

USBkiller


at your service,
Agony

eggplant

(3,911 posts)
29. It is the computer equivalent of sticking a fork into a light socket.
Fri Oct 3, 2014, 04:12 PM
Oct 2014

bzzzt. >pop<

no more computer, no more problem.

Octafish

(55,745 posts)
30. ''Can't infect paper with a virus.'' Not yet, perhaps.
Fri Oct 3, 2014, 04:23 PM
Oct 2014

In Stanislaw Lem's "Memoirs Found in a Bathtub," just such an event happens.

In the story, a space probe returns to earth with a weird virus that consumes paper. All the planet's governments and bureaucracies fall into chaos as the printed record disappears. The protagonist sets to interview someone in the Fifth-Generation Pentagon, buried deep within the earth. He discovers that he is a suspected spy by everyone he meets, who also suspect most everyone else of being a spy because they are, most of whom work for the Soviets, themselves buried deep within the earth in their own Pentagon, spying on us and each other. A great, great book.
