Do you have adblock enabled?
 
If you can read this, either the style sheet didn't load or you have an older browser that doesn't support style sheets. Try clearing your browser cache and refreshing the page.

(Wired)   Time to wrap your USB cables in tinfoil   (wired.com ) divider line
    More: Obvious, USB, flash drives, computer users, flash memory, nonprofit corporation, black hat, firmware  
•       •       •

6106 clicks; posted to Geek » on 31 Jul 2014 at 6:32 PM (1 year ago)   |   Favorite    |   share:  Share on Twitter share via Email Share on Facebook   more»



64 Comments   (+0 »)
   
View Voting Results: Smartest and Funniest

Archived thread

First | « | 1 | 2 | » | Last | Show all
 
2014-07-31 02:59:52 PM  
Well, that's certainly terrifying.
 
2014-07-31 03:34:36 PM  
Are they saying you can alter the code in a the controller of a USB flash drive *without* physically getting at the electronics (i.e. "flash" it as it is plugged into a computer)?  Because if so, I didn't think that was possible with your standard USB flash drive.
 
2014-07-31 03:48:51 PM  
It would seem the  img1.fark.net tag could legitimately be used here.
 
2014-07-31 04:51:25 PM  
USB is also the first global standard plug. You can charge a USB device anywhere in the world. It's not going away easily.
 
2014-07-31 05:00:58 PM  
So... pretty much every smartphone is a USB storage device, constantly whored around whatever jack is available for charging... guess we're all farked, guys.
 
wee
2014-07-31 06:12:07 PM  

UberDave: Because if so, I didn't think that was possible with your standard USB flash drive.


Turns out that it is, I guess.  I reckoned that's how manufacturer's update the firmware on already-made devices, or something.

Weird there's not even a checksum on the firmware code.
 
2014-07-31 06:42:53 PM  
If a hacker has physical access to your computer, you've vacated any slight ounce of security you had.
 
2014-07-31 06:44:27 PM  
and has anyone ever gotten a malware infection from Flash Drives? 99% of the ones I deal with are from idiots who are either using porn downloaders, questionable file sharing options, or see a minor problem (my computer's slow!) and try to "fix" it by downloading tools that don't work.
 
2014-07-31 06:44:58 PM  
So...
www.blackmagicdesign.com
...better?

/Not a hacker, honest question
 
2014-07-31 06:49:25 PM  

saintstryfe: If a hacker has physical access to your computer, you've vacated any slight ounce of security you had.


Physical access is root access, so they say
 
2014-07-31 06:50:19 PM  

saintstryfe: and has anyone ever gotten a malware infection from Flash Drives? 99% of the ones I deal with are from idiots who are either using porn downloaders, questionable file sharing options, or see a minor problem (my computer's slow!) and try to "fix" it by downloading tools that don't work.


I never have but I could see it if someone got some cheap flash drives from a shady ebay seller.
 
2014-07-31 06:52:35 PM  
If your computer is attached to the Internet, it is not secure
 
2014-07-31 06:52:50 PM  
Still not as bad as firewire that can pown your PC using DMA as ring zero access.

/Still would like to lock down windows so USB storage is using standard storage drivers or nothing.
 
2014-07-31 07:01:35 PM  

UberDave: Are they saying you can alter the code in a the controller of a USB flash drive *without* physically getting at the electronics (i.e. "flash" it as it is plugged into a computer)?  Because if so, I didn't think that was possible with your standard USB flash drive.


Nope, the only significant difference appears to be that the new attack method affects the firmware of the flash drive itself, and that makes it significantly more difficult to detect. The old tried and true method of "don't stick it where it don't belong" still works.
 
2014-07-31 07:02:21 PM  
Just wait until the Chinese start doing this to every damned device they manufacturer.

Hold on ... someone's at the door ... delivery guy ... OH COOL! AN OFFICIAL NSA KEYBOARD! FOR FREE!
 
2014-07-31 07:06:58 PM  

saintstryfe: and has anyone ever gotten a malware infection from Flash Drives? 99% of the ones I deal with are from idiots who are either using porn downloaders, questionable file sharing options, or see a minor problem (my computer's slow!) and try to "fix" it by downloading tools that don't work.


Are you familiar with Stuxnet, by chance?

/if not, Google it
 
2014-07-31 07:07:13 PM  
So much for air gap security, right?
 
2014-07-31 07:14:42 PM  

cretinbob: If your computer is attached to the Internet, it is not secure


This

HeartBurnKid: Are you familiar with Stuxnet, by chance?


That

Kanemano: Physical access is root access, so they say


And the other thing.

static.comicvine.com
 
2014-07-31 07:18:38 PM  
I remember back in college the admins over at the computer lab started freaking out, and scanning everyone's floppy disks, as someone apparently brought a virus into the building....

Viruses on floppy disks are silly enough, let alone i doubt that there is even a need to have a building of computers anymore for people to type their term papers.
 
2014-07-31 07:20:36 PM  
Wasn't there a story a while back about thumb drives shipping from the manufacturer in China with cooties on them already?
 
2014-07-31 07:20:59 PM  

Brainsick: So...
[www.blackmagicdesign.com image 274x295]
...better?

/Not a hacker, honest question


Not really, SD cards have firmware too and it can be modified.  However, this issue strikes me as somewhat of a nonissue that they're trying to hype up to get more publicity.  Sure, you can modify the firmware on pretty much anything, but so what?  Almost every device uses a different method to modify the firmware, so unless you deploy some gargantuan virus that recognizes every potential set of hardware it can duplicate itself to, it's not going to get very far.  Even if such a virus existed, it would have to be copied to a pc before it can be copied to another usb device, and as soon as that happens it's exposed to a virus scanner.  Maybe this attack is relevant for those running very targeted attacks against very specific people for very specific information, but I'd consider it completely irrelevant for the other 99.997% of us.
 
2014-07-31 07:22:41 PM  
I worded that last sentence slightly wrong, but close enough.
 
ZAZ [TotalFark]
2014-07-31 07:24:39 PM  
So the fix is to make your computer treat USB devices as passive only unless the previously recognized keyboard says it's OK?

Passive meaning storage is OK, but input device is not.
 
2014-07-31 07:25:48 PM  

cretinbob: If your computer is attached to the Internet, it is not secure


This is why I stopped using the internet years ago.
 
2014-07-31 07:32:21 PM  

Rezurok: Brainsick: So...
[www.blackmagicdesign.com image 274x295]
...better?

/Not a hacker, honest question

Not really, SD cards have firmware too and it can be modified.  However, this issue strikes me as somewhat of a nonissue that they're trying to hype up to get more publicity.  Sure, you can modify the firmware on pretty much anything, but so what?  Almost every device uses a different method to modify the firmware, so unless you deploy some gargantuan virus that recognizes every potential set of hardware it can duplicate itself to, it's not going to get very far.  Even if such a virus existed, it would have to be copied to a pc before it can be copied to another usb device, and as soon as that happens it's exposed to a virus scanner.  Maybe this attack is relevant for those running very targeted attacks against very specific people for very specific information, but I'd consider it completely irrelevant for the other 99.997% of us.


Gracias

/I figured they probably had firmware


The best method of information security, when it really, REALLY matters:
encrypted-tbn3.gstatic.comimg.fark.neti.kinja-img.com

/though you'd have to destroy the typewriter ribbon too...hmmm
 
2014-07-31 07:34:48 PM  

T.rex: I remember back in college the admins over at the computer lab started freaking out, and scanning everyone's floppy disks, as someone apparently brought a virus into the building....

Viruses on floppy disks are silly enough, let alone i doubt that there is even a need to have a building of computers anymore for people to type their term papers.

 
2014-07-31 07:36:38 PM  

UberDave: Are they saying you can alter the code in a the controller of a USB flash drive *without* physically getting at the electronics (i.e. "flash" it as it is plugged into a computer)?  Because if so, I didn't think that was possible with your standard USB flash drive.


I think it is the opposite. You can put malware in the firmware of any USB device and nothing can change it or likely even detect it. Potentially, any USB device(mouse, keyboard, thumbdrive, etc) could be infected and you wouldn't know it.
 
2014-07-31 07:37:09 PM  

UberDave: Are they saying you can alter the code in a the controller of a USB flash drive *without* physically getting at the electronics (i.e. "flash" it as it is plugged into a computer)?  Because if so, I didn't think that was possible with your standard USB flash drive.


This, read the article off Slashdot earlier and it looks like if you want to make my KB into a vector you need my KB so, you have physical access to my computer..so...

The USB stick Keyboard or nic emulation is kind of neat though, don't plug random flash drives into your computer

/Idiots
 
2014-07-31 07:40:21 PM  
1. Find a pair of twins who have developed their own secret written language
2. Fly one to destination of your data
3. Have the other twin encrypt your data using their language
4. Send data over public channels
5. Have the remote twin decode the message
6. ???
 
2014-07-31 07:46:07 PM  
The whole article is skewed toward FUD.  There are only two scenarios that are possible for this to make any sense, either a hacked stick is given to the victim or a victim inserts their own stick into a system that somehow has the ability to overwrite the firmware on it without tipping anyone off that it's happening.

The first is a simple matter of not using one you are unsure of it's provenance.  The second is, at best, questionable in its implementation.  Rewriting the firmware of a device in use is a bit more complicated than infecting files stored on it.  Wake me when there's proof someone's been able to figure out how to do so without it being obvious to everyone involved.

What's even wackier is that all this discussion focuses on storage devices, as if hacking firmware is exclusive to them.  It is just as easy for a person to hack the firmware on a non-storage usb device to do the same thing.  That fancy programmable flight stick you got from a buddy? It's stealing your credit card info.  That webcam you picked up at a garage sale?  Yep, hacked to watch you surf for porn.

Hacking the hardware is old.  This is little more inventive than rootkitting cds or glorified vChipping a peripheral to record and report sensitive data.  Either you risk the possibility that a device was designed with malicious intent or you go back to pen and paper and avoid tech...
 
2014-07-31 07:49:25 PM  

Prophet of Loss: 1. Find a pair of twins who have developed their own secret written language
2. Fly one to destination of your data
3. Have the other twin encrypt your data using their language
4. Send data over public channels
5. Have the remote twin decode the message
6. ???


So... Navajo code talkers?

We've come a long way since then. Public key encryption would be more secure than your proposed method.
 
2014-07-31 07:54:19 PM  

Mr Tarantula: Prophet of Loss: 1. Find a pair of twins who have developed their own secret written language
2. Fly one to destination of your data
3. Have the other twin encrypt your data using their language
4. Send data over public channels
5. Have the remote twin decode the message
6. ???

So... Navajo code talkers?

We've come a long way since then. Public key encryption would be more secure than your proposed method.


There are still more than two Navajos. PKE would be more secure ... in theory. But, a lot of resources are behind ensuring all encryption algorithms publicly available are breakable by The State.
 
2014-07-31 07:59:33 PM  

UberDave: Are they saying you can alter the code in a the controller of a USB flash drive *without* physically getting at the electronics (i.e. "flash" it as it is plugged into a computer)?  Because if so, I didn't think that was possible with your standard USB flash drive.


They're claiming to have written software what will silently modify the firmware of any unknown USB device into an also silent program that can propagate to a client machine and let the client machine start making bugs as well. Anyone who has ever tried to modify firmware on ANY electronic device knows that this is:

1.) Bullsh*t, having ONE memory location off will brick the device, and the bazillion USB device manufacturers do not use universal firmware ROMs on their chips. They may have written a program that will infect a particular size USB memory stick using a chip manufactured by one company between August and November 2010.
2.) Blown out of proportion with the OMGZORRZ it's invisible!!11one! angle. If it's that easy to read/write to the firmware section, it's just as easy for every antivirus scanner manufacturer to deploy a hotfix TOMORROW to scan the firmware for bugs before accessing the device.
 
2014-07-31 08:01:07 PM  
And a $5 wrench would ensure that your twin code would be breakable.

/on mobile, so insert appropriate xkcd here
 
2014-07-31 08:02:41 PM  

Mr Tarantula: And a $5 wrench would ensure that your twin code would be breakable.

/on mobile, so insert appropriate xkcd here


Sigh... This reply meant for Prophet of Loss.

/stupid mobile site
 
2014-07-31 08:03:41 PM  

Prophet of Loss: 1. Find a pair of twins who have developed their own secret written language


img.fark.net

Wait, I forgot.   What were we doing again?
 
2014-07-31 08:08:24 PM  

saintstryfe: and has anyone ever gotten a malware infection from Flash Drives? 99% of the ones I deal with are from idiots who are either using porn downloaders, questionable file sharing options, or see a minor problem (my computer's slow!) and try to "fix" it by downloading tools that don't work.


Actually yes quite, a few people have. The problem is they aren't the type of targets you'd be providing IT support for, they'd be world powers and bankers.
 
2014-07-31 08:10:25 PM  

albatros183: UberDave: Are they saying you can alter the code in a the controller of a USB flash drive *without* physically getting at the electronics (i.e. "flash" it as it is plugged into a computer)?  Because if so, I didn't think that was possible with your standard USB flash drive.

This, read the article off Slashdot earlier and it looks like if you want to make my KB into a vector you need my KB so, you have physical access to my computer..so...

The USB stick Keyboard or nic emulation is kind of neat though, don't plug random flash drives into your computer

/Idiots


I remember reading about a social engineering scheme where a pair of men would enter the building claiming to be inspectors from the Fire Department. They even had a guy outside to provide radio chatter. They walk around with their escort put then split up. The unmonitored guy "checks the power supply fan" while secretly plugging in a USB keylogger. They follow up a couple weeks later and remove the keyloggers. Nobody in the office knows anything is up unless an IT guy find the keyloggers.
 
2014-07-31 08:27:16 PM  

Brainsick: Rezurok: Brainsick: So...
[www.blackmagicdesign.com image 274x295]
...better?

/Not a hacker, honest question

Not really, SD cards have firmware too and it can be modified.  However, this issue strikes me as somewhat of a nonissue that they're trying to hype up to get more publicity.  Sure, you can modify the firmware on pretty much anything, but so what?  Almost every device uses a different method to modify the firmware, so unless you deploy some gargantuan virus that recognizes every potential set of hardware it can duplicate itself to, it's not going to get very far.  Even if such a virus existed, it would have to be copied to a pc before it can be copied to another usb device, and as soon as that happens it's exposed to a virus scanner.  Maybe this attack is relevant for those running very targeted attacks against very specific people for very specific information, but I'd consider it completely irrelevant for the other 99.997% of us.

Gracias

/I figured they probably had firmware


The best method of information security, when it really, REALLY matters:
[encrypted-tbn3.gstatic.com image 226x223][img.fark.net image 259x194][i.kinja-img.com image 300x257]

/though you'd have to destroy the typewriter ribbon too...hmmm


pretty sure the best information security is the good 'ole spoken word
 
2014-07-31 08:30:21 PM  
'IN THIS NEW WAY OF THINKING, YOU HAVE TO CONSIDER A USB INFECTED AND THROW IT AWAY AS SOON AS IT TOUCHES A NON-TRUSTED COMPUTER.'

Speaking of non-trusted, how about alleged computer experts who say 'a USB' as if it's a complete noun?

/splain to me again how a device which initially identifies itself as USB Mass Storage is going to modify the DNS settings of its host?
 
2014-07-31 08:40:59 PM  

saintstryfe: and has anyone ever gotten a malware infection from Flash Drives? 99% of the ones I deal with are from idiots who are either using porn downloaders, questionable file sharing options, or see a minor problem (my computer's slow!) and try to "fix" it by downloading tools that don't work.


Conficker/Coreflood and their ilk are rampant on flash drives. Because hurr-durr I'm an Executive and I can fire your ass, thats why.
 
2014-07-31 08:42:08 PM  

AdamK: Brainsick: Rezurok: Brainsick: So...
[www.blackmagicdesign.com image 274x295]
...better?

/Not a hacker, honest question

Not really, SD cards have firmware too and it can be modified.  However, this issue strikes me as somewhat of a nonissue that they're trying to hype up to get more publicity.  Sure, you can modify the firmware on pretty much anything, but so what?  Almost every device uses a different method to modify the firmware, so unless you deploy some gargantuan virus that recognizes every potential set of hardware it can duplicate itself to, it's not going to get very far.  Even if such a virus existed, it would have to be copied to a pc before it can be copied to another usb device, and as soon as that happens it's exposed to a virus scanner.  Maybe this attack is relevant for those running very targeted attacks against very specific people for very specific information, but I'd consider it completely irrelevant for the other 99.997% of us.

Gracias

/I figured they probably had firmware


The best method of information security, when it really, REALLY matters:
[encrypted-tbn3.gstatic.com image 226x223][img.fark.net image 259x194][i.kinja-img.com image 300x257]

/though you'd have to destroy the typewriter ribbon too...hmmm

pretty sure the best information security is the good 'ole spoken word


True
 
2014-07-31 08:53:01 PM  

Rezurok: Brainsick: So...
[www.blackmagicdesign.com image 274x295]
...better?

/Not a hacker, honest question

Not really, SD cards have firmware too and it can be modified.  However, this issue strikes me as somewhat of a nonissue that they're trying to hype up to get more publicity.  Sure, you can modify the firmware on pretty much anything, but so what?  Almost every device uses a different method to modify the firmware, so unless you deploy some gargantuan virus that recognizes every potential set of hardware it can duplicate itself to, it's not going to get very far.  Even if such a virus existed, it would have to be copied to a pc before it can be copied to another usb device, and as soon as that happens it's exposed to a virus scanner.  Maybe this attack is relevant for those running very targeted attacks against very specific people for very specific information, but I'd consider it completely irrelevant for the other 99.997% of us.


A lot of common cheap USB devices use the same chips across brands where the only difference in firmware is the brand/vendor id/model id, the rest is boilerplate. Plenty of examples of brand A firmware being flashed onto brand B because its the exact same thing in a different case. Besides, it wouldn't be difficult at all for the code to query an external site for device-specific code.
 
2014-07-31 08:59:26 PM  

Mr Tarantula: Mr Tarantula: And a $5 wrench would ensure that your twin code would be breakable.

/on mobile, so insert appropriate xkcd here

Sigh... This reply meant for Prophet of Loss.

/stupid mobile site


I think we have taken this obvious joke post as far as it can go ... in the opposite direction.

f.kulfoto.com

Good night and thanks for all the fish.
 
2014-07-31 09:02:19 PM  

poot_rootbeer: 'IN THIS NEW WAY OF THINKING, YOU HAVE TO CONSIDER A USB INFECTED AND THROW IT AWAY AS SOON AS IT TOUCHES A NON-TRUSTED COMPUTER.'

Speaking of non-trusted, how about alleged computer experts who say 'a USB' as if it's a complete noun?

/splain to me again how a device which initially identifies itself as USB Mass Storage is going to modify the DNS settings of its host?


The problem is it would also identify as a network adapter, with its own DNS settings. Or it may identify itself as a keyboard, then edit your hosts file.
 
2014-07-31 09:16:26 PM  
I suspect they will be getting a call from the government...

for help in exploiting this.
 
2014-07-31 09:24:42 PM  

poot_rootbeer: Speaking of non-trusted, how about alleged computer experts who say 'a USB' as if it's a complete noun?


"Tell me of your homeworld, USuB"

photos1.blogger.com
 
2014-07-31 09:29:42 PM  

Brainsick: Rezurok: Brainsick: So...
[www.blackmagicdesign.com image 274x295]
...better?

/Not a hacker, honest question

Not really, SD cards have firmware too and it can be modified.  However, this issue strikes me as somewhat of a nonissue that they're trying to hype up to get more publicity.  Sure, you can modify the firmware on pretty much anything, but so what?  Almost every device uses a different method to modify the firmware, so unless you deploy some gargantuan virus that recognizes every potential set of hardware it can duplicate itself to, it's not going to get very far.  Even if such a virus existed, it would have to be copied to a pc before it can be copied to another usb device, and as soon as that happens it's exposed to a virus scanner.  Maybe this attack is relevant for those running very targeted attacks against very specific people for very specific information, but I'd consider it completely irrelevant for the other 99.997% of us.

Gracias

/I figured they probably had firmware


The best method of information security, when it really, REALLY matters:
[encrypted-tbn3.gstatic.com image 226x223][img.fark.net image 259x194][i.kinja-img.com image 300x257]

/though you'd have to destroy the typewriter ribbon too...hmmm


No, you just reuse an ancient cloth one for the thousandth time applying ink
 
2014-07-31 09:33:21 PM  

poot_rootbeer: /splain to me again how a device which initially identifies itself as USB Mass Storage is going to modify the DNS settings of its host?


At a guess, also register as a keyboard.  Fake a WindowsKey keycode.  Fake  tabs down to the search box (actually it seems to start there), fake key a search for cmd.exe,  then fake key enter a NETSH command to modify the DNS to an evil one.

/might be able to alter the hosts file too, but that's usually set read-only, so you'd have to include commands to make it R/W as well as know the hostname you want to spoof
 
2014-07-31 09:37:00 PM  
www.eonline.com
 
Displayed 50 of 64 comments

First | « | 1 | 2 | » | Last | Show all

View Voting Results: Smartest and Funniest


This thread is archived, and closed to new comments.

Continue Farking
Submit a Link »
On Twitter






In Other Media


  1. Links are submitted by members of the Fark community.

  2. When community members submit a link, they also write a custom headline for the story.

  3. Other Farkers comment on the links. This is the number of comments. Click here to read them.

  4. Click here to submit a link.

Report