TechSpot

Researchers uncover fundamental USB security flaw, no fix in sight

By Shawn Knight
Jul 31, 2014
Post New Reply
  1. A pair of security researchers from SR Labs have uncovered a fundamental flaw in the way USB devices work. It affects every single USB device out there and worst yet, there's no line of defense short of prohibiting USB stick...

    Read more
     
  2. MilwaukeeMike

    MilwaukeeMike TS Evangelist Posts: 2,133   +731

    Oh good... maybe they can include instructions on how to use it so everyone can be a crook.

    Why is the first thing these security guys do when they find a flaw is show everyone how it works. Shouldn't they quietly go to the USB commission or whatever and tell them about it so it can be fixed in the future?

    Oh, right... then we'd have never heard of Karsten and Jakob and they wouldn't get to stand on a stage and tell everyone how smart they are....
     
    JC713 likes this.
  3. I say lets just all revert to pen and paper
     
  4. madboyv1

    madboyv1 TechSpot Paladin Posts: 959   +49

  5. By letting everyone know about the problem it'll ensure that the issue is seen to quickly and not just ignored.
     
    SantistaUSA likes this.
  6. VitalyT

    VitalyT TS Evangelist Posts: 1,948   +577

    The way things are going, we all will, eventually.
     
  7. tomkaten

    tomkaten TS Enthusiast Posts: 92   +31

    Ok, so I don't understand exactly how this works. Does one need physical access to the device to corrupt it or a trojan could do that when the pen drive is plugged in ?

    In any case, it's bad news for everyone.
     
  8. "It affects every single USB device out there"... im not so sure about that,
    most USB firmware is read-only. this only affects USB devices that can receive firmware updates.
     
    snjomadurinn and EEatGDL like this.
  9. tomkaten

    tomkaten TS Enthusiast Posts: 92   +31

    Exactly what I was thinking, Guest.
     
  10. MilwaukeeMike

    MilwaukeeMike TS Evangelist Posts: 2,133   +731

    Shhhh! You're wrecking our doomsday panicking!

    Seriously though... you could corrupt a drive when it's manufactured though, right? So say a country who's government has their hands in manufacturing like *cough* CHINA *cough* could make USB devices that contained malware.
     
  11. PC EliTiST

    PC EliTiST TS Rookie Posts: 44

    What does this mean? My keyboard is safe, but my mouse isn't? My mouse is a Razer that can take firmware updates, as you might know...

    This is a mess, the entire world with any kind of USB devices can't do anything atm. Only to buy new devices when revised ones will be out, lol. In that case -well, understand it's impossible, but shouldn't the company behind USB pay? Pay for the whole world!
     
     
  12. Tharien

    Tharien TS Rookie

    like out of the kindness of their heart?

    The way some think the poor freeload is analogous to this.
     
  13. dividebyzero

    dividebyzero trainee n00b Posts: 4,915   +718

    The transformation of cycads and dinosaurs into oil was a rapid process in comparison to the speed that the USB-IF work at, so I'm guessing that (and bearing in mind just how many USB devices are in circulation) this could be some kind of public airing to light a life under the standards organization.
    The only time I've ever witnessed the organization move with any speed is when they've been threatened with competition (DisplayPort, Thunderbolt)
    The way things are going, humans will end up carving pictograms into cave walls using flint :eek:
     
  14. ---agissi---

    ---agissi--- TechSpot Paladin Posts: 2,384   +15

    USB devices havnt been allowed to be plugged into a gov. computer since Ive been in the AF.. about 4yrs. The ports have been taped over or what not on every computer.
     
  15. Some people seem to not understand the severity of this. Manufacturers can include malware in their devices. Of course the NSA would never force companies to do their bidding... The only way around this would be using an unknown operating system so the malware couldn't execute. Clearly it could affect all the major players: Microsoft, Apple, and even Linux distros (Android, Ubuntu, etc). :/
     
  16. I always hated USB...
     
  17. trgz

    trgz TS Rookie Posts: 55

    Do they still use PS2 or Din mice and keyboards?
     
  18. The bug has to be loaded physically. Once it is loaded into the firmware, any device that it is connected to, can be controlled/manipulated.
     
  19. Right letting everyone know dont prod them into fixing the flaw or anything or let you take action, there may well be machines of such importance that filling the usb port with epoxy or superglue a clean bluetooth dongle in it.
    If you were an activist in China I am sure you would want to know this.
     
  20. But someone can make their own malware USB and distribute it.
     
  21. Enigma.
     
  22. I prefer to know what NSA or anyone else can do to my systems soo I can take measures to protect myself.

    I have a home network thats NOT connected to Internet or wireless at all.

    Im not paranoid but had a severe infection moving around in my LAN almost impossible to stop.
    Had to replace lot of stuff with boxes I could control everything on.
    Using openBSD and minimum of services.

    For internet I have one computer where I can write a fresh Image to the HDD whenever I want and I administer my networks using old laptop without HDD and boot from DVD.

    Im just being realistic about controlling access to my network and my stuff!
     
  23. Wouldn't it be relatively easy for HIPS to catch the monkey business and automatically stop the USB controller?
     
  24. The researchers are quoted further on ZDNet:
    "Malware scanners cannot access the firmware running on USB devices. USB firewalls that block certain device classes do not (yet) exist. And behavioral detection is difficult, since a BadUSB device’s behavior when it changes its persona looks as though a user has simply plugged in a new device."
     
  25. DAOWAce

    DAOWAce TS Rookie Posts: 70

    Oh, joy, just what we need, more security issues.
     


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...
Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.