#11
BadUSB security flaw (massive undetectable USB reprogramming vulnerability)
On 2014-07-31, bob mullen wrote:
Massive, undetectable security flaw found in USB
http://www.extremetech.com/computing...ible-security-flaw-found-in-usb-its-time-to-get-your-ps2-keyboard-out-of-the-cupboard

haha, my keyboard at work has a PS/2 plug, but this one here has a PC/AT style plug.

--
umop apisdn

--- news://freenews.netfront.net/ - complaints: ---
#12
BadUSB security flaw (massive undetectable USB reprogramming vulnerability)
On 2014-08-01, VanguardLH wrote:
William Unruh wrote:

["Followup-To:" header set to alt.os.linux.]

On 2014-07-31, VanguardLH wrote:

bob mullen wrote:

Massive, undetectable security flaw found in USB
http://www.extremetech.com/computing...f-the-cupboard

"This flaw, dubbed BadUSB by Security Research Labs in Berlin, leverages the fact that every USB device has a controller chip. Whether it's your PC, smartphone, external hard drive, or an audio breakout box, there's a USB controller chip in every device that controls the USB connection to other devices.

Every computer hardware interface has a controller. You thought the wires and foils handled the logic?

Yes, And?

It turns out, according to SR Labs, that these controllers have firmware that can be reprogrammed to do a whole host of malicious things - and, perhaps most importantly, this reprogramming is almost impossible to detect."

Same for the EEPROM holding your BIOS.

Yes, but someone can lend you a usb stick to stick into your computer, subverting it. They cannot stick their eeprom into your machine, nor can they install junk on your eeprom without you perhaps noticing that they have your computer.

Reprogrammers have to run. That would be for EEPROM writing as well as USB controller firmware updating. USB drives have been a sore point regarding security. Smart users disable auto-run on removable media devices. Thereafter the user would have to be conned into running a program so it could reprogram the BIOS or the USB firmware, or a NIC with firmware, or anything else with reprogrammable firmware.

No, the usb stick's eeprom has already been reprogrammed with the malware. You stick it into your computer and that firmware claims it is both a usbstick and a keyboard say. Your system sets it up (You already said that you wanted a memory device by plugging it in) and then types commands into your machine. Keyboards are pretty automatically recognized. I have never had to say "Yes, I want that keyboard attached" when a keyboard was plugged into my computer running Linux.
#13
BadUSB security flaw (massive undetectable USB reprogramming vulnerability)
On 2014-08-01, crankypuss wrote:
On 08/01/2014 03:41 AM, VanguardLH wrote:

....

Smart users disable auto-run on removable media devices.

That should never, ever, be a default setting distributed with the opsys. The user should *always* have to choose to opt-in to auto-run, there's nothing dramatically difficult about a first-time prompt to see what the user wants.

For a keyboard? I have never been asked if I want my keyboard attached.

Thereafter the user would have to be conned into running a program so it could reprogram the BIOS or the USB firmware, or a NIC with firmware, or anything else with reprogrammable firmware.

It isn't clear to me how the user can know that he is not being conned. Both Windows (last time I used it) and linux lack any "master console mode" so the user can tell whether a prompt is legitimately from the opsys or a spoof-dialog. It could certainly be done via a driver that gloms the last line of the display device for system status, thus making that line unavailable to any application.

??? It is a keyboard. What harm could there be in a keyboard? :-)
#14
BadUSB security flaw (massive undetectable USB reprogramming vulnerability)
On Thu, 31 Jul 2014 18:44:09 -0400, Paul wrote:
[snip]

The quickest solution, is to add a prompt to the "new hardware" dialog.

"I think you have added a USB Mass Storage device"

"This device appears to be a web cam. It claims a composite device block at the top level, with one UVC video device and one audio device underneath that top level."

"Do you want to accept connection via these classes only ? Y/N"

How many users will simply click Yes just as they do with so many other arcane prompts?

[snip]

Sincerely,

Gene Wirchenko
#15
BadUSB security flaw (massive undetectable USB reprogramming vulnerability)
Gene Wirchenko wrote:
On Thu, 31 Jul 2014 18:44:09 -0400, Paul wrote:

[snip]

The quickest solution, is to add a prompt to the "new hardware" dialog.

"I think you have added a USB Mass Storage device"

"This device appears to be a web cam. It claims a composite device block at the top level, with one UVC video device and one audio device underneath that top level."

"Do you want to accept connection via these classes only ? Y/N"

How many users will simply click Yes just as they do with so many other arcane prompts?

[snip]

Sincerely,

Gene Wirchenko

The OS side has ultimate control. A bugged device cannot force an endpoint connection. It is up to the OS to set it up.

Either the OS or AV code, could hook the routine that sets up new USB devices. If the characteristics of the devices were recorded by the manufacturers of them, an AV code could simply deny the connection entirely, then present a dialog box indicating what has happened. The only time the user sees a dialog in this case, is when the thing they plugged in, doesn't work at all.

Using the user as a filter, avoided the need for a central registry. But if you wanted to do the extra work, you could simply lock out devices that don't match their hardware template (i.e. Logitech 9000 has composite+video+audio but no HID).

Paul
#16
BadUSB security flaw (massive undetectable USB reprogramming vulnerability)
On 8/1/2014 5:53 AM, Jasen Betts wrote:
On 2014-07-31, bob mullen wrote:

Massive, undetectable security flaw found in USB
http://www.extremetech.com/computing...ible-security-flaw-found-in-usb-its-time-to-get-your-ps2-keyboard-out-of-the-cupboard

haha, my keyboard at work has a PS/2 plug, but this one here has a PC/AT style plug.

Get an adapter.
#17
BadUSB security flaw (massive undetectable USB reprogramming vulnerability)
Gene Wirchenko writes:
How many users will simply click Yes just as they do with so many other arcane prompts?

Most. That's their business.

Seems reasonable to me for the OS to accept the first keyboard and mouse that offer themselves but at least ask permission before accepting any more of those.

--
John Hasler
Dancing Horse Hill
Elmwood, WI USA
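Added example (not part of any post in this thread): a Python implementation of the two policies proposed above, Paul's per-device class template and John Hasler's ask-before-a-second-keyboard rule, applied to a raw USB configuration descriptor before any driver is bound. The template registry, the vendor/product IDs, the sample descriptors and the names `interface_classes` and `decide` are all constructed for illustration.

```python
# Added example, not from the thread. Vendor/product IDs and templates are constructed.
AUDIO, HID, MASS_STORAGE, VIDEO = 0x01, 0x03, 0x08, 0x0E  # USB-IF base class codes
DT_INTERFACE = 0x04                                        # interface descriptor type

# Hypothetical registry of manufacturer templates: (idVendor, idProduct) -> allowed classes
TEMPLATES = {
    (0x1234, 0x0001): {MASS_STORAGE},   # flash drive
    (0x1234, 0x0002): {VIDEO, AUDIO},   # webcam: video + audio, no HID
}

def interface_classes(config):
    """Walk a configuration descriptor blob; collect every bInterfaceClass."""
    classes, i = set(), 0
    while i < len(config):
        if i + 2 > len(config):
            raise ValueError("truncated descriptor header")
        length, dtype = config[i], config[i + 1]
        if length < 2 or i + length > len(config):
            raise ValueError("malformed descriptor at offset %d" % i)
        if dtype == DT_INTERFACE:
            if length < 9:
                raise ValueError("short interface descriptor")
            classes.add(config[i + 5])   # bInterfaceClass is byte 5
        i += length
    return classes

def decide(vid, pid, config, hid_present):
    """Return 'allow', 'deny' or 'ask' for a newly attached device."""
    try:
        seen = interface_classes(config)
    except ValueError:
        return "deny"                        # unparseable descriptors are refused
    template = TEMPLATES.get((vid, pid))
    if template is not None:                 # template rule: no undeclared classes
        return "allow" if seen <= template else "deny"
    if HID in seen and hid_present:          # first-keyboard rule: ask about extras
        return "ask"
    return "allow"

def iface(num, cls, sub=0, proto=0):
    """Constructed sample: interface descriptor plus one bulk IN endpoint."""
    return bytes([9, 4, num, 0, 1, cls, sub, proto, 0]) + bytes([7, 5, 0x81 + num, 2, 64, 0, 0])

def config(*ifaces):
    """Constructed sample: configuration descriptor header followed by its interfaces."""
    body = b"".join(ifaces)
    total = 9 + len(body)
    return bytes([9, 2, total & 0xFF, total >> 8, len(ifaces), 1, 0, 0x80, 50]) + body

STICK = config(iface(0, MASS_STORAGE, 6, 0x50))
BAD_STICK = config(iface(0, MASS_STORAGE, 6, 0x50), iface(1, HID, 1, 1))  # adds a keyboard
```

Everything checked here is self-reported by the device, so a reprogrammed controller can present the vendor/product ID and class set of a genuine keyboard; the template only stops a device from declaring more classes than its recorded model has.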
#18
BadUSB security flaw (massive undetectable USB reprogramming vulnerability)
On Fri, 01 Aug 2014 15:07:07 -0400, Paul wrote:
The OS side has ultimate control. A bugged device cannot force an endpoint connection. It is up to the OS to set it up.

That is not my understanding. A usb device has access to dma, so it can read or write memory, bypassing the cpu.

https://en.wikipedia.org/wiki/DMA_attack

Regards, Dave Hodgins

--
Change nomail.afraid.org to ody.ca to reply by email. (nomail.afraid.org has been set up specifically for use in usenet. Feel free to use it yourself.)
#19
BadUSB security flaw (massive undetectable USB reprogramming vulnerability)
David W. Hodgins writes:
That is not my understanding. A usb device has access to dma, so it can read or write memory, bypassing the cpu.

A built-in hub might have DMA. I don't see how an endpoint device could. On the other hand, as it would be idiotic to allow externally-pluggable devices DMA, I would not be surprised if pc manufacturers have done so.

https://en.wikipedia.org/wiki/DMA_attack

USB is not mentioned.

--
John Hasler
Dancing Horse Hill
Elmwood, WI USA
#20
BadUSB security flaw (massive undetectable USB reprogramming vulnerability)
On Fri, 1 Aug 2014 15:53:23 +0000 (UTC), William Unruh wrote:
On 2014-08-01, crankypuss wrote:

On 08/01/2014 03:41 AM, VanguardLH wrote:

...

Smart users disable auto-run on removable media devices.

That should never, ever, be a default setting distributed with the opsys. The user should *always* have to choose to opt-in to auto-run, there's nothing dramatically difficult about a first-time prompt to see what the user wants.

For a keyboard? I have never been asked if I want my keyboard attached.

Thereafter the user would have to be conned into running a program so it could reprogram the BIOS or the USB firmware, or a NIC with firmware, or anything else with reprogrammable firmware.

It isn't clear to me how the user can know that he is not being conned. Both Windows (last time I used it) and linux lack any "master console mode" so the user can tell whether a prompt is legitimately from the opsys or a spoof-dialog. It could certainly be done via a driver that gloms the last line of the display device for system status, thus making that line unavailable to any application.

??? It is a keyboard. What harm could there be in a keyboard? :-)

A keyboard is *not* a removable-media device. Optical and hard disk drives, thumb drives, & flash cards are removable media...

--
Gene E. Bloch (Stumbling Bloch)