A computer components & hardware forum. HardwareBanter


BadUSB security flaw (massive undetectable USB reprogramming vulnerability)



 
 
#11
August 1st 14, 01:53 PM posted to alt.os.linux,alt.windows7.general,alt.comp.hardware
Jasen Betts

On 2014-07-31, bob mullen wrote:
Massive, undetectable security flaw found in USB
http://www.extremetech.com/computing...ible-security-flaw-found-in-usb-its-time-to-get-your-ps2-keyboard-out-of-the-cupboard


haha, my keyboard at work has a PS/2 plug, but this one here has a
PC/AT style plug.



--
umop apisdn


#12
August 1st 14, 04:50 PM posted to alt.os.linux,alt.windows7.general,alt.comp.hardware
William Unruh

On 2014-08-01, VanguardLH wrote:
William Unruh wrote:

["Followup-To:" header set to alt.os.linux.]
On 2014-07-31, VanguardLH wrote:
bob mullen wrote:

Massive, undetectable security flaw found in USB
http://www.extremetech.com/computing...f-the-cupboard

"This flaw, dubbed BadUSB by Security Research Labs in Berlin, leverages
the fact that every USB device has a controller chip. Whether it's your PC,
smartphone, external hard drive, or an audio breakout box, there's a USB
controller chip in every device that controls the USB connection to other
devices.

Every computer hardware interface has a controller. You thought the
wires and foils handled the logic?


Yes, And?

It turns out, according to SR Labs, that these controllers have
firmware that can be reprogrammed to do a whole host of malicious things -
and, perhaps most importantly, this reprogramming is almost impossible to
detect."

Same for the EEPROM holding your BIOS.


Yes, but someone can lend you a usb stick to stick into your computer,
subverting it. They cannot stick their eeprom into your machine, nor can
they install junk on your eeprom without you perhaps noticing that they
have your computer.


Reprogrammers have to run. That would be for EEPROM writing as well as
USB controller firmware updating. USB drives have been a sore point
regarding security. Smart users disable auto-run on removable media
devices. Thereafter the user would have to be conned into running a
program so it could reprogram the BIOS or the USB firmware, or a NIC
with firmware, or anything else with reprogrammable firmware.


No, the usb stick's eeprom has already been reprogrammed with the
malware. You stick it into your computer and that firmware claims it is
both a usbstick and a keyboard, say. Your system sets it up (you already
said that you wanted a memory device by plugging it in) and then types
commands into your machine.
Keyboards are pretty automatically recognized. I have never had to say
"Yes, I want that keyboard attached" when a keyboard was plugged into my
computer running Linux.


#13
August 1st 14, 04:53 PM posted to alt.os.linux,alt.windows7.general,alt.comp.hardware
William Unruh

On 2014-08-01, crankypuss wrote:
On 08/01/2014 03:41 AM, VanguardLH wrote:

....

Smart users disable auto-run on removable media
devices.


That should never, ever, be a default setting distributed with the
opsys. The user should *always* have to choose to opt-in to auto-run,
there's nothing dramatically difficult about a first-time prompt to see
what the user wants.


For a keyboard?
I have never been asked if I want my keyboard attached.


Thereafter the user would have to be conned into running a
program so it could reprogram the BIOS or the USB firmware, or a NIC
with firmware, or anything else with reprogrammable firmware.


It isn't clear to me how the user can know that he is not being conned.
Both Windows (last time I used it) and linux lack any "master console
mode" so the user can tell whether a prompt is legitimately from the
opsys or a spoof-dialog. It could certainly be done via a driver that
gloms the last line of the display device for system status, thus making
that line unavailable to any application.


??? It is a keyboard. What harm could there be in a keyboard? :-)

#14
August 1st 14, 07:10 PM posted to alt.os.linux,alt.windows7.general,alt.comp.hardware
Gene Wirchenko

On Thu, 31 Jul 2014 18:44:09 -0400, Paul wrote:

[snip]

The quickest solution is to add a prompt to the "new hardware"
dialog.

"I think you have added a USB Mass Storage device"

"This device appears to be a web cam. It claims a composite
device block at the top level, with one UVC video device and
one audio device underneath that top level."

"Do you want to accept connection via these classes only ? Y/N"


How many users will simply click Yes just as they do with so many
other arcane prompts?

[snip]

Sincerely,

Gene Wirchenko
#15
August 1st 14, 08:07 PM posted to alt.os.linux,alt.windows7.general,alt.comp.hardware
Paul

Gene Wirchenko wrote:
On Thu, 31 Jul 2014 18:44:09 -0400, Paul wrote:

[snip]

The quickest solution is to add a prompt to the "new hardware"
dialog.

"I think you have added a USB Mass Storage device"

"This device appears to be a web cam. It claims a composite
device block at the top level, with one UVC video device and
one audio device underneath that top level."

"Do you want to accept connection via these classes only ? Y/N"


How many users will simply click Yes just as they do with so many
other arcane prompts?

[snip]

Sincerely,

Gene Wirchenko


The OS side has ultimate control. A bugged device cannot
force an endpoint connection. It is up to the OS to set it
up.

Either the OS or AV code could hook the routine that
sets up new USB devices. If the characteristics of the
devices were recorded by the manufacturers of them,
an AV code could simply deny the connection entirely,
then present a dialog box indicating what has happened.
The only time the user sees a dialog in this case,
is when the thing they plugged in, doesn't work at all.

Using the user as a filter avoided the need for a
central registry. But if you wanted to do the
extra work, you could simply lock out devices
that don't match their hardware template (i.e.
Logitech 9000 has composite+video+audio but no HID).

Paul
#16
August 1st 14, 09:00 PM posted to alt.os.linux,alt.windows7.general,alt.comp.hardware
ghostrider

On 8/1/2014 5:53 AM, Jasen Betts wrote:
On 2014-07-31, bob mullen wrote:
Massive, undetectable security flaw found in USB
http://www.extremetech.com/computing...ible-security-flaw-found-in-usb-its-time-to-get-your-ps2-keyboard-out-of-the-cupboard


haha, my keyboard at work has a PS/2 plug, but this one here has a
PC/AT style plug.



Get an adapter.
#17
August 1st 14, 09:14 PM posted to alt.os.linux,alt.windows7.general,alt.comp.hardware
John Hasler

Gene Wirchenko writes:
How many users will simply click Yes just as they do with so many
other arcane prompts?


Most. That's their business.

Seems reasonable to me for the OS to accept the first keyboard and mouse
that offer themselves but at least ask permission before accepting any
more of those.
--
John Hasler

Dancing Horse Hill
Elmwood, WI USA
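
Added example (not part of any post in this thread): a sketch of the two host-side policies proposed above, the per-device class template from post #15 and the "first keyboard and mouse only" rule from post #17. The registry, the vendor/product IDs, the `UsbGate` name and the sample enumeration events are all constructed for illustration; only the class and protocol codes are the standard USB ones.

```python
# bInterfaceClass codes assigned by the USB-IF
AUDIO, HID, MASS_STORAGE, VIDEO = 0x01, 0x03, 0x08, 0x0E
# bInterfaceProtocol values for HID boot-interface devices
KEYBOARD, MOUSE = 1, 2

# Hypothetical manufacturer registry keyed by (idVendor, idProduct).
# The IDs are constructed sample values, not real products.
TEMPLATES = {
    (0x1234, 0x0001): {VIDEO, AUDIO},   # webcam: video + audio, no HID
    (0x1234, 0x0002): {MASS_STORAGE},   # plain flash drive
}


class UsbGate:
    """Return ('allow' | 'ask' | 'deny', detail) for each enumerated device."""

    def __init__(self, templates):
        self.templates = templates
        self.seen_hid = set()  # keyboard/mouse protocols already accepted

    def decide(self, vid, pid, interfaces):
        """interfaces: list of (bInterfaceClass, bInterfaceProtocol) pairs."""
        classes = {cls for cls, _ in interfaces}
        template = self.templates.get((vid, pid))
        if template is not None and classes - template:
            # Claims a class its maker never shipped: refuse outright.
            return "deny", sorted(classes - template)
        hid = {p for c, p in interfaces if c == HID and p in (KEYBOARD, MOUSE)}
        repeats = hid & self.seen_hid
        if repeats:
            # A second keyboard or mouse: hold it until the user confirms.
            return "ask", sorted(repeats)
        self.seen_hid |= hid
        return "allow", []


def demo():
    """Run four constructed enumeration events through one gate."""
    gate = UsbGate(TEMPLATES)
    events = [
        (0x1111, 0x0001, [(HID, KEYBOARD)]),                        # desk keyboard
        (0x1234, 0x0001, [(VIDEO, 0), (AUDIO, 0)]),                 # honest webcam
        (0x1234, 0x0002, [(MASS_STORAGE, 0x50), (HID, KEYBOARD)]),  # stick + HID
        (0x2222, 0x0001, [(MASS_STORAGE, 0x50), (HID, KEYBOARD)]),  # unknown stick
    ]
    return [gate.decide(*event) for event in events]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

A template keyed on idVendor/idProduct only catches a device that keeps its identity while adding interfaces; reprogrammed firmware can report any IDs, which is the case the second-keyboard prompt is left to handle.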
#18
August 1st 14, 10:14 PM posted to alt.os.linux,alt.windows7.general,alt.comp.hardware
David W. Hodgins

On Fri, 01 Aug 2014 15:07:07 -0400, Paul wrote:

The OS side has ultimate control. A bugged device cannot
force an endpoint connection. It is up to the OS to set it
up.


That is not my understanding. A usb device has access to dma,
so it can read or write memory, bypassing the cpu.
https://en.wikipedia.org/wiki/DMA_attack

Regards, Dave Hodgins

--
Change nomail.afraid.org to ody.ca to reply by email.
(nomail.afraid.org has been set up specifically for
use in usenet. Feel free to use it yourself.)
#19
August 1st 14, 10:36 PM posted to alt.os.linux,alt.windows7.general,alt.comp.hardware
John Hasler

David W. Hodgins writes:
That is not my understanding. A usb device has access to dma,
so it can read or write memory, bypassing the cpu.


A built-in hub might have DMA. I don't see how an endpoint device
could. On the other hand, as it would be idiotic to allow
externally-pluggable devices DMA, I would not be surprised if pc
manufacturers have done so.

https://en.wikipedia.org/wiki/DMA_attack


USB is not mentioned.
--
John Hasler

Dancing Horse Hill
Elmwood, WI USA
#20
August 1st 14, 10:37 PM posted to alt.os.linux,alt.windows7.general,alt.comp.hardware
Gene E. Bloch

On Fri, 1 Aug 2014 15:53:23 +0000 (UTC), William Unruh wrote:

On 2014-08-01, crankypuss wrote:
On 08/01/2014 03:41 AM, VanguardLH wrote:

...

Smart users disable auto-run on removable media
devices.


That should never, ever, be a default setting distributed with the
opsys. The user should *always* have to choose to opt-in to auto-run,
there's nothing dramatically difficult about a first-time prompt to see
what the user wants.


For a keyboard?
I have never been asked if I want my keyboard attached.


Thereafter the user would have to be conned into running a
program so it could reprogram the BIOS or the USB firmware, or a NIC
with firmware, or anything else with reprogrammable firmware.


It isn't clear to me how the user can know that he is not being conned.
Both Windows (last time I used it) and linux lack any "master console
mode" so the user can tell whether a prompt is legitimately from the
opsys or a spoof-dialog. It could certainly be done via a driver that
gloms the last line of the display device for system status, thus making
that line unavailable to any application.


??? It is a keyboard. What harm could there be in a keyboard? :-)


A keyboard is *not* a removable-media device.

Optical and hard disk drives, thumb drives, & flash cards are removable
media...

--
Gene E. Bloch (Stumbling Bloch)
 




All times are GMT +1. The time now is 06:01 PM.

