USB MELTDOWN!
Images are sometimes not shown due to bandwidth/network limitations. Refreshing the page usually helps.
You are currently reading a thread in /g/ - Technology
You are currently reading a thread in /g/ - Technology
So you thought hartblead was bad !!!
A group of researchers have reverse engineered USB controller firmware to make USB devices run undetectable processes in the background.
Here's the kicker. The tampered USB device can infect the computer, and it can find other USB devices that have a reprogrammable controller chip and infect them to spread the mayhem.
Mouse, keyboard, HDD, flash drives, hubs. All things USB can be hijacked at a firmware level.
What do you guys think of this big security flaw in the USB standard?
>inb4 the OS this works on is only windows
>>43312417
Sauce?
>>43312468
Here you go my goon man.
http://www.wired.com/2014/07/usb-security/
>>43312509
>Here you go my goon man.
*good man (dam dyslexia)
I want to becommie a firmware virus dev
OMG!!!!!!!!!!!!
>>43312452
They state that they managed to infect an android device with this attack. This isn't an attack on an OS, Its an attack on the USB standard itself.
If it follows the standard, it can be attacked!
That's why I use floppy disks.
>>43312417
Is this news? This has been around for a while now.
Even script kiddies that use Kali are making "fake keyboards"
>mfw I use a PS2 Mouse and KB
>mfw I store my files on a NAS
Get out
>>43312417
Maybe they will finally kill this fucking piece of shit called USB. This and HDMI are the most fucking shitty problematic and unreliable connections ever conceived.
>>43312509
>wired.cum
![rapper_large[1].jpg](https://i.imgur.com/BLxHGVi.jpg "rapper_large[1].jpg")
>>43312607
DID SOMEONE SAY FLOPPY?
>>43312417
While this looks awful, I'd be inclined to say Heartbleed was worse, just because USB is much less common an attack vector than Ethernet.
I tried this and it locked my bootloader. I had to DBAN my HDD.
>>43312696
Why yes it is a much smaller risk in terms of the fact that it can't spread through the internet.
But, I would say the hidden and difficult to treat nature of this attack can make it a rather bad epidemic, especially if it is targeted on phones and flash drives.
People plug them things into anything and everything. I guess the best way to describe this is USB AIDS.
>no specific os mentioned
so this is windowbabbies only?
>>43312966
surely if it's an issue with the usb technobabble, it shouldn't be restricted to any OS?
This kills the dead drops
>>43313008
>implying osx will ever be affected by this
we both can stop pretending and agree that windows 7 will be the primary target
also thunderbolt
>>43313031
but they were already dead
>>43313074
well since os x lacks a proper USB stack, of course it won't work on it.
>>43312417
>Mouse, keyboard
Those things don't use to have writable memory, it's all ROM burned in the controller, like tamagochis.
Most programmable peripheral devices nowadays use ram instead of flash, so firmware updates and stuff like that get lost when the device is unplugged.
Additionally, the ones which are programmable and have flash memory (USB drives and SD cards, mostly) are far from standardized, with new, incompatible designs every year.
An attack based on them would have to target the most common devices, or be particularly targeted.
http://media.ccc.de/browse/congress/2013/30C3_-_5294_-_en_-_saal_1_-_201312291400_-_the_exploration_and_exploitation_of_an_sd_memory_card_-_bunnie_-_xobs.html
>>43313221
they why can I update the firmware of my G500s?
>>43313221
Almost all shit razer makes have upgradeable firmwares and you can save ricer-configs on them.
>>43313250
>don't use to
I was talking about your run of the mill office kb&mice, not ricer shit.
>>43313221
I do understand that if its a ROM then it can't be tampered with. But there are plenty of things that do have programmable controllers like razer devices.
I think the next USB standerd may have to require a TPM chip to make sure that the firmware hasn't been tampered with, along with a warning that informs the user that the device lacks protection, and will not allow the device to do anything until it is given user consent to run.
>>43312417
>>43313221
very true about the mouse and keyboard stuff, although small note: dram can still retain data when it loses power*
it's just not meant to do so and doesn't retain it for very long (I wonder how long it would hold data in liquid nitrogen)
>>43313525
The robots are leaving 4chan, moot killed /r9k/ yesterday. Not that anyone would have dated them anyway.
Coming soon: USB firewalls. Good luck clicking on "Accept" when the firewall blocks mouse and keyboard input. It's going to need its own separate display and simple 2-3 button keyboard for it that operates independently of the actual OS in the computer.
Until someone infects the firewall.
>>43313444
>Do you want to use this keyboard/mouse combo?
>Please click yes if you want to continue
>>43313444
those aren't rom, those are just ro-as-far-as-end user-and-os-is-concerned-m
just some type of flash memory, or eprom so that people can reflash if something is fucked
I think your idea has some merit though. Have some true rom in every usb device that has a sha512 sum of the device's firmware and have it just check it as soon as it's powered but have two transistors on the data pins to block all data transfer until it has hashed the current firmware and checked it against the rom
>>43313562
lel
but really you could have some kind of button on the usb controller or something for this purpose
>>43313674
sadly would make the new usb devices bulky as fuck though*
>>43312417
>hartblead
B8
>>43313562
Mice and keyboards are exempt from this, as the USB standard knows that these things only should be doing two things. sending ASCII instructions and pointer data.
If the device is trying to do anything other then that, then it is to be considered suspicious, and can be authorized with standard instruction input that is random.
###
Eg: Your USB device does not follow the USB security protocols and wants to preform actions that are not standard for this type of device.
If you know why this device needs to access non standard protocols and you trust it, please confirm by entering
Keyboard: A random string eg: (AS;]=)
Mouse : random set left and right clicks
If you do not wish to do this, then the device will still be able to preform Standard actions expected from this type of device.
###
>>43312417
Whar be the source code ?
>>43313900
standard mice and keyboards yes, but what about things like the logitech hub
So from a system standpoint, how do we fix this without rendering the last 10 years of tech worthless
I guess, we need open{hardware,firmware} usb
Apple is always right. You should have listened when they said Thunderbolt is superior.
>>43314105
apple was one of the first to go full usb back when usb was newer
>>43313948
>standard mice and keyboards yes, but what about things like the logitech hub
Well, then new devices like this will have to follow the USB security protocols if the manufacture knows it will be doing things that are non standerd.
for all past tech, the authorization will be required.
I will also like to point out that the next version of USB will change in physical design, allowing for multi directional connection.(Something that has been needed for a while) So with backwards compatibility out the window, it will be a good time to address all this in the next update.
>>43314105
>Apple is always right. You should have listened when they said Thunderbolt is superior.
As far as i know, thunderbolt has its own problems related to Firewire, especially since they both have direct access to memory.
Because DMA attacks are always fun
>>43312452
It works on anything that uses the USB standard.
>>43312966
No, it affects the firmware on the USB device itself. The host OS is fucking irrelevant.
You mean they modified an USB device that will modify other USB devices to perform the same modification?
It's nothing.
i guess i wont be pluggin random usb devices into my computer .
oh wait i don't think i have ever done that in my entire life .
>>43314288
the implications of this are that it could be used for mass spread of bad firmware which could do all sorts of nastiness
>USB
>Bandwitch: 1 bit
Top lel, why haven't we ditched this shit yet?
>>43313964
>reboot system
>process is ended
>auto SIGKILL similar processes
>disable plug & play
problem solved
>>43314306
No, it's like a riddle.
There is nothing on the USB device, so it can easily perform the same modification onto a similar device; nothing.
Hell, they can even do it wirelessly.
>>43314320
it's not a process, it's apparently written into the controller itself
>>43314305
The fact of the matter is you just need to plug your USB pendrive into an infected computer, and you will have the infection. the only way to know is if you know how to analyze the firmware and see if its infected.
And unless you have a backup and the know how on how to re flash it, your going to have to throw the device away.
>>43314229
But in order to do something it has to access the OS unless the USB protocol somehow gives direct access to all hardware. I mean, why would you want to infect an USB if all you can do is control other USB? In order to consider this dangerous it should be able to access networking devices to act as a hardware keylogger or something like that.
>>43312417
HEY GUYS I FOUND THE SOLUTION.
USB MAKES SHOULD PUT THE FIRMWARE IN ROM
WHO UPDATES USB FIRMWARE ANYWAY?
IM A FUCKING GENIOUS
>>43312452
>tfw Mac
SO GOOD OF A FEEL
>>43314416
tfw it's at least a solution, and a pretty secure one
Sky is falling everyone panic!
>>43314440
Blackhole rat
Nuton Virus
Java exploits, (thanks to apples stubbornness to have their own implementation that is far behind in updates to the platform.)
Macs are not immune.
>>43314440
The vulnerability is OS-agnostic, so your mac is just as fucked.
>>43314456
Indeed. And if they want to have updatability, a TPM chips.
>>43314338
Wrong. This isn't software you retards. You can't format the drive, disabling plug and play does nothing, there's no process to kill.
This is the equivalent of your motherboard's BIOS/UEFI being overwritten and infecting the rest of your machine. There's nothing you can do to it from the Host OS. This is the basic hardware level, you'd have to physically replace the infected hardware.
>>43314105
>>43314440
>tfw apple shills have to sport their ads in every thread ignoring relevancy to the context.
Apple's ThunderBolt bus is the answer
>>43312680
What would you replace them with?
>>43314563
You know what, just forget it. /g/ is full of tech illiterate people, they won't understand.
>>43314652
1. ThunderBolt is Intel, and is a requirement to be called an ultra book.
2. It's just PCI Express, DisplayPort and a DC power rail in one connector
3. >>43314195
>>43314803
But Apple have a design credit too.
>>43314714
sata and ps/2. that's what i use for storage and mouse+keyboard
>>43314837
It was based on Apple's Mini DisplayPort, Witch is exactly the same as DisplayPort, just smaller and with no locking connection to allow for easy ejection if yanked.
Apple registered thunderbolt TM, But it was sole property of Intel, witch then lead to it being fully transitioned to being Intel IP
>>43314929
yeah cause ps/2 is so much better then USB for keyboards
>>43315005
It is. It isn't as convenient but it is far superior for input peripherals.
>>43315005
when you use a USB keyboard your computer is actually using CPU time polling your keyboard. the higher the polling rate the more CPU time is used to perform the polling. and because of the built-in debounce rate found on any quality keyboard, any polling rate above 200Hz is simply a waste of CPU time and really just a result of pointless marketing hype. unlike shitty USB keyboards a PS/2 keyboard isn’t polled at all. The keyboard simply sends a signal to the computer as key presses are made, which causes a hardware interrupt, forcing the CPU to register the signal.
>>43315072
This is why i love /g/, You learn something new every day.
>>43315299
>learning this
>>43315072
Well you're gonna have to look pretty hard if you want a new computer with a PS/2 port on it.
Goodluckwiththat
>>43315340
My motherboard has 2 PS/2 slots. A lot do.
>>43315340
Most motherboards today that aren't in tiny form factors have unified PS/2 ports.
>>43315072
implying you can't set your polling rate.
>giving up ultra compatibility for 0.000000000001s of CPU time
>>43313535
It can retain data for up to several minutes, however it doesn't retain all the data for that long. As soon as power is cut bits of it immediately start disappearing and it gradually fades away
>>43315437
>compatibility
>pretty much all the motherboards have ps/2 slots
>legacy support
So why are there no alternatives to USB besides some shitty propietary thing only available to Apple users?
I mean if it's sooo bad, why didn't they come up with something better?
>>43315571
There's like several other standards that do similar things as USB it's just that none of them cover all the things USB does.
Anything can be theoretically be hacked it's not an issue that affects USB specifically. People just have to learn not to be retarded with their computers and stop plugging in random devices they found on the street.
this thread is so full of retarded comments holy shit
>>43315005
Interrupt-based >>>>>>>>>>>> polling-based.
>>43315748
This is true, But you have to remember the golden rule. If someone has physical access, then its game over. Everything else we can strive to make perfect.
Since USB is a type of networking interface (It allows one computer to communicate with another), then it is something we can make secure, if the attacker isn't there to provide the user intervention.
>>43315571
USB is a jack of all trades and a master of none. Except for mice, there's better things for pretty much every function of USB.
For storage, IEEE 1394, eSATA, fibre channel, etc. are superior. For keyboards, PS/2 is superior. For networking, Ethernet and PCIe are superior. For video (does anyone do this?), displayport is superior.
>>43314759
I- I understand y-you.,.. :#
>>43313948
The Logitech USB hub sends standard keyboard/mouse signals to your computer. I don't give a fuck what the device does outside from that.
>no source on how this actually works
>only link is a shitty wired article that doesn't explain anything or give any details
>>>/trash/
>>43314599
You are free to turn your back on reality, but sooner or later it will hit you right in the back of your head.
How are they exploiting the firmware?
I thought the main security vulnerability in USB was spoofing the identity of your device to use old as fuck drivers.
>>43312417
Should we switch to SD cards for storage?
I guess now would be a good time to extra PCI based SD card slots
>>43316375
It says on the article that they will show how it works at BlackHat this year.
>>43315489
>compatibility
he mean the fact almost EVERY external had usb support you person you
that and it is a standard now, unlike ps/2
USB Spreading is nothing new but the firmware
aspect is a bit concerning. Urgh.
>>43314440
>let a friend use my macbook for homework
>gives it back to me with fake antivirus malware
>literally unremovable
>ended up reinstalling
>>43317223
Reinstalling on a mac is damn near painless.
>also, letting your friend use your laptop
>not even with supervision
lel
>>43313550
>moot killed /r9k/ yesterday. Not that anyone would have dated them anyway.
I disable all my I/O ports in the BIOS when I take my netbook outside of the house
Am I still vulnerable? I'm thinking probably
Time to invest in some of these just for a little extra safety. Though, as always, if someone steals your device, consider it fucked. Do not boot it. Take the storage out and check for modifications via a single purposed airgapped computer running hardened/minimal GNU/Linux before copying your files to a new disk. Even FDE only decreases the likelihood of tampered files.
>>43317936
These.
Run up to my laptop and stick a malicious device in now, fuckers.
>>43317817
Yeah, but that's not the point. The point is that Macs can get viruses, and shitty ones at that.
>>43317958
>pull plug out
>plug device in
>>43317958
you ave´ me a giggle m8
>>43317817
>Reinstalling on a mac is damn near painless.
Dam near painless on windows too bro.
>>43312417
>inb4 every new commercial USB device next year will run signed or read-only firmware
It's about damn time.
>>43312417
http://arstechnica.com/security/2014/07/this-thumbdrive-hacks-computers-badusb-exploit-makes-devices-turn-evil/
Windows only
>>43318224
Any OS is if the user is stupid in enough to install trojans
>>43318848
Obviously, but it's the stupid users who always say "x OS can't get viruses/hacked!"
>>43312417
>USB controller firmware
That's not USB's problem, that's the problem with Microshit's equally shit firmware/driver programmers.
>this big security flaw in the USB standard
Fucking skiddie OP doesn't even know what he's talking about.
>>43318576
did you actually read the article?
>"Programming a brand-name USB stick to surreptitiously inject a payload into a legitimate Ubuntu installation file."
This is done in the USB stick itself when it sees Ubuntu files)
>"Transforming a brand-name USB stick into a network card. Once active, the network card causes the computer to use a domain name system server that causes computers to connect to malicious sites impersonating legitimate destinations."
Platform agnostic
>>43319044
>"The other weakness that makes BadUSB attacks possible is the lack of cryptographic signing requirements when replacing device firmware. The vast majority of USB devices will accept any firmware update they're offered."
This is known as a problem with the standard, so yes. its USB's problem.
>>43319270
>"Programming a brand-name USB stick to surreptitiously inject a payload into a legitimate Ubuntu installation file."
That has nothing to do with USB. The malicious compiler attack/trust chains are some of the oldest security topics in the book. Verify your shit against trusted sources.
>"Transforming a brand-name USB stick into a network card. Once active, the network card causes the computer to use a domain name system server that causes computers to connect to malicious sites impersonating legitimate destinations."
You'd have to configure Linux to use the DNS server. I don't know about Windows, but Linux doesn't automatically connect to some random DNS server that pops up.
>"The other weakness that makes BadUSB attacks possible is the lack of cryptographic signing requirements when replacing device firmware. The vast majority of USB devices will accept any firmware update they're offered."
No, that's not a standard problem, that's an industry problem, and shitty security isn't breaking news in proprietary software/hardware.
>>43314929
Until eSATA is powered it's not going to be able to replace USB.
>>43312607
can't hear you over the sound of your NYB
>>43319736
What about eSATAp?
>>43318987
self replicating malware!=trojan
>>43314105
thunderbolt uses DMA, the computing equivelant of dipping your unprotected cock directly into the biohazard waste box behind the AIDS clinic
About 2 years ago when someone blogged about his free uni thumbdrive automatically opening up Safari and going to his major's homepage, I did research on what USB can and can't do.
While the shenanigans about to be reported are accurate (spoofing network card, emulating keyboard and sending canned keypress sequences), USB doesn't have DMA in its standard the way FireWire and Thunderbolt do.
Anything they're about to announce is going to involve spoofing human interface devices like keyboards and mice, because USB doesn't have the ability to access your computer's memory. It's a serial bus.
Now if its canned keystrokes run system applications or malware stored on the drive itself, ok but that's an old exploit dating back years, not news.
>>43314714
Nothing, platform independent hardware standards are a cancer. We should all write our own firmware and squabble over Usenet about how our devices should work.
I bet you use noobuntu faget
>>43312417
This isn't at all limited to USB, once you have root on a machine, you can flash the firmware of just about anything.
It's not heavily in use because for the most part it's a lame way of spreading malware compared to, say, a browser exploit.
>>43317103
>Should we switch to SD cards for storage?
http://www.youtube.com/watch?v=CPEzLNh5YIo
http://www.osronline.com/showthread.cfm?link=243802#T9
http://www.osronline.com/showthread.cfm?link=243802#T14
USB != backplane bus (direct access to hardware resources: FW, TB, PCI, etc)
USB == protocol based bus (completely managed by requests and messaging: USB, serial port, etc)
The device *could* spoof the IDs of a device whose drivers have a zero-day exploit, and then craft packets which exploit it, but I'm real interested to know how this thing's going to infect a PC without "cheating" by imitating a keyboard.
>>43320411
If its an infected key board, It can run command prompt as admin (WinKey,"cmd", Ctrl+Shift+Enter) and get around UAC (leftkey, Enter) and type commands to download software and run it. It could do all this after being idle for 4 hours (Longer then any normal idle time, so you must be away or asleep).
>>43320696
yeah, i was just hoping for something sexier than infecting/emulating keyboards
>>43320766
>yeah, i was just hoping for something sexier than infecting/emulating keyboards
An emulated keyboard has access to all.
>>43320839
>An emulated keyboard has access to all.
Sure, but there's nothing new about this attack vector.
>>43312417
This technique is old as world. Nothing new, just media catching up and making a sensation out of it.
If you connect untrusted devices to your hardware, you're fucked anyway.
>>43312520
I got it too, therefore read it correctly
>>43319871
You think DMA is its largest problem? We have IOMMUs now that prevent this kind of attack. However there way well be nothing stopping you from using your physical access to the motherfucking PCIe bus and by extension, every peripheral connected to the motherboard, to flash the firmware of the DVD drive with a persistent virus, use the NIC as your personal CPU, overwrite the EFI, etc.
>>43312417
Just use a USB only on your computer and not on other computers. Simple. And anyway, USB engineers are working on it.
Control your autism.
>>43321124
Damn anon, u scary
>>43314563
Could I flash my BIOS to fix this? Asus's USB flashback... Oh. This may still be an issue know that I think about it.
>>43317171
PS/2 is used to plug your laptop keyboard and touchpad into your laptop's motherboard.
You don't see it, but that's the interface that it's using.
>>43323055
oh so thats why they show up in my USB device tree
>USB is an unreliable connector for sharing data or alike
NO SHIT, ANON!
come on, using usb connectors is like having sex without a condom. we use it because is convenient not because is safe
>>43312902
>USB AIDS
fuck you i almost choked on my chocolate milk
>>43315340
Brand new Z87-A mobo from last summer.. has PS/2 port mate.
>>43314403
>USB protocol somehow gives direct access to all hardware.
You don't know what the infection does, regardless you shouldn't blindly trust that the os knows how to protect itself from usb vectors.
>>43323761
Not who you were talking to, but does that imply you found it funny or gross?
>>43315340
My fucking 2014 made mini-ITX motherboard has a PS/2 port, dickhead.
>>43323859
The design is that the OS doesn't have to protect itself because it's an abstract communication protocol, not a direct hardware addressing connection.
It can lie about what it is which means it can either emulate a keyboard sending commands to control the computer and run software on it but if you're not running as admin then it has to work to gain elevated privileges.
It could pretend to be something that needs a driver installed which is either faulty or containing a payload.
It could pretend to be a wired network card which takes precedence over wireless and redirect DNS such that the user doesn't know they're not going to the real microsoft.com for updates.
It could do all of these because a single USB device can enumerate itself as multiple devices.
But until the presentation it's speculation.
I'm skeptical. It sounds more sensational than anything real.
>“It can do whatever you can do with a keyboard, which is basically everything a computer does,” says Nohl.
Is this just saying that they change the firmware so it pretends like a keyboard, the enters pre-determined keys? If that's all they got, it sounds like a shitty virus
>>43323964
While that's theoretically possible, how does it run undetectable processes? Does the USB device have its own processor and run processes there or does it get the computer to run the process?
>>43324051
>Does the USB device have its own processor and run processes there or does it get the computer to run the process
https://hakshop.myshopify.com/products/usb-rubber-ducky-deluxe
Welcome to several years ago.
>>43312637
>mfw there's rootkits in your bios and the NSA knows you're storing CP on your NAS.
>>43312417
I told you faggots to stick to discs but you didn't believe me
>>43318311
you seriously going to trust that on a compromised machine?
>>43320696
>get around UAC
this is why if you're a winpleb, you make an account without administrative privileges and thus have to enter a password to get past the UAC prompt.
c'mon m8's this is winshitty security 101.
>>43312417
>>43312417
It's been done before, but this one seems to be more potent.
Detailed tutorial?
>>43312417
holly shit dude, now I'm even more hyped to learn the USB standard. Thanks!
>>43312452
>thinking linux is immune to attack
i've got news for you
does this mean we all go back to PS/2 ports now?
>>43312417
Man this is just like that airgapped bios virus!
>>43323995
Yeah, it presses windows key, selects RUN, and types in the command it wants to.
nothing new.
>>43312417
>implying I put any USB plug in my pc.
>implying I don't put USB storage device through a read only scanner that can copy files to another storage then put it in my pc.
>implying my scanner firmware can be affected by this.
>implying NSA is not already in our devices.
>implying /g/ actually cares.
>>43315340
What? I bought an MATX Z97 two weeks ago, and it has PS/2.
>>43324669
they probably arent going to release more details until they present at Black Hat
>>43314540
>Hurr super hackers are going to create a super virus that werks on all computers
Seriously?
>>43328164
That's the information that we have.
Personally, I'm going to wait until the details come out before panicking, but "super hackers are going to create a super virus" is all that has been reported.
>>43328199
Sounds like another bullshit article that will lead to nowhere.
And if it DOES exist, it will only be on windows. The amount of time creating malware for osx in a separate language (objective-c) where the userbase is very small is a lot of effort.
>coming soon thunder port USB hub for windows.
>no more USB AIDS.
>and it's only for 99.99 $
>>43318277
Not if I used supper glue
>>43328325
>Supper glue
>Supper
Didn't your parents teach you not to eat glue?
>>43328351
Hmm …mmmfh.
Mai mouse is shtuk, wats wroonk wiz eating kluo.
>>43320095
That's pretty cool.
>>43312605
Can be prevented with proper isolation.
Something like Open/FreeBSD probably isn't affected once again.
Found my ps2 adpter.
KB is safe now.
>>43328164
>Hurr super hackers are going to create a super virus that werks on all computers
At minimum they can make individual "exploit-devices" for each major OS, including OS X. Only market share can really "protect" OS X here, if anything.
Am I wrong, or is the magnitude of this not being realized?
From what I have read, every single USB device that has an unlocked controller is compromised. Malicious software (a virus) installed on a computer (regardless of OS) can rewrite the controller firmware to make the device act as it normally does as well as turn it into something else.
So, for example, your printer (which, for all intents and purposes, is always attached to your computer) will still print and scan, but it's also gathering all your personal information and sending it off to someone over the internet. Or it's acting as a keyboard and installing more viruses. Or redirecting you to malicious websites that look legitimate, like bank sites.
