Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
BadUSB - BlackHat 2014 - That's serious shit!
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
CarstenIQ
n00b
n00b


Joined: 04 Jan 2007
Posts: 44
Location: Germany

PostPosted: Thu Feb 19, 2015 2:11 pm    Post subject: BadUSB - BlackHat 2014 - That's serious shit! Reply with quote

Hi

I was researching about USB Flash Driver Controller for a project and never I thought that security would be much of an issue.
We all use some form of protection and especially in Linux/Unix but this is serious shit!
I recommend that you all take a look at this presentation given by Turn Evil by Karsten Nohl about USB devices.

BadUSB - On Accessories that Turn Evil by Karsten Nohl + Jakob Lell
http://youtu.be/nuruzFqMgIw
_________________
Gentoo Linux Rocks...!!!
Back to top
View user's profile Send private message
ManDay
Apprentice
Apprentice


Joined: 22 Jan 2008
Posts: 227

PostPosted: Thu Feb 19, 2015 4:43 pm    Post subject: Reply with quote

*disabling all CONFIG_USB*

8O

I think it's not as difficult to narrow down the list of potential risks. Keyboards are at the top, but I think they are the only risk that's really inherent to USB. For the rest, you should just generally assume that when you plug in an USB device, it could actually be any device and therefore configure computer so to not Up arbtirary network devices, etc.

Sure, this does not downplay the danger in this, since only computer experts can then protect themselves. I'm just pointing out that the keyboard seems to be ultimate danger (esp. with the BIOS) that can only very difficulty be protected from while the other risks seem, managable, at least?
Back to top
View user's profile Send private message
khayyam
Watchman
Watchman


Joined: 07 Jun 2012
Posts: 6228
Location: Room 101

PostPosted: Thu Feb 19, 2015 5:10 pm    Post subject: Reply with quote

ManDay wrote:
*disabling all CONFIG_USB*

ManDay ... you should just disable booting as its far safer ;)

Besides usb, there is disk firmware and many other possible vectors for such intrusion, including uefi (pdf and youtube). Currently it's possible to bypass secure boot (pdf) and I'm sure there are no end of other viable ways around any security feature in the kernel or userland ... if you have access to source code of the firmware included in all hardware.

best ... khay
Back to top
View user's profile Send private message
ManDay
Apprentice
Apprentice


Joined: 22 Jan 2008
Posts: 227

PostPosted: Thu Feb 19, 2015 5:23 pm    Post subject: Reply with quote

khayyam wrote:
ManDay wrote:
*disabling all CONFIG_USB*

ManDay ... you should just disable booting as its far safer ;)

Besides usb, there is disk firmware and many other possible vectors for such intrusion, including uefi (pdf and youtube). Currently it's possible to bypass secure boot (pdf) and I'm sure there are no end of other viable ways around any security feature in the kernel or userland ... if you have access to source code of the firmware included in all hardware.

best ... khay


Hey khay, firmware viruses do not unsettle me. When they happen (like UEFI), they happen (and then they may be hard to impossible to get rid of). It's more dangerous with USB because, as the speaker pointed out, with USB it's not only a malicious firmware, but that firmware is automatically entitled to be your keyboard or, sometimes, network adapter.

When an arbtirary non USB device is infected (say, there is an infected SATA controller) and I plug it in, it will not have an immediate effect - only when I begin to trust the device's function, I may suffer the consequences.
When an USB device is infected, however, that will have an immediate effect because it will become a keyboard.

So though USB is not the only device class which can be firmware infected, it is one of the worst, because being connected alone causes the harm, not only operating it assumes trust.

(I believe UEFI infection may be similarly severe, since here, too, the code is executed upon connection and not only on explicit request)

And yes, the talk surprised me. I thought people as clever as to make USB thumbdrives firmware read-only because of the very risks pointed out (I never thought of the keyboard issue for general devices, though). And I'm indeed surprised that it took those two to point out the idiocy of it not being so. Had no one of the manufacturers the brains to foresee that danger? I, for one, have never witnessed a firmware-update on a thumb-drive.
Back to top
View user's profile Send private message
khayyam
Watchman
Watchman


Joined: 07 Jun 2012
Posts: 6228
Location: Room 101

PostPosted: Thu Feb 19, 2015 5:53 pm    Post subject: Reply with quote

ManDay wrote:
Hey khay, firmware viruses do not unsettle me. When they happen (like UEFI), they happen (and then they may be hard to impossible to get rid of). It's more dangerous with USB because, as the speaker pointed out, with USB it's not only a malicious firmware, but that firmware is automatically entitled to be your keyboard or, sometimes, network adapter.

hey MD ... did you read the link I provided, because with the disk (or other) firmware the question of a 'keyboard' doesn't particularly matter as 'eavesdroping' can supply control of the machine (login and such) or any of the data (keys, etc). OK, not everyone has access to such firmware, but I'm more inclined to see an issue here than worry about any USB devices I might connect.

best ... khay
Back to top
View user's profile Send private message
ManDay
Apprentice
Apprentice


Joined: 22 Jan 2008
Posts: 227

PostPosted: Thu Feb 19, 2015 7:17 pm    Post subject: Reply with quote

khayyam wrote:
ManDay wrote:
Hey khay, firmware viruses do not unsettle me. When they happen (like UEFI), they happen (and then they may be hard to impossible to get rid of). It's more dangerous with USB because, as the speaker pointed out, with USB it's not only a malicious firmware, but that firmware is automatically entitled to be your keyboard or, sometimes, network adapter.

hey MD ... did you read the link I provided, because with the disk (or other) firmware the question of a 'keyboard' doesn't particularly matter as 'eavesdroping' can supply control of the machine (login and such) or any of the data (keys, etc). OK, not everyone has access to such firmware, but I'm more inclined to see an issue here than worry about any USB devices I might connect.

best ... khay


Which link in particular are you referring to? I'm not entirely sure you understand my point. The USB device is, contrary to any infected firmware which does not affect the computer unless used a vector when it just connects to the computer (and yes, I'm not saying it's the only of those, but it's a class above compromised HDD controllers et al).
Back to top
View user's profile Send private message
khayyam
Watchman
Watchman


Joined: 07 Jun 2012
Posts: 6228
Location: Room 101

PostPosted: Thu Feb 19, 2015 9:01 pm    Post subject: Reply with quote

ManDay wrote:
khayyam wrote:
hey MD ... did you read the link I provided [...]

Which link in particular are you referring to? I'm not entirely sure you understand my point. The USB device is, contrary to any infected firmware which does not affect the computer unless used a vector when it just connects to the computer (and yes, I'm not saying it's the only of those, but it's a class above compromised HDD controllers et al).

ManDay ... this one. Not sure I'm understanding it either, at least from the description above. I think you mean that regardless of infection a usb device is a vector (by the nature of the firmware) ... right?. Well, yes I see that, but in the above article they suggest that the method that firmware is acquired is via the relationship (contracts, etc) between the spooks and the manufacturer ... my point being that we simply don't know what any of the firmware does, and under such circumstances who knows the nature of the relationship and co-operation involved. So, in short, any of this firmware is suspect. The positive thing about the usb vector it that you do know, and so can take action of some kind.

best ... khay
Back to top
View user's profile Send private message
CarstenIQ
n00b
n00b


Joined: 04 Jan 2007
Posts: 44
Location: Germany

PostPosted: Sun Feb 22, 2015 5:13 pm    Post subject: Reply with quote

Yes, firmware is a big issue since it is closed sourced and you never see what's going on on devises. It's a seamless process and there is no tool or mechanism to validate the firmware of its correctness and correct purpose. The main problem seams to be the update features of devices which permit firmware updates. There seams to be no mechanisms of preventing updates if not desired. It's just required to know how its being done by the manufacturer. Since most devices which have firmware, are nothing more than a Micro-controller, based mostly on the same principles and architecture (8051), it facilitates the injection of malicious code. It also provides a good foundation to spread fast and is platform independent. That's some serious nasty shit.
_________________
Gentoo Linux Rocks...!!!
Back to top
View user's profile Send private message
queen
Veteran
Veteran


Joined: 19 Jul 2005
Posts: 1612

PostPosted: Wed Feb 25, 2015 8:34 am    Post subject: Reply with quote

more technical details can be found here:
http://arstechnica.com/security/2015/02/how-omnipotent-hackers-tied-to-the-nsa-hid-for-14-years-and-were-found-at-last/
Back to top
View user's profile Send private message
Navar
Guru
Guru


Joined: 20 Aug 2012
Posts: 353

PostPosted: Thu Feb 26, 2015 1:59 am    Post subject: Reply with quote

Impressive. I had not looked at this for awhile, too depressing (and yet fascinating) at times.
arstechnica.com wrote:
The stashing of malicious files in multiple branches of an infected computer's registry. By encrypting all malicious files and storing them in multiple branches of a computer's Windows registry, the infection was impossible to detect using antivirus software.

That ends a longstanding question concern I've had for over a decade. It was already there due to DRM.

While the USB issue is a concern, the overall bigger one is powerful interdiction ability in general. In other words, nothing is safe if you're targeted. I haven't looked into what outfits like UPS/FedEx had to say regarding this. It's hard to imagine being done on a large scale though.
Back to top
View user's profile Send private message
CarstenIQ
n00b
n00b


Joined: 04 Jan 2007
Posts: 44
Location: Germany

PostPosted: Thu Feb 26, 2015 9:05 pm    Post subject: Reply with quote

As it looks like it is already being exploited quite efficiently :(

The Biggest NSA "Backdoor Exploit" Ever
http://youtu.be/L8eO5BYHop8?t=5m36s
_________________
Gentoo Linux Rocks...!!!
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum