The perils of USB

USB has been great.  Connect anything to your system, it’s usually auto recognized, so it fits that useful category of “stuff that just works.”

Now Wired has pointed out that from a security standpoint, USB has some serious, fundamental flaws. In other words, you may be completely and utterly screwed.

It’s not just malware may be lurking on USB memory devices, perhaps even installed at the factory.  A couple of clever lads have figured out how to reprogram the flash that controls just about any USB device.   Which is pretty much like giving them the keys to the Kingdom.  Here are some of the scary highlights from the article.

“Because BadUSB resides not in the flash memory storage of USB devices, but in the firmware that controls their basic functions, the attack code can remain hidden long after the contents of the device’s memory would appear to the average user to be deleted.”

I’m waiting for the standalone device that reads and reflashes USB firmware to hit the IT market at an obscene profit margin.

Wait! It gets worse.

The problem isn’t limited to thumb drives. All manner of USB devices from keyboards and mice to smartphones have firmware that can be reprogrammed—in addition to USB memory sticks, Nohl and Lell say they’ve also tested their attack on an Android handset plugged into a PC. And once a BadUSB-infected device is connected to a computer, Nohl and Lell describe a grab bag of evil tricks it can play. It can, for example, replace software being installed with with a corrupted or backdoored version. It can even impersonate a USB keyboard to suddenly start typing commands. “It can do whatever you can do with a keyboard, which is basically everything a computer does,” says Nohl.

The malware can silently hijack internet traffic too, changing a computer’s DNS settings to siphon traffic to any servers it pleases. Or if the code is planted on a phone or another device with an internet connection, it can act as a man-in-the-middle, secretly spying on communications as it relays them from the victim’s machine.

So the new mantra is don’t let your keys or any USB device out of your sight.



This is scary

Japan’s Daily Yomiuri Online has a very chilling story about Communist China concerning technology imported their country.

The Chinese government plans to introduce a new system requiring foreign firms to disclose secret information about digital household appliances and other products starting from May, sources said Thursday.

If a company refuses to disclose such information, the Chinese government plans to ban the firm from exporting the product to the Chinese market, as well as bar production and sales in the country, according to the sources.

Critics worry that such a system risks seeing the intellectual property of foreign firms passed onto their Chinese competitors.

In addition, the envisaged system poses security concerns if coding technology used in digital devices developed in other countries is leaked to China, they added.

There already is a serious problem with Communist China complete disregard for IP rights.  Giving them access to the source code of every IC based device that is imported to their country is only going to make that worse.

HT to Doug Ross