Security Researchers Discover Fundamental Security Flaw in USB, No Fix in Sight

28

Comments

+ Add a Comment
avatar

Leo Scott

Another NSA planted hole discovered. It just doesn't stop.

avatar

John Pombrio

Think about how many things in a modern computer that is always online gets updated automatically. Firefox, Chrome, Windows, Flash (gulp!), NVidia and AMD drivers, and many others. If one of these get compromised, we are all royally screwed. Even the BIOS sites could be spoofed and we would bake in a permanent infection. Compared to this, who cares about USB? I am not going to lose sleep over it.

avatar

John Pombrio

About the only USB device that I could imagine plugging into another computer is a thumb drive and we all know about the dangers of that. The only good use for a cloud backup for me is to avoid thumb drives and for another means to back up critical files like photos. Of course, I don't travel much any more so everything is at my fingertips.

avatar

NavarWynn

Dammit! Now I'm going to have to use CDRWs and floppy disks to transfer files to and from my ultra secure XP/SP2 isolated system (the one locked in a Faraday cage in the basement of my island lair!)... luckily I've got a Model-M keyboard hooked up to that sucker (not one of them sneaky USB ones!)

The fix seems pretty obvious to me. Simply have the interface be non-programmable (ie. ROM). For most peripherals that'd work fine. Obviously some hardware peripherals need to be able to have their FW updated, but simply having a hardcoded PW requirement to update the FW along w/ a unique sequence printed on the device (the PW) would render this threat pretty impotent.

avatar

maxeeemum

OOOOHHHHHHHHHHHHHH! NNNNNNOOOOOOOOOOOOOOO!

WE'RE ALL DOOMED!!!!!!!!!!

avatar

Volleynova

This is actually pretty scary considering nearly every computer in the world is using USB devices. My goodness.

avatar

fellowleo

Look at everything you have that has a USB plug on it. I bet you'll find the "Made in China" label on it. Think of the possibilities!

avatar

The Mac

I hate to be captain obvious, but you have to be physically at the computer to plug in a USB device.

Anyone can infect your machine with malware if they have physical access to it.

avatar

Bullwinkle J Moose

Anyone can flash your firmware with malware if they have Internet access to it.

New Zero day vulnerabilities are not even required when they are built in at the factory and your antivirus/antimalware never see's it

avatar

The Mac

I was referring specifically to this USB issue wich requires a physical device.

Lets not bring your usual tinfoil hat conspiracies into it.

Youll have plenty of time for that on other articles.

avatar

Leo Scott

You mean tin-foil hat conspiracies like the NSA modifying hardware before it is shipped to plant spy-ware on it? Gee, that could never happen.

avatar

The Mac

Clearly you havent read a lot of the Moose's posts...

avatar

Hey.That_Dude

He doesn't need the hat on for this one. There are already numerous confirmed reports of some of the USB peripherals shipping from China with hackware already installed. Right on your USB thumb drive, USB light, USB refrigerator, etc. THIS IS OLD NEWS, from at least a year or two ago.

By the way, they're not really aiming for you in particular, but they're more than happy to infect you. They're really gunning for government workers with nice sensitive information to steal.

avatar

Bullwinkle J Moose

I covered this topic several years ago when the Feds were destroying my hardware over the Internet (Both Wi-Fi Adapters at exactly the same instant) as soon as I tried posting what they were doing to me with other malware like Beta testing Stuxnet in the US beginning around 2007

My posts are still online but not in the US where they were repeatedly pulled

My favorite Wallpapers are screencaps of US Security Forums banning me for posting the truth about these topics

I still have the original "Unedited" videos of the KillSwitch that I "accidently" found in my Intel Motherboard

The press are now hyping it as a Chinese Plot to kill our machines, yet the videos clearly show that the switch I found only prevents certain machines from booting to Linux and XP or installing Linux or XP

Windows Spyware Platforms 7 and 8 still install just fine on this same computer though

Funny how those evil Chinese hackers would prevent us from installing a supposedly insecure OS but allow us to install a Government Sponsored Spyware Platform like 7 and 8 huh?

I have posts at other sites asking for a real investigation with the evidence I have and how to duplicate the activation of this one specific type of kill switch (I'm sure there are other types) but nobody wants to investigate

Isn't that odd?

...and NO, the killswitch was NOT restricted to UEFI motherboards!

It also displayed the same error messages even after the BIOS was wiped and reset to factory default after sitting for a month without the CMOS battery with RAM and CPU removed

The error is displayed by simply trying to boot to a VALID XP or Linux CD
Even when there was NO harddrive attached!

and NONE of these tech sites want to investigate....
Isn't that odd?

avatar

Bullwinkle J Moose

ERROR

It was FLAME that I found being tested in the United States around 2007

I accidentally called it Stuxnet in the above post

Wow, the propaganda shills are working overtime on this post aren't they?

The major Tech sites and Government refuse to investigate publicly, yet all the anonymous nobodies are demanding proof that they won't recognize even if I waste my time giving it to them

I expected that as well

avatar

NavarWynn

ROFLMAO! Bullwinkle, your posts are ALWAYS good for a helluva laugh!

Those cursed sites which pulled your thoroughly researched and vetted posts of PROOF of faulty security ought to be ripped off the internet!

Please post links to them, or at least links to the screenshots including the site names verifying this heinous activity (because screenshots are PROOF!), so that we can DEMAND a congressional investigation to seize the domains!

If Stephen Colbert was more into tech than mainstream politics, I think he'd gladly have you on!

avatar

acidic

But but but... I thought you had an unbreakable, impenetrable, uber leet micro, locked down XP SP2 with no updates or antivirus ? Kinda weird how the "feds" picked you out of everyone online isn't it ? I'm sure they wanted all your "important" files. It is ashamed that you single handily didn't prevent this whole NSA debacle too. Goddamn moron

avatar

Bullwinkle J Moose

I never said I don't use an antivirus and the Feds hit me "AS" they were developing new malware which I had not yet found a way to block

Goddamn Moron

But yes, My locked down XP is far more secure against Government intrusions than your Government sponsored Spyware Platform designed from the ground up to prevent "you" the end user from securing your box from Government intrusions

avatar

Sir Hobbes3

If you are so afraid of the Feds screwing up your computer over the internet, why are you here? And two, we cannot actually confirm what you are saying is true, you really just seem like another one of these paranoid nut bags who thinks the CIA is going to show up and kidnap you if you try and say "the truth"

avatar

Cleaver

Even if everything you said is 100% true, you are still too paranoid to make us believe it.

avatar

Bullwinkle J Moose

But if everything I said is 100% true, it's not paranoia

If you people are afraid of an open honest investigation where the whole world can see the evidence, who's paranoid now?

You "choose" not to believe it

Your response sounds like Paranoid Propaganda from the control freaks behind the curtain afraid of getting caught

Isn't that odd?

avatar

Whudunit

What do you mean, You people?

avatar

The Mac

The old saw "Ignorance is bliss" seems to apply here.

If what you say is true, and we all accept it, we all becomes paranoid delusionals just like yourself.

Personally, id prefer not to turn 50 and be sitting in a bomb shelter somewhere in the mid-west petting a chicken and waiting for the NSA to show up to confiscate my birthday.

avatar

fung0

Just because people are following you doesn't mean you're not paranoid...

avatar

LatiosXT

Glaring flaws in your arguments

1. You don't provide links or places where we can "confirm" your words. If a place like Wikileaks can somehow obtain and maintain data that are "severe breaches of security", I'm sure you can find some such website that will host what you're talking about.

2. You ramble about internet security and yet you're on the internet.

3. You're in a place with a severely limited audience because I guess you have no one else to ramble to.

avatar

The Mac

on #3, i think perhaps we are just more tolerant.

avatar

LatiosXT

Make the firmware ROM, like a literally baked in ROM. Not flash, not EEPROM. When was the last time you've heard anyone or anything need to update their USB controller firmware?

However, to its credit, USB was invented in the early 90s when software engineers were trusted to do no evil.

avatar

wkwilley2

Heh....you're absolutely right though. ROM would solve all these issues. But if you ever wanted to do a firmware upgrade, you'd be screwed.

I don't think I would miss it though, it's probably been 5+ years since I've done a firmware upgrade OTW.