Why the Security of USB Is Fundamentally Broken

  • To the skeptics here -- the problem is that malware can turn one kind of USB device into another kind of USB device, and that creates a massive attack surface given the scope of USB.

    Check out all the things that a USB device can claim to be.[1] You don't just need your OS to be secure against a malicious storage device; you need it to be secure against a malicious keyboard and mouse, speaker/microphone/sound card, printer/scanner, CNC machine, webcam, ethernet or wifi adapter, bluetooth adapter, infrared adapter, RNDIS adapter (whatever the heck that is, but it's supported by BSD as well as Windows), an ActiveSync device, a smart card reader, a fingerprint reader ...

    As I understand it (and I wouldn't mind being wrong), a hostile USB stick could claim to be a hub running all of these at once, and orchestrate them in an attack. Consumer-oriented OSes will happily load up standard drivers to talk to most of them in an attempt to be user-friendly, each with their own hooks into the OS. And the hostile device can detect what OS and probably specific hardware it's talking to,[2] so it can target an attack at the drivers that are likely to exist.

    If that's true, I don't see how anyone could be confident that such a stack could ever be secured on the OS side. A secure bulk storage driver is one thing, but your laptop has to be secure against a hostile keyboard working with a hostile CNC machine, sound card, and ethernet device?

    At a minimum it seems like devices should be locked at the hardware level to the kind of device that they are. Code signing makes a lot of sense too, although it's sad to lose the (hypothetical?) ability to install alternative drivers.

    [1] http://en.wikipedia.org/wiki/USB#Device_classes
    [2] http://ix.cs.uoregon.edu/~butler/pubs/sadfe11.pdf

  • Seems the problem is basically one of "physical access to the machine is hard to secure against." Combining with "multi purpose computing device attached to your computer is dangerous."

    Would it not be simple to offer up "non generic" USB port support? That is, the problem is that plugging a USB device could be plugging in a variety of things, which makes it tough. You have to assume that every stack on your machine is hardened against attack.

    Instead, make it so that a user can designate that a port can only be used by mass storage devices or keyboards. A basic UI could be devised showing all of the ports and what is expected to be plugged in to them. If something different is actually plugged in, it is not allowed to connect.

    Does that make sense? Does something like this already exist?

  • “These problems can’t be patched,” says Nohl, who will join Lell in presenting the research at the Black Hat security conference in Las Vegas. “We’re exploiting the very way that USB is designed.”

    ‘In this new way of thinking, you have to consider a USB infected and throw it away as soon as it touches a non-trusted computer.’

    So now we need a USB abstinence campaign?

    When you have a USB with someone, you are having a USB with everyone they had a USB with for the last ten years, and everyone they and their partners have had a USB with for the last ten years.

    Also, we're just calling it a USB now? Not a USB thumbdrive, USB hard drive, or whatever? This article sounds like it was written by my mom.

  • Seems to be lacking in technical detail.

    I suppose the fundamental problem is treating the thing on the other end of the wire as a "peripheral" (i.e. inside the computer's logical boundary) rather than as another computer on the end of a network (which might be expected to be hostile).

    Firewire and Thunderbolt are much worse: the peripheral has potential DMA access to the whole of system memory. http://support.microsoft.com/kb/2516445

  • This article is severely lacking in actual information. They also make no distinction between Windows, Macs, or Linux. I seriously doubt that if I plug in an infected USB device to my Linux laptop its firmware will be able to alter the DNS settings (/etc/resolv.conf which is owned by root). That sounds like a very OS-specific (probably Windows-specific) vulnerability. My best guess is it has something to do with the "automated whether you want it to be or not" printer driver installation mechanism whereby Windows PCs inherently trust the driver that's provided by the device.

    The ability to modify the data as it's copied seems like the only actual vulnerability to me. As in, I write some executable to the USB drive and the firmware modifies the executable to perform other functions. Once the file is copied off of the device though it should be pretty easy to detect such shenanigans with something as simple as a hash check.

    You could also have separate flash storage on the device that isn't visible to the OS where you could store whatever data you want, but that's less of a concern when you consider that a peripheral like a keyboard can't record the keystrokes of another peripheral (not directly, anyway--you'd have to get the user to execute some malware).

  • This applies to all USB devices indeed and can even be made OS-agnostic.

    USB stacks have been proven to be buggy (one of the PS3 exploits iirc used a modified Android phone giving malformed USB descriptors to the host). Add DMA to the mix and you have root access...
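The first comment lists the device classes a hostile stick can claim, the second proposes locking each port to an expected class, and the comment just above notes that malformed descriptors are how hosts get probed. The following Python, added here as an illustration and not code from the thread or from any USB stack, parses a USB configuration descriptor (standard USB 2.0 layout: configuration descriptor type 0x02, interface descriptor type 0x04, endpoint descriptor type 0x05) and admits a device only if every interface it exposes is allowed on the port it was plugged into. The port names, the policy table and the sample descriptors are constructed for the example; a composite "storage plus keyboard" device is rejected on both a storage-only and a keyboard-only port, and a descriptor whose lengths do not add up is refused instead of being parsed as far as it goes.

```python
from __future__ import annotations

import struct

# Standard interface class codes from the USB-IF device class list.
CLASS_NAMES = {
    0x01: "audio",
    0x03: "HID (keyboard/mouse)",
    0x07: "printer",
    0x08: "mass storage",
    0x09: "hub",
    0x0E: "video",
    0xE0: "wireless controller",
    0xFF: "vendor specific",
}

DESC_CONFIGURATION = 0x02
DESC_INTERFACE = 0x04
DESC_ENDPOINT = 0x05


def interface_classes(descriptor: bytes) -> list[int]:
    """Return bInterfaceClass for every interface in a configuration descriptor.

    Walks the chain by each block's bLength so endpoint and class-specific
    descriptors are skipped. Inconsistent lengths raise ValueError: a
    malformed descriptor is rejected whole, not parsed as far as it goes.
    """
    if len(descriptor) < 9 or descriptor[1] != DESC_CONFIGURATION:
        raise ValueError("not a configuration descriptor")
    total_len = struct.unpack_from("<H", descriptor, 2)[0]
    if total_len != len(descriptor):
        raise ValueError(f"wTotalLength {total_len} != {len(descriptor)} bytes received")
    classes: list[int] = []
    offset = 0
    while offset < len(descriptor):
        b_length = descriptor[offset]
        if b_length < 2 or offset + b_length > len(descriptor):
            raise ValueError(f"bad bLength {b_length} at offset {offset}")
        if descriptor[offset + 1] == DESC_INTERFACE:
            if b_length < 9:
                raise ValueError(f"short interface descriptor at offset {offset}")
            classes.append(descriptor[offset + 5])  # bInterfaceClass field
        offset += b_length
    return classes


def check_port_policy(port: str, descriptor: bytes,
                      policy: dict[str, set[int]]) -> tuple[bool, str]:
    """Admit a device only if every interface class is allowed on that port.

    A port with no policy entry admits nothing, so unlisted ports fail closed.
    """
    allowed = policy.get(port, set())
    try:
        classes = interface_classes(descriptor)
    except ValueError as exc:
        return False, f"{port}: malformed descriptor ({exc})"
    for cls in classes:
        if cls not in allowed:
            name = CLASS_NAMES.get(cls, "unknown")
            return False, f"{port}: interface class 0x{cls:02x} ({name}) not allowed here"
    return True, f"{port}: {len(classes)} interface(s) all within policy"


def build_config(interfaces: list[tuple[int, int, int, int]]) -> bytes:
    """Construct a configuration descriptor for the samples below.

    Each tuple is (bInterfaceClass, bInterfaceSubClass, bInterfaceProtocol,
    endpoint count); endpoints are emitted as bulk-IN descriptors.
    """
    body = b""
    for num, (cls, sub, proto, n_ep) in enumerate(interfaces):
        body += struct.pack("<BBBBBBBBB", 9, DESC_INTERFACE, num, 0, n_ep, cls, sub, proto, 0)
        for ep in range(n_ep):
            body += struct.pack("<BBBBHB", 7, DESC_ENDPOINT, 0x81 + ep, 0x02, 64, 0)
    header = struct.pack("<BBHBBBBB", 9, DESC_CONFIGURATION, 9 + len(body),
                         len(interfaces), 1, 0, 0x80, 50)
    return header + body


# Constructed sample descriptors (not captured from real hardware).
FLASH_DRIVE = build_config([(0x08, 0x06, 0x50, 2)])  # mass storage, bulk-only
KEYBOARD = build_config([(0x03, 0x01, 0x01, 1)])     # HID boot keyboard
COMPOSITE = build_config([(0x08, 0x06, 0x50, 2), (0x03, 0x01, 0x01, 1)])  # storage + keyboard

# Constructed per-port policy: what each physical port is expected to carry.
PORT_POLICY = {
    "port-1": {0x08},  # storage only
    "port-2": {0x03},  # keyboard/mouse only
}

if __name__ == "__main__":
    for port, desc in [("port-1", FLASH_DRIVE), ("port-1", COMPOSITE),
                       ("port-2", KEYBOARD), ("port-2", COMPOSITE),
                       ("port-1", FLASH_DRIVE[:-3])]:
        print(check_port_policy(port, desc, PORT_POLICY))
```

The check runs on the descriptor alone, before any class driver is bound, which is the point: a device that claims to be a hub or several classes at once is refused on a port provisioned for one class, and the OS never reaches the code paths for the classes it did not expect.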

  • Does USB promise any security? If so I never heard about it before. Otherwise it's not much surprise that an unsecured protocol is not secure, though.

  • By this logic, if "USB" (the bus) is broken, so are i2c, SPI, etc. PS/2 is equally broken, because a nefarious PS/2 keyboard or mouse can do exactly what that USB thumbdrive can do too. Also your RAM bus. And that IDE/SATA/Whatever Hard Drive. And even that sneaky VGA cable. A microcontroller in the connector could alter your display to cause you to click on dangerous things/delete files/etc. I could give you a laptop power supply cable that will destroy years' worth of your work, along with your laptop. There are lots of attack vectors involving things you stick in your computer, but I really don't think a bus protocol is the problem.

  • Stating the problem:

    1.) You want to trust your USB device.
    2.) You want to use your USB device on other non-trusted computers.
    3.) Non-trusted computers can update your device's firmware behind your back.

    So how can you handle firmware upgrades on your USB without trusting computers? One way to do this is to have a firmware update approval mechanism directly on the device.

    For keyboards the mechanism could be the following:

    - The computer initiates a firmware update.
    - The keyboard LEDs start to blink.
    - You have to enter your keyboard's UUID (which is on the bottom).

    Now you only have to make sure that you don't lend your keyboard to someone that you don't trust.
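The device-side gate sketched in the comment above, written out in Python as an added example (not code from the thread or from any real keyboard firmware). The host's only channel into the gate is host_requests_update(), which parks the image without applying it; the only way to approve is to type the printed UUID on the keyboard itself, which a host cannot do. The UUID, the approval window, the method names and the placeholder firmware image are constructed. Keys typed while approval is pending are consumed locally rather than reported to the host, so a compromised computer does not learn the UUID by watching keystrokes, and a single wrong entry or a timeout cancels the request.

```python
from __future__ import annotations

import hmac
import time
from typing import Callable


class KeyboardFirmwareGate:
    """States: 'idle' (normal typing) and 'awaiting_approval' (LEDs blinking)."""

    def __init__(self, printed_uuid: str, approval_window_s: float = 60.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._uuid = printed_uuid.strip().lower()   # the label on the bottom
        self._window = approval_window_s
        self._clock = clock
        self.installed_firmware = b"factory-image"  # constructed placeholder image
        self.state = "idle"
        self.leds_blinking = False
        self._pending: bytes | None = None
        self._typed = ""
        self._deadline = 0.0

    def host_requests_update(self, image: bytes) -> str:
        """The host sends an image. It is held, never applied, until approved."""
        if self.state != "idle":
            return "busy"
        self._pending = image
        self._typed = ""
        self._deadline = self._clock() + self._window
        self.state = "awaiting_approval"
        self.leds_blinking = True   # visible signal that something asked to reflash
        return self.state

    def keypress(self, ch: str) -> str:
        """Called for every physical keystroke on the keyboard.

        In 'idle' the key is forwarded to the host as usual. While awaiting
        approval it is consumed locally and never reported to the host.
        """
        if self.state != "awaiting_approval":
            return "forwarded"
        if self._clock() > self._deadline:
            self._reset()
            return "timeout"
        if ch != "\n":
            self._typed += ch
            return "consumed"
        # Enter pressed: one attempt per request, compared in constant time.
        typed = self._typed.strip().lower().encode()
        if hmac.compare_digest(typed, self._uuid.encode()):
            self.installed_firmware = self._pending
            self._reset()
            return "approved"
        self._reset()
        return "rejected"

    def _reset(self) -> None:
        self._pending = None
        self._typed = ""
        self.state = "idle"
        self.leds_blinking = False


def type_string(gate: KeyboardFirmwareGate, text: str) -> str:
    """Feed each character as a keystroke and return the result of the last one."""
    result = "forwarded"
    for ch in text:
        result = gate.keypress(ch)
    return result


if __name__ == "__main__":
    gate = KeyboardFirmwareGate("1234-abcd")
    print(gate.host_requests_update(b"new-image"))   # awaiting_approval, LEDs blink
    print(type_string(gate, "1234-ABCD\n"))          # approved
    print(gate.installed_firmware)
```

The remaining exposure is the one the comment names: anyone who can both plug the keyboard into a machine and read the label on its underside can approve an update, so the gate converts a remote, silent reflash into one that needs a person at the device.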

  • The main issue I think is having an active vs inert system as a data storage mechanism. A USB drive must interact with the computer in order to transmit data; a CD or DVD is ultimately an inert disk which is read without any back and forth alterations. There is a higher degree of security inherent in that, I believe.

    Unfortunately, the popularity (and honestly the convenience) of USB flash drives has made it hard to switch onto safer mechanisms.

  • I am missing one piece of information here (maybe a hw-hacker can give the answer):

    Is it possible (for some or many USB sticks or USB devices) to reprogram the firmware from a PC that they are connected to?

    The article plays a little with the threat that (I want to put it this way:) I lent my USB stick to a friend, he uses it but clears it afterwards and gives it back to me, and the stick now contains an infected firmware (that I cannot find out by normal means). And the friend also knows nothing, since his computer was infected before.

    Of course, I know that it is possible to change a firmware by hw means (replacing the chip or reprogramming it with special hw), but if the firmware of some or all USB devices were alterable just by plugging them into a computer, a new kind of virus would be possible, spreading more silently and dangerously than all of them before.

    HW hacking the firmware of USB devices of course is possible, but would be more in the field of industrial or real espionage. Reprogramming firmware "on-the-run" would cause a new mass-threat for computers.

  • I'm not so sure that security should be built into peripheral connect protocols like USB. We could just as easily treat a usb device like we do a network device, and harden the drivers against attack.

  • First of all, I think the title has been chosen to click-bait the reader. Second, maybe the real problem is that USB was never designed to be the main way to physically share data, or not even to be used with external storage? Please correct me if I'm wrong. Maybe people should start exchanging data on media that are designed to store data, like a memory card, but maybe this medium can also be compromised.

  • I don't understand how code on a USB drive can be executed on a PC. I seriously thought that USB was (as a protocol) a generic data interface.

    However, if it is something else (like, e.g., something that executes code from time to time), isn't it insecure by design?

    And if so, why did nobody see it and was it malice or stupidity?

  • Protection against most attacks: The first time I connect a device, the OS should show me what type it is (keyboard, mouse, etc.) and ask me if I want to use it. Only at that time it gets activated.

  • Well, that certainly isn't good. As if companies needed another reason to be obnoxiously paranoid about flash drives.

  • Well..... duh.

    If you are going to plug unknown hardware into your machine, what do you expect?