[sf-lug] (forw) Re: [Felton LUG] BBC News - USB 'critically flawed' after bug discovery, researchers say

Rick Moen rick at linuxmafia.com
Sun Aug 10 17:06:34 PDT 2014


Useful perspective.

----- Forwarded message from Jeremy <jercos at gmail.com> -----

Date: Sat, 9 Aug 2014 14:46:41 -0700
From: Jeremy <jercos at gmail.com>
To: felton-lug at googlegroups.com
Subject: Re: [Felton LUG] BBC News - USB 'critically flawed' after bug
	discovery, researchers say

From a computer security standpoint, this is somewhat old news... an older
version of the same concept took advantage of SanDisk "U3" USB drives,
which would pretend to be both a USB drive and a CD-ROM drive in order to
auto-run the U3 application. As it turns out, it's possible to replace the
simulated CD-ROM drive with your own CD image, which in the Windows XP era
meant simply plugging in a flash drive could auto-run a piece of malware
instead. That particular hole has been closed in Windows (by always
prompting before auto-running anything), and never existed in Linux
(Auto-run? What's that? :p), but the attacks demonstrated in this BBC
article are nearly impossible to invalidate while keeping consumers
comfortable... how would you click "OK" to allow installing a new USB
mouse? Given the same problems would exist in any peripheral interface
capable of connecting both innocuous storage devices and input devices, I'd
say the title is misleading.

The article brushes against and neatly avoids an inverse point as well:
while they demonstrate a phone being used to tap a computer's network, the
opposite can be done as well. An innocuous-looking public USB charger as one
might find in an airport or coffee shop could have been replaced with a
device that can connect to your phone and read any information stored on
it. If you find yourself in such places charging your phone often, or might
lend a USB port to someone who needs some charge on their phone, it might be
worth investing a few bucks in a USB "charge only" adapter, which is
inserted between a USB cable and a USB port to prevent the phone from
syncing to the port it's connected to.

A far worse exploit was found in FireWire (and expanded to similar
interfaces with DMA access) a fair amount of time before that, as a
FireWire hard drive was in many cases allowed unrestricted memory access,
and could thus read passwords and encryption keys right out of memory,
insert a rootkit right into the running kernel, and other frightening
things without so much as a security prompt. The device that was used to
demonstrate this in 2004? A classic iPod, physically unmodified, with a
custom firmware installed.

In either case, this article highlights an important point: if you're
concerned about your computer's security, NEVER plug random devices into
it. Plugging a device into your computer, be it FireWire, USB, Thunderbolt,
eSATA, ExpressCard, or PCMCIA means that you are trusting the device's
owner AND the device's manufacturer not to have tampered with it, and given
the scope of the attacks possible from every bus in that list *except* USB,
USB might just be the safest case. At least a USB device has to go to the
extent of simulating a keyboard and mouse or network card before it can
control your computer or steal your information.


On Sat, Aug 9, 2014 at 9:51 AM, Robert Lewis <bob.l.lewis at gmail.com> wrote:

> http://www.bbc.com/news/technology-28701124

----- End forwarded message -----
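
The forwarded message describes devices that present more than one role on a single plug (storage plus a simulated keyboard, mouse or network card). The following is an added example, not part of either message: a Linux check that groups the interface classes each attached USB device currently presents and marks the combination described above for review. It assumes the standard sysfs layout under /sys/bus/usb/devices; the names classify and scan are this example's own.

```python
import os

# bInterfaceClass values as sysfs prints them (two hex digits, USB-IF class codes).
STORAGE = "08"
CONTROL_CAPABLE = {
    "03": "HID (keyboard/mouse)",
    "02": "communications (network/modem)",
    "0a": "CDC data (network)",
    "e0": "wireless controller",
}

def classify(interface_classes):
    """Return (verdict, roles) for one device's list of interface class codes."""
    classes = {c.strip().lower() for c in interface_classes}
    roles = sorted(CONTROL_CAPABLE[c] for c in classes if c in CONTROL_CAPABLE)
    if roles and STORAGE in classes:
        return "review", roles          # storage plus input or network on one plug
    if roles:
        return "input-or-network", roles
    return "ok", roles

def scan(root="/sys/bus/usb/devices"):
    """Group interface entries (named '<device>:<config>.<iface>') by device."""
    devices = {}
    if not os.path.isdir(root):
        return devices
    for entry in sorted(os.listdir(root)):
        if ":" not in entry:
            continue                    # device or root-hub node, not an interface
        path = os.path.join(root, entry, "bInterfaceClass")
        try:
            with open(path) as fh:
                code = fh.read()
        except OSError:
            continue                    # interface vanished mid-scan (unplugged)
        devices.setdefault(entry.split(":")[0], []).append(code)
    return {dev: classify(codes) for dev, codes in devices.items()}

if __name__ == "__main__":
    for dev, (verdict, roles) in scan().items():
        print(f"{dev:10} {verdict:17} {', '.join(roles) or '-'}")
```

A "review" result is a prompt to look at the device, not a verdict: phones and other legitimate composite devices present storage alongside network interfaces, and the check only sees what a device presents at the moment it runs.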



