gfxgfx
 
Please login or register.

Login with username, password and session length
 
gfx gfx
gfx
75400 Posts in 13198 Topics by 2641 Members - Latest Member: lokta October 17, 2017, 01:19:56 pm
*
gfx*gfx
gfx
WinMX World :: Forum  |  Discussion  |  WinMx World News  |  Attack code for 'unpatchable' USB flaw released
gfx
gfxgfx
 

Author Topic: Attack code for 'unpatchable' USB flaw released  (Read 2713 times)

0 Members and 1 Guest are viewing this topic.

Offline DaBees-Knees

  • WMW Team
  • *****
Attack code for 'unpatchable' USB flaw released
« on: October 08, 2014, 02:04:38 pm »
Quote
Computer code that can turn almost any device that connects via USB into a cyber-attack platform has been shared online.

Computer security researchers wrote the code following the discovery of the USB flaw earlier this year. The pair made the code public in an attempt to force electronics firms to improve defences against attack by USB. One of the experts who found the flaw said the release was a "stark reminder" of its seriousness.

Attack tools
 
Details of the BadUSB flaw were released at the Black Hat computer security conference in August by Karsten Nohl and Jakob Lell. Their work revealed how to exploit flaws in the software that helps devices connect to computers via USB. The biggest problem they discovered lurks in the onboard software, known as firmware, found on these devices.

Among other things the firmware tells a computer what kind of a device is being plugged into a USB socket but the two cybersecurity researchers found a way to subvert this and install attack code. At Black Hat, the BBC saw demonstrations using a smartphone and a USB stick that could steal data when plugged into target machines.

Mr Nohl said he and his colleague did not release code in order to give firms making USB-controlling firmware time to work out how to combat the problem.

Now researchers Adam Caudill and Brandon Wilson have done their own work on the USB flaw and produced code that can be used to exploit it. The pair unveiled their work at the DerbyCon hacker conference last week and have made their attack software freely available via code-sharing site Github.

Smartphone

"We're releasing everything we've done here, nothing is being held back," said Mr Wilson in a presentation at DerbyCon. "We believe that this information should not be limited to a select few as others have treated it," he added. "It needs to be available to the public." Mr Wilson said cybercrime groups definitely had the resources to replicate the work of Mr Nohl and Mr Lell to produce their own attack code so releasing a version to the security community was a way to redress that imbalance.

Responding to the release of the attack tools Mr Nohl told the BBC that such "full disclosure" can motivate companies to act and make products more secure. "In the case of BadUSB, however, the problem is structural," he said. "The standard itself is what enables the attack and no single vendor is in a position to change that." "It is unclear who would feel pressured to improve their products by the recent release," he added. "The release is a stark reminder to defenders, though, that BadUSB is - and always has been - in reach of attackers."

Their motives seem a little odd. Giving a hacking code away to all and sundry seems a little irresponsible to me.

Offline GhostShip

  • Ret. WinMX Special Forces
  • WMW Team
  • *****
Re: Attack code for 'unpatchable' USB flaw released
« Reply #1 on: October 08, 2014, 06:43:38 pm »
This was the most irresponsible thing they could have done, its one thing to find an exploit, its another to inform the public and the big companies that its USB standards are open to subversion, but its the work of the most naive minds to make the leap into handing out exploit code that will affect billions of unsupported machines globally.

I think this team needs to face prosecution, they have over stepped the bounds of their craft, research is research. handing out malware exploits makes them malicious hackers akin to virus writers.

Offline White Stripes

  • Core
  • *****
  • ***
  • Je suis aimé
Re: Attack code for 'unpatchable' USB flaw released
« Reply #2 on: October 08, 2014, 07:03:34 pm »
This was the most irresponsible thing they could have done, its one thing to find an exploit, its another to inform the public and the big companies that its USB standards are open to subversion, but its the work of the most naive minds to make the leap into handing out exploit code that will affect billions of unsupported machines globally.

I think this team needs to face prosecution, they have over stepped the bounds of their craft, research is research. handing out malware exploits makes them malicious hackers akin to virus writers.


what about the writers of nmap and similar tools? i use nmap to find which computer is where on my LAN but it could be used for much worse...

Offline RebelMX

  • Core
  • *****
  • *****
Re: Attack code for 'unpatchable' USB flaw released
« Reply #3 on: October 08, 2014, 08:37:14 pm »
Afraid I agree with Stripes on this one.  Someone creating and testing some code and publishing it is one thing.  Using it for ill gotten gains is another.  Don't forget the hasty desire for freedom of speech and copyright clauses of "for personal use".  This sites news makes me laugh, hating on copyright cartels then hating on researchers when big corporate firms have had full copies of the attack code for 2 months and done nothing with it?  Sometimes for improvements to come about global multi-national companies need to be "encouraged" to help their customers not their shareholders.

Offline DaBees-Knees

  • WMW Team
  • *****
Re: Attack code for 'unpatchable' USB flaw released
« Reply #4 on: October 08, 2014, 11:48:25 pm »
Rebel,
           Hate is a bit strong. Disagreeing with someone or a point of view doesn't infer that you hate them or it.

Offline GhostShip

  • Ret. WinMX Special Forces
  • WMW Team
  • *****
Re: Attack code for 'unpatchable' USB flaw released
« Reply #5 on: October 09, 2014, 02:22:42 am »
I think you have overlooked the simplest point here RebelMx, this is an unpatchable exploit,  theres too much equipment out there thats way past its sell by date that cannot be fixed in any meaningful way, understanding this key point puts a completely different gloss on this matter, this is not something that can be fixed being the problem is hardcoded in intergrated circuits, thus its the most irresponsible thing I have seen done in a long time.


Offline White Stripes

  • Core
  • *****
  • ***
  • Je suis aimé
Re: Attack code for 'unpatchable' USB flaw released
« Reply #6 on: October 09, 2014, 03:56:12 am »
the only code they have made publicly available is called 'bad android' ... it turns your smartphone into this 'hack' ... they have not released things like modified usb thumb drive firmware (thats the real hack)... ... its not a flaw in usb per say.. its a flaw in the device thats being connected... a device pretending to be something its not.... so basically for an effective attack... you would need to physically trick someone into using that thumb drive on a mission critical machine... ...for workplace computers all that needs be done is disable the usb controller in the bios... last i checked the ps2 keyboard and mouse ports are still around in one form (onboard) or another (add-on card)....

for the general populace... well... dont buy knock-off thumb drives... the 'name brands' are less likely to have a bug and more likely to get bad pr if they do and fix the problem toot sweet...

Re: Attack code for 'unpatchable' USB flaw released
« Reply #7 on: October 09, 2014, 05:30:47 am »
most antivirus would sandbox something like that wouldn't they?

Offline GhostShip

  • Ret. WinMX Special Forces
  • WMW Team
  • *****
Re: Attack code for 'unpatchable' USB flaw released
« Reply #8 on: October 09, 2014, 08:00:51 am »
So folks should ditch using their USB equipment all because a couple of yo-yo's wanted to make a name for themselves  :/

Rationalising bad judgement simply compounds the folly, there is no public benefit in what they have done.

Re: Attack code for 'unpatchable' USB flaw released
« Reply #9 on: October 09, 2014, 11:14:06 am »
it's all put there deliberately by the nsa

Offline White Stripes

  • Core
  • *****
  • ***
  • Je suis aimé
Re: Attack code for 'unpatchable' USB flaw released
« Reply #10 on: October 09, 2014, 02:45:51 pm »
most antivirus would sandbox something like that wouldn't they?

why would antivirus software be concerned over a usb keyboard... the virus isnt the firmware.. the firmware jumpstarts the malware.... hopefully the AV software would catch the malware

Offline White Stripes

  • Core
  • *****
  • ***
  • Je suis aimé
Re: Attack code for 'unpatchable' USB flaw released
« Reply #11 on: October 09, 2014, 02:53:50 pm »
So folks should ditch using their USB equipment all because a couple of yo-yo's wanted to make a name for themselves  :/

Rationalising bad judgement simply compounds the folly, there is no public benefit in what they have done.

you dont have to ditch your usb equipment... this is a physical attack.. not a remote one... in order to attack individuals they would have to hijack a load of usb devices and reprogram each one... or do the naughty at the factory.... this 'attack' is really really overblown due to just how hard it would be to pull off.... like the computerised cars that throw on their brakes with a command sent via text from a cellphone.... that car had to have custom firmware installed after months of research and reverse engineering... ...and just like cars thumb drives and other usb devices arent going to have the same controller across brands... with cheap thumb drives two 'identical' looking drives could very well have very different chips.... you are more likely to get a virus from something that has been stored on the unmodified thumb drive than a deliberately modified thumb drive...


also remember.. what they -released- is called 'bad android' ... which makes your phone pretend to be something its not.... best idea there? dont let others plug their phone into your machine... ...something you shouldnt let happen anyway...

Offline White Stripes

  • Core
  • *****
  • ***
  • Je suis aimé
Re: Attack code for 'unpatchable' USB flaw released
« Reply #12 on: October 09, 2014, 03:14:07 pm »
the NSA is using this of course but what would they use it for? a specific target would be the best move cos a blanket attack would quickly be uncovered...



if this image loads ... the chip labeled '2' is what the attack reprograms ... do you know what language it speaks? or how many variants there are? or how many different companies make different versions? (read: not easy to reprogram without a lot of research)

http://commons.wikimedia.org/wiki/File:Usbkey_internals.jpg (link just in case)

Offline White Stripes

  • Core
  • *****
  • ***
  • Je suis aimé
Re: Attack code for 'unpatchable' USB flaw released
« Reply #13 on: October 09, 2014, 03:40:42 pm »
http://int3.cc/products/usbcondoms

Quote
Have you ever plugged your phone into a strange USB port because you really needed a charge and thought: "Gee who could be stealing my data?". We all have needs and sometimes you just need to charge your phone. "Any port in a storm." as the saying goes. Well now you can be a bit safer. "USB Condoms" prevent accidental data exchange when your device is plugged in to another device with a USB cable. USB Condoms achieve this by cutting off the data pins in the USB cable and allowing only the power pins to connect through.Thus, these "USB Condoms" prevent attacks like "juice jacking".


just to add some humor to this otherwise dreary thread...

Offline GhostShip

  • Ret. WinMX Special Forces
  • WMW Team
  • *****
Re: Attack code for 'unpatchable' USB flaw released
« Reply #14 on: October 09, 2014, 08:08:29 pm »

Offline White Stripes

  • Core
  • *****
  • ***
  • Je suis aimé
Re: Attack code for 'unpatchable' USB flaw released
« Reply #15 on: October 09, 2014, 08:40:49 pm »
Just how dangerous can a USB hack be ..

http://www.wired.com/2011/07/how-digital-detectives-deciphered-stuxnet/all/



stuxnet wasnt a usb hack... it just hitched a ride on a standard unmodified mass storage device... it could have just as easily slipped in and out on a floppy disk...

Offline GhostShip

  • Ret. WinMX Special Forces
  • WMW Team
  • *****
Re: Attack code for 'unpatchable' USB flaw released
« Reply #16 on: October 09, 2014, 08:56:57 pm »
I have been watching for years the increase in stories relating to malware found in brand new items, given China is a veritable "Player" in the cyber warfare arena I suspect many of the items folks are purchasing may well be trojaned and with such researchers giving clues on ways to improve their work whats the bottom line for the rest of us, its not to use USB items in general, I havent seen anything that negates this most solid level of protective paranoia  :yes:

Now how about that USB keyboard you have .. is it contacting home ???

Offline White Stripes

  • Core
  • *****
  • ***
  • Je suis aimé
Re: Attack code for 'unpatchable' USB flaw released
« Reply #17 on: October 09, 2014, 09:06:51 pm »
Quote
Now how about that USB keyboard you have .. is it contacting home ???

only if it were programmed to act like a different device in addition to a keyboard... ...paranoid? fire up everest and look through usb devices... if something is there that you dont actually have plugged in then theres a problem....

Offline GhostShip

  • Ret. WinMX Special Forces
  • WMW Team
  • *****
Re: Attack code for 'unpatchable' USB flaw released
« Reply #18 on: October 09, 2014, 09:15:21 pm »
I'm pretty sure that your aware of the work of the NSA in intercepting items folks have ordered and replacing them with specialy matching products, fact is not fiction.

I also read recently about the same exact issues as regards cheap mass produced items from China, it seems no one is really safe.

Offline White Stripes

  • Core
  • *****
  • ***
  • Je suis aimé
Re: Attack code for 'unpatchable' USB flaw released
« Reply #19 on: October 09, 2014, 10:29:52 pm »
Quote
I'm pretty sure that your aware of the work of the NSA in intercepting items folks have ordered and replacing them with specialy matching products, fact is not fiction.

yes like routers with modified firmware.... standalone devices with their own cpu and software... USB is a much simpler creature.. since usb needs a 'host' (i cant put enough emphasis on 'host') system it needs to also be a device other than what it is in order to interact with the operating system... a keyboard alone couldnt phone home... type the wrong characters? sure.. type commands? sure... but if you plugged in a keyboard and noticed that the computer seemed to be typing on its own even a regular consumer would smell something fishy... and this keyboard has no idea where it is in the ui of the OS... so if it typed commands they may just be landing as readable text in notepad... or even more humorous if it were plugged into an OS that wasnt windows... in linux the windows key does nothing unless you map it... so windows key + 'r' to open the run box would just type the letter r....

WinMX World :: Forum  |  Discussion  |  WinMx World News  |  Attack code for 'unpatchable' USB flaw released
 

gfxgfx
gfx
©2005-2017 WinMXWorld.com. All rights reserved.
SMF 2.0.14 | SMF © 2017, Simple Machines
Page created in 0.049 seconds with 23 queries.
Helios Multi © Bloc
gfx
Powered by MySQL Powered by PHP Valid XHTML 1.0! Valid CSS!