Computer code that can turn almost any device that connects via USB into a cyber-attack platform has been shared online.
Computer security researchers wrote the code following the discovery of the USB flaw earlier this year. The pair made the code public in an attempt to force electronics firms to improve defences against attack by USB. One of the experts who found the flaw said the release was a "stark reminder" of its seriousness.
Attack tools
Details of the BadUSB flaw were released at the Black Hat computer security conference in August by Karsten Nohl and Jakob Lell. Their work revealed how to exploit flaws in the software that helps devices connect to computers via USB. The biggest problem they discovered lurks in the onboard software, known as firmware, found on these devices. Among other things the firmware tells a computer what kind of a device is being plugged into a USB socket but the two cybersecurity researchers found a way to subvert this and install attack code. At Black Hat, the BBC saw demonstrations using a smartphone and a USB stick that could steal data when plugged into target machines.
Mr Nohl said he and his colleague did not release code in order to give firms making USB-controlling firmware time to work out how to combat the problem.
Now researchers Adam Caudill and Brandon Wilson have done their own work on the USB flaw and produced code that can be used to exploit it. The pair unveiled their work at the DerbyCon hacker conference last week and have made their attack software freely available via code-sharing site Github.
"We're releasing everything we've done here, nothing is being held back," said Mr Wilson in a presentation at DerbyCon. "We believe that this information should not be limited to a select few as others have treated it," he added. "It needs to be available to the public."
Mr Wilson said cybercrime groups definitely had the resources to replicate the work of Mr Nohl and Mr Lell to produce their own attack code so releasing a version to the security community was a way to redress that imbalance.
Responding to the release of the attack tools Mr Nohl told the BBC that such "full disclosure" can motivate companies to act and make products more secure. "In the case of BadUSB, however, the problem is structural," he said. "The standard itself is what enables the attack and no single vendor is in a position to change that." "It is unclear who would feel pressured to improve their products by the recent release," he added. "The release is a stark reminder to defenders, though, that BadUSB is - and always has been - in reach of attackers."
This was the most irresponsible thing they could have done. It's one thing to find an exploit, it's another to inform the public and the big companies that its USB standards are open to subversion, but it's the work of the most naive minds to make the leap into handing out exploit code that will affect billions of unsupported machines globally. I think this team needs to face prosecution, they have overstepped the bounds of their craft, research is research. Handing out malware exploits makes them malicious hackers akin to virus writers.
Most antivirus would sandbox something like that, wouldn't they?
So folks should ditch using their USB equipment all because a couple of yo-yos wanted to make a name for themselves? Rationalising bad judgement simply compounds the folly; there is no public benefit in what they have done.
Have you ever plugged your phone into a strange USB port because you really needed a charge and thought: "Gee, who could be stealing my data?" We all have needs and sometimes you just need to charge your phone. "Any port in a storm," as the saying goes. Well, now you can be a bit safer. "USB Condoms" prevent accidental data exchange when your device is plugged in to another device with a USB cable. USB Condoms achieve this by cutting off the data pins in the USB cable and allowing only the power pins to connect through. Thus, these "USB Condoms" prevent attacks like "juice jacking".
Just how dangerous can a USB hack be .. http://www.wired.com/2011/07/how-digital-detectives-deciphered-stuxnet/all/
Now how about that USB keyboard you have .. is it contacting home ???
I'm pretty sure that you're aware of the work of the NSA in intercepting items folks have ordered and replacing them with specially matching products, fact is not fiction.