
2984839

Cancelled
Apr 19, 2014
2,114
2,240
Thunderbolt, FireWire, and ExpressCard (and variants) are all vulnerable to DMA attacks.
Just because there has been an exploit discovered for USB does not make them any more secure.

Yup. Firewire in particular is a bad one. Bad enough that I compiled my kernel without Firewire support and blacklisted Firewire modules on Fedora.
 

fabrica64

macrumors newbie
Oct 17, 2013
17
3
I don't get it: does the "virus" reside on the USB device (such as a flash drive, external HDD or charger) or does it get copied into the computer's USB firmware? So if someone plugs an infected USB device into a computer, does removing the device remove the virus?

Basically it works this way:

1. A tampered USB disk contains an invisible drive with a virus inside, and the virus enters the system. Trying to clean the USB disk does not remove the virus or the hidden drive

2. A tampered USB disk declares itself as a keyboard and/or a mouse to the OS, it then sends commands to the OS as if it were you

3. A combination of 1 and 2 where 2 instructs the OS to load a program in 1

4. A USB disk declares itself as a network interface and the OS elects it as the main network interface, then all traffic is logged and redirected to the main network interface, possibly injecting packets

A good OS (Linux, for example) prevents 1; 2 will appear on your screen and, if you do not run as administrator, even injected commands cannot do much harm; and 4 may be disabled if the OS does not automatically add network interfaces and give them the capability to set DNS or to divert traffic

It seems that, as always, spreading viruses and the like needs some sort of cooperation from the OS and/or the user...

And I would be much more worried by firmware in SSD, that can inject malware inside files, and backdoors inside microprocessors :)
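As an added example (not part of fabrica64's post or anything else in this thread), here is a small Python detector for the "1 + 2" and storage-plus-network combinations described above. It correlates Linux kernel log lines by USB port path and flags any device that registers under more than one role. The log lines are constructed for the example; the regexes follow the message formats printed by the usb core, usb-storage, the input layer and the cdc_ether/rndis_host/cdc_ncm drivers.

```python
"""Flag USB devices that register under more than one role (storage, input,
network) in the Linux kernel log. Added example; SAMPLE_LOG below is
constructed, not captured from a real machine.

The kernel prefixes every message about a device with its port path
("1-3" = bus 1, port 3) and each interface with "<port>:<config>.<iface>",
which is what lets the roles be correlated per physical device.
"""
import re
from collections import defaultdict

TIMESTAMP = re.compile(r"^\[\s*\d+\.\d+\]\s*")  # optional dmesg "[  101.21]" prefix
NEW_DEVICE = re.compile(r"^usb (\S+): New USB device found, idVendor=([0-9a-f]{4}), idProduct=([0-9a-f]{4})")
PRODUCT = re.compile(r"^usb (\S+): Product: (.+)$")
STORAGE = re.compile(r"^usb-storage (\S+?):\d+\.\d+: USB Mass Storage device detected")
INPUT = re.compile(r"^input: (.+?) as (\S+)$")
NETWORK = re.compile(r"^(?:cdc_ether|rndis_host|cdc_ncm) (\S+?):\d+\.\d+ \S+: register ")
# the sysfs path in an "input:" line contains ".../<port>/<port>:<cfg>.<iface>/..."
IFACE_IN_PATH = re.compile(r"/(\d+-[\d.]+):\d+\.\d+/")

# Constructed sample: port 1-3 is a "flash drive" that also registers a keyboard,
# port 1-4 is a plain keyboard, port 2-1 is a plain USB Ethernet adapter.
SAMPLE_LOG = [
    "[  101.210001] usb 1-3: new high-speed USB device number 5 using xhci_hcd",
    "[  101.360512] usb 1-3: New USB device found, idVendor=1234, idProduct=abcd, bcdDevice= 1.00",
    "[  101.360520] usb 1-3: Product: Example Flash Drive",
    "[  101.362110] usb-storage 1-3:1.0: USB Mass Storage device detected",
    "[  101.370044] input: Example Flash Drive as /devices/pci0000:00/0000:00:14.0/usb1/1-3/1-3:1.1/0003:1234:ABCD.0004/input/input15",
    "[  101.370300] hid-generic 0003:1234:ABCD.0004: input,hidraw1: USB HID v1.11 Keyboard [Example Flash Drive] on usb-0000:00:14.0-3/input1",
    "[  140.010004] usb 1-4: New USB device found, idVendor=5678, idProduct=0001, bcdDevice=64.00",
    "[  140.010010] usb 1-4: Product: Example Keyboard",
    "[  140.020001] input: Example Keyboard as /devices/pci0000:00/0000:00:14.0/usb1/1-4/1-4:1.0/0003:5678:0001.0005/input/input16",
    "[  200.500001] usb 2-1: New USB device found, idVendor=5678, idProduct=0002, bcdDevice=30.00",
    "[  200.500009] usb 2-1: Product: Example USB LAN",
    "[  200.600002] cdc_ncm 2-1:2.0 enx001122334455: register 'cdc_ncm' at usb-0000:00:14.0-1, CDC NCM, 00:11:22:33:44:55",
]


def parse_kernel_log(lines):
    """Return {port: {"id": "vvvv:pppp", "product": str, "roles": set}}."""
    devices = defaultdict(lambda: {"id": None, "product": None, "roles": set()})
    for raw in lines:
        line = TIMESTAMP.sub("", raw.strip())
        if m := NEW_DEVICE.match(line):
            devices[m.group(1)]["id"] = f"{m.group(2)}:{m.group(3)}"
        elif m := PRODUCT.match(line):
            devices[m.group(1)]["product"] = m.group(2)
        elif m := STORAGE.match(line):
            devices[m.group(1)]["roles"].add("storage")
        elif m := INPUT.match(line):
            # the port is not in the message prefix here, so pull it from the sysfs path
            if p := IFACE_IN_PATH.search(m.group(2)):
                devices[p.group(1)]["roles"].add("input")
        elif m := NETWORK.match(line):
            devices[m.group(1)]["roles"].add("network")
    return dict(devices)


def suspicious_devices(devices):
    """Ports whose device claims two or more roles: a flash drive that also
    shows up as a keyboard or as a network adapter is the pattern to alert on."""
    return sorted(port for port, d in devices.items() if len(d["roles"]) >= 2)


def report(lines):
    """Human-readable alert lines, one per suspicious device."""
    devices = parse_kernel_log(lines)
    return [
        f"ALERT usb {port} ({devices[port]['id']}, {devices[port]['product']!r}) "
        f"registered roles {sorted(devices[port]['roles'])}"
        for port in suspicious_devices(devices)
    ]


if __name__ == "__main__":
    for alert in report(SAMPLE_LOG):
        print(alert)
```

Run it against `journalctl -k -o cat` or `dmesg` output instead of SAMPLE_LOG to use it on a live machine. Expect legitimate composite devices (a phone exposing storage plus RNDIS tethering, a docking station) to trip the same rule, so treat it as a heuristic that prompts a look at the device rather than an automatic verdict.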
 

2984839

Cancelled
Apr 19, 2014
2,114
2,240
Basically it works this way:

1. A tampered USB disk contains an invisible drive with a virus inside, and the virus enters the system. Trying to clean the USB disk does not remove the virus or the hidden drive

2. A tampered USB disk declares itself as a keyboard and/or a mouse to the OS, it then sends commands to the OS as if it were you

3. A combination of 1 and 2 where 2 instructs the OS to load a program in 1

4. A USB disk declares itself as a network interface and the OS elects it as the main network interface, then all traffic is logged and redirected to the main network interface, possibly injecting packets

A good OS (Linux, for example) prevents 1; 2 will appear on your screen and, if you do not run as administrator, even injected commands cannot do much harm; and 4 may be disabled if the OS does not automatically add network interfaces and give them the capability to set DNS or to divert traffic

It seems that, as always, spreading viruses and the like needs some sort of cooperation from the OS and/or the user...

----------

And I would be much more worried by firmware in SSD, that can inject malware inside files, and backdoors inside microprocessors :)

Linux is actually very vulnerable to this due to X11's awful insecurity. There's no isolation between applications running on the same X server, so it is extremely easy to sniff keystrokes. If you run "xinput list" you will get a list of input devices, including the keyboard. Then run "xinput test [id of keyboard]" and you will now be able to see all keystrokes from the user, including root passwords, passwords entered for sudo, etc. This can be done as a normal, unprivileged user. More info: http://theinvisiblethings.blogspot.com/2011/04/linux-security-circus-on-gui-isolation.html

This makes it easy for an attack vector such as this to allow the attacker to monitor keystrokes. No root access or installation required. There's also a host of tricks that can be done by writing hidden files to take advantage of system scripts by passing the hidden file in as an option to the shell command run by the script. Some of those can be nasty.
 

scottwaugh

macrumors 6502
Jul 22, 2002
359
12
Chicago
Isn't this attack one of the projects outed by Edward Snowden? Sounds like something the NSA would cook up, at least.

According to the docs Snowden released, the NSA had several USB exploits they used - based on the absolute trust of the USB connection functionality, I would have been very disappointed if they hadn't already been using this for years.

Course, USB was conceived when security like we need here wasn't thought of, FireWire was conceived around the same time and is probably just as open to attack. I wouldn't be surprised if Thunderbolt wasn't open as well, at this level, but we'll find out about that as time goes on.
 

MRrainer

macrumors 68000
Aug 8, 2008
1,528
1,107
Zurich, Switzerland
Penetration-testing companies either randomly mail USB-sticks with malware to employees of their client or they "accidentally" lose a couple of them at the bus-station or the car-park in the vicinity of the corporate building.

People usually try and see what's on the device and plug it in - bang, the malware infects the mark and installs a remote administration tool (RAT) that allows the pen-tester to control the PC of the employee.

I know of a case where one of the mailed USB-sticks (sent from a fake address) didn't reach the intended target and was routed to the central post office. The letter was opened and the post-office employee - charged with the task to find clues as to the sender of the letter - dutifully inserted the USB-stick in his PC.
Suddenly, the pen-testers found themselves browsing the PC of an employee of a company they didn't have a contract with...

I think it would be pretty naive at this point to believe that certain 3-letter acronym government agencies and/or their 3rd-party contractors who develop software for them didn't get the idea (firmware is the trojan) earlier.
 

tongxinshe

macrumors 65816
Feb 24, 2008
1,064
651
Sounds to me that the whole was enforced by the NSA into the original USB design. I've always been complaining about Apple for not moving directly to USB when it said it had to give up its 30-pin connector, but with this news, it seems to be a wise decision now!

(Well, on a second thought, who knows whether this is another backup plan NSA enforced Apple into!)
 

2984839

Cancelled
Apr 19, 2014
2,114
2,240
Penetration-testing companies either randomly mail USB-sticks with malware to employees of their client or they "accidentally" lose a couple of them at the bus-station or the car-park in the vicinity of the corporate building.

People usually try and see what's on the device and plug it in - bang, the malware infects the mark and installs a remote administration tool (RAT) that allows the pen-tester to control the PC of the employee.

I know of a case where one of the mailed USB-sticks (sent from a fake address) didn't reach the intended target and was routed to the central post office. The letter was opened and the post-office employee - charged with the task to find clues as to the sender of the letter - dutifully inserted the USB-stick in his PC.
Suddenly, the pen-testers found themselves browsing the PC of an employee of a company they didn't have a contract with...

I think it would be pretty naive at this point to believe that certain 3-letter acronym government agencies and/or their 3rd-party contractors who develop software for them didn't get the idea (firmware is the trojan) earlier.

USBs were the carrier for Stuxnet too. Great attack vector because people just can't keep from plugging in a random USB to see what's on it. I know of a company that filled its USB ports full of epoxy to prevent that.
 

MyDataMyProbs

macrumors regular
Jun 25, 2014
179
0
Interesting to say the least.

I wonder how many more "flaws" will come to light, and how many of them will be ascribed to sinister motives, e.g., the NSA.

They probably discovered this 10+ years ago. And they probably put the virus in every USB 3rd party device before it went out. And now they can spy on every single computer that uses these accessories. :(
 

MagnusVonMagnum

macrumors 603
Jun 18, 2007
5,193
1,442
Gee, thanks "researchers" for REVEALING to all the criminals out there a good way to screw people's devices up. I mean researching vulnerabilities is all fine and good, but they shouldn't be announced to the general public until a FIX is available. Otherwise, they're only helping the "bad guys". Here, it's made clear there is no possible fix in sight and therefore shouting it to the world helps no one and may hurt many.
 

2984839

Cancelled
Apr 19, 2014
2,114
2,240
Gee, thanks "researchers" for REVEALING to all the criminals out there a good way to screw people's devices up. I mean researching vulnerabilities is all fine and good, but they shouldn't be announced to the general public until a FIX is available. Otherwise, they're only helping the "bad guys". Here, it's made clear there is no possible fix in sight and therefore shouting it to the world helps no one and may hurt many.

This has been a problem for a long time. Rubber Duckies, which let you exploit it, have been for sale since 2010, and the problem was known long before that.
 

Redbunyip

macrumors newbie
Jul 5, 2014
2
0
Could you connect the USB to VMware instead of the Mac? When you plug it in it asks Mac or Windows. Or can it infect the computer before it gets to that point?
 

brianvictor7

macrumors 65816
Oct 24, 2013
1,054
429
United States
The military has actually banned USB devices for years now. I believe the ban started 4-5 years ago. There was some incident involving Chinese hackers, if I recall correctly.

Probably not a big risk for your average person. Just don't use random people's thumb drives.

We have banned the use of thumb drives. We still use USB connected mice and printers to name a few items. This article is definitely not good news.
 

allanfries

macrumors 6502a
Jun 18, 2013
552
169
Canada
So, I'm guessing that this virus attack primarily hits the windows platform? Or are Macs actually affected in a big way with this one?
All my drives are used in-house by me and only me, so I think I'm safe. Hopefully.
 

kdarling

macrumors P6
It's not NSA we should be worried about.

It's the companies who make the USB sticks, probably mostly in China.

Remember about six years ago, when it was discovered that a commonly used credit card payment terminal (made in China) had been modified before they were packaged up, and then installed at hundreds of stores in Europe?

These terminals had extra circuitry installed to skim the card numbers and PINs and transmit them to another gang in Pakistan. They got tens of millions of dollars before the scheme was figured out.

(Since they were sealed, the only non-destructive way to tell if your store had one, was to weigh it, as the modified units weighed about 3 ounces more.)

The same kind of so-called "supply chain" scheme could be done by a company selling cheap USB sticks.
 

2984839

Cancelled
Apr 19, 2014
2,114
2,240
So, I'm guessing that this virus attack primarily hits the windows platform? Or are Macs actually affected in a big way with this one?
All my drives are used in-house by me and only me, so I think I'm safe. Hopefully.

It's not a virus; it's an exploit. Any platform can be a target depending on the payload used. Keystroke injection is a threat regardless of OS. The only ways to defend against it are to either keep physical security of your computer at all times, physically disable the USB ports, or disable them via software.
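The "disable them via software" option exists on Linux as the kernel's USB authorization interface in sysfs: writing 0 to a root hub's authorized_default stops newly attached devices from being configured, and each device's authorized file can then be set individually. As an added example (not from this thread), the following Python script assumes the standard sysfs layout under /sys/bus/usb/devices, parses each device's raw descriptors file for the interface classes it declares, and authorizes only what a simple policy allows: mass-storage-only devices, plus keyboards and network adapters whose vendor:product id is on an explicit allowlist. The descriptor blobs used for the stand-alone demonstration are constructed.

```python
"""Per-device USB authorization on Linux, driven by the interface classes a
device declares in its descriptors. Added example; the descriptor blobs at the
bottom are constructed for demonstration.

sysfs paths used (standard kernel layout, assumed here):
  /sys/bus/usb/devices/usbN/authorized_default   root hubs: 0 = do not configure new devices
  /sys/bus/usb/devices/<port>/authorized         per device: 0/1
  /sys/bus/usb/devices/<port>/idVendor, idProduct, descriptors
'descriptors' is the device descriptor followed by the full configuration
descriptors, and is readable while the device is still unauthorized.
"""
import os
import re

MASS_STORAGE, HID, CDC_CONTROL, CDC_DATA, WIRELESS = 0x08, 0x03, 0x02, 0x0A, 0xE0
NETWORK_CLASSES = {CDC_CONTROL, CDC_DATA, WIRELESS}
DESC_INTERFACE = 0x04


def interface_classes(blob):
    """Walk bLength/bDescriptorType-framed descriptors and collect
    (class, subclass, protocol) for every interface descriptor, alternate
    settings included, since a device may switch to them after enumeration."""
    found = set()
    i = 0
    while i + 2 <= len(blob):
        length, dtype = blob[i], blob[i + 1]
        if length < 2:  # malformed descriptor: stop instead of looping forever
            break
        if dtype == DESC_INTERFACE and length >= 9 and i + 9 <= len(blob):
            found.add((blob[i + 5], blob[i + 6], blob[i + 7]))
        i += length
    return sorted(found)


def decide(triples, dev_id, allowed_ids=frozenset()):
    """Return (authorize, reason). Storage-only devices are allowed; a device
    with a HID or network interface needs its vendor:product id on the
    allowlist; HID mixed with other classes (the flash-drive-that-types shape)
    is refused regardless, because ids are trivially forgeable."""
    classes = {cls for cls, _, _ in triples}
    if HID in classes and len(classes) > 1:
        return False, "HID combined with other interface classes"
    if dev_id in allowed_ids:
        return True, "vendor:product on allowlist"
    if not classes:
        return False, "no interface descriptors"
    if classes == {MASS_STORAGE}:
        return True, "mass storage only"
    if HID in classes:
        return False, "input device not on allowlist"
    if classes & NETWORK_CLASSES:
        return False, "network adapter not on allowlist"
    return False, "unlisted interface classes %s" % sorted(classes)


def set_default_deny(sysfs="/sys/bus/usb/devices", dry_run=True):
    """Make every root hub leave new devices unconfigured until apply_policy
    authorizes them (writing needs root; dry_run only lists the hubs)."""
    hubs = sorted(e for e in os.listdir(sysfs) if re.fullmatch(r"usb\d+", e))
    if not dry_run:
        for hub in hubs:
            with open(os.path.join(sysfs, hub, "authorized_default"), "w") as f:
                f.write("0")
    return hubs


def apply_policy(sysfs="/sys/bus/usb/devices", allowed_ids=frozenset(), dry_run=True):
    """Decide for every attached device ("1-3" style names; "usbN" hubs and
    "1-3:1.0" interfaces are skipped) and write 0/1 to its 'authorized' file."""
    results = {}
    for entry in sorted(os.listdir(sysfs)):
        if not re.fullmatch(r"\d+-[\d.]+", entry):
            continue
        dev = os.path.join(sysfs, entry)
        try:
            with open(os.path.join(dev, "idVendor")) as f:
                vid = f.read().strip()
            with open(os.path.join(dev, "idProduct")) as f:
                pid = f.read().strip()
            with open(os.path.join(dev, "descriptors"), "rb") as f:
                blob = f.read()
        except OSError:
            continue  # device went away mid-scan
        ok, why = decide(interface_classes(blob), f"{vid}:{pid}", allowed_ids)
        results[entry] = (ok, why)
        if not dry_run:
            with open(os.path.join(dev, "authorized"), "w") as f:
                f.write("1" if ok else "0")
    return results


# --- constructed descriptor blobs so the policy can be exercised offline ------
def _iface(number, cls, sub, proto):
    """One interface descriptor followed by a single bulk IN endpoint."""
    return bytes([9, 4, number, 0, 1, cls, sub, proto, 0]) + bytes([7, 5, 0x80 | (number + 1), 2, 0x40, 0, 0])


def _device(*ifaces):
    """18-byte device descriptor (constructed id 1234:abcd) plus one configuration."""
    body = b"".join(ifaces)
    total = 9 + len(body)
    config = bytes([9, 2, total & 0xFF, total >> 8, len(ifaces), 1, 0, 0x80, 50])
    device = bytes([18, 1, 0x00, 0x02, 0, 0, 0, 64, 0x34, 0x12, 0xCD, 0xAB, 0, 1, 1, 2, 3, 1])
    return device + config + body


PLAIN_FLASH_DRIVE = _device(_iface(0, MASS_STORAGE, 0x06, 0x50))                       # SCSI bulk-only
BADUSB_SHAPED = _device(_iface(0, MASS_STORAGE, 0x06, 0x50), _iface(1, HID, 0x01, 0x01))  # storage + boot keyboard
USB_ETHERNET = _device(_iface(0, CDC_CONTROL, 0x06, 0x00), _iface(1, CDC_DATA, 0x00, 0x00))  # CDC ECM

if __name__ == "__main__":
    for name, blob in [("flash", PLAIN_FLASH_DRIVE), ("badusb", BADUSB_SHAPED), ("ethernet", USB_ETHERNET)]:
        print(name, interface_classes(blob), decide(interface_classes(blob), "1234:abcd"))
    if os.path.isdir("/sys/bus/usb/devices"):  # dry run against the live system, if on Linux
        print(set_default_deny(), apply_policy(allowed_ids={"1234:abcd"}))
```

The decisions are made from the device's own descriptors, so a keyboard that is not on the allowlist stays unconfigured; seed the allowlist with the ids of the keyboards and adapters you actually own before running with dry_run=False, and run the policy from a udev rule or a small daemon so newly attached devices are evaluated as they appear. For a maintained implementation of the same idea, with rule syntax, an audit log and IPC, USBGuard builds on exactly these sysfs attributes.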
 