I don't understand how they're getting it onto the firmware of a USB cable. And if they're getting it on there, why couldn't it be taken off then.
 
At the end of the day, any malware that happens to be on a USB device has to be able to make it into the target computer. The article talks a lot about PCs which, historically, have been quite easy to compromise.

Just suppose I stuck one of these nasty devices in my Mac. OK, it's fiendish, it's an empty gadget. And then its bad firmware kicks into life and tries to persuade my Mac that files are available. That file still has to make it onto my Mac and has to be an executable to do any harm.

I believe OS X's inbuilt defences against malicious files - wherever they come from - would not be circumvented by a gadget like this.

My PC on the other hand...
Unfortunately, but without knowing anything too much in detail, this "virus" will not present itself as a file but rather more gets injected into the core of the system (the I/O layer) and will explicitly be executed "by design". Even worse, it is by design executed in kernel mode. As firmware is basically a driver, the computer MUST load and execute it before it can even access the device on any useful level other than probing.

So, any computer running a specific type of CPU (addressed by the firmware) can be vulnerable, no matter what operating system.
 
#badBIOS

I'm pretty sure @dragosr has been talking about this for a long time now. I think he found something in the wild that he called #badBIOS quite some time ago that uses this style among its attacks.
 
I don't understand how they're getting it onto the firmware of a USB cable.

Does it even have firmware? I think that's just a picture, it's more the USB device that's connected to it that will have the payload.

I wonder if Lightning provides a barrier to this? As it's not a USB protocol at the Apple end?
 
Isn't this attack one of the projects outed by Edward Snowden? Sounds like something that NSA would cook up at least.
 
Yep....

When talking about computer security, restricting physical access to the box is always considered the first line of defense. That's why you put your servers behind a locked door in a special, climate controlled room.

I remember years ago, several of the big employers where I lived had a procedure of gluing all USB ports shut on the user's workstations and banning USB storage devices from being carried on or off the property. Extreme measures? Probably, but also understandable if you work with a lot of classified information -- and shows that USB has been a known vulnerability for quite a while now.



At the end of the day, any malware that happens to be on a USB device has to be able to make it into the target computer. The article talks a lot about PCs which, historically, have been quite easy to compromise.

Just suppose I stuck one of these nasty devices in my Mac. OK, it's fiendish, it's an empty gadget. And then its bad firmware kicks into life and tries to persuade my Mac that files are available. That file still has to make it onto my Mac and has to be an executable to do any harm.

I believe OS X's inbuilt defences against malicious files - wherever they come from - would not be circumvented by a gadget like this.

My PC on the other hand...
 
I don't understand how they're getting it onto the firmware of a USB cable. And if they're getting it on there, why couldn't it be taken off then.

The cable is just wire, and sometimes a resistor; it's not on the cable. It's on the firmware of something like a USB flash drive. This makes it difficult to detect and remove because usually you would figure that if you erase, or reformat, the flash drive then everything is off of it; but with this the malware will stay there. The malware cannot be removed by erasing the flash drive because erasing the drive does not erase the firmware.
 
So, if the firmware is a problem, patch it.

Either that, or everyone stop using USB. Switch to TB.


Either this would have to be physical product purchased *fake* to good genuine, or on existing physical access..

Very few stuff these days rarely used remote access, just you must have control to begin with and or allow access by the OS.

If all that can be bypassed, then beneath the OS ...then, maybe.
 
I don't understand how they're getting it onto the firmware of a USB cable. And if they're getting it on there, why couldn't it be taken off then.

If I understand correctly, it's written into the ROM of the device itself, not rewritable memory -- sort of like how each USB device has a firmware/driver/hardware ID written for it (which you'll be more than familiar with if you use Windows).

So potentially, the device will still work fine, but transmit the virus while using it. Theoretically, it's an entirely plausible prospect. Practically, however, it will be ridiculously difficult, if not impossible, to pull off. I imagine you'd have to be an OEM for a hardware company and have it written in the code somehow. And then dispensing the virus would depend on how many people bought your product.

Then you'd have to figure out how to make it self-propagating. It's not like all USB vendors use a certain firmware base which has an exploitation in it, which can be written to. It's ROM, it's already written. You'd have more luck trying to write to a burnt CD-R.

Yes, if a virus is written into the firmware, it will circumvent all known protective measures. Theoretically. Also theoretically, somebody can write a virus that wipes out every single bank account. Doesn't matter how difficult it is, theoretically where there's computer software, there's some way to eventually hack it. But it won't happen. Getting the USB virus written in there requires some extremely clever skills, and I can't see how the virus could then write to other vendors' firmware. With that in mind, IMHO this is a 'vapourware virus'.
 
It's like saying, every single Mac you buy is infected in the hardware. :eek:

Good god... This is the end.

I guess, much like how BIOS viruses work.
 
It seems to me that so long as you're not using any USB connectors that you didn't buy new yourself it won't be an issue.

Alternately, I think Thunderbolt and Lightning connectors may be the way to go moving forward.
 
Before anyone panics, just remember, almost any device can be hacked/cracked/whatever if someone has physical access to it. The point is to not let people have access to your devices. If a friend is at your house, don't let him plug his devices into your computer. In the business world, some of the companies I have worked for have disabled USB access on networked computers. I remember having to call the help desk just to install a new keyboard.
 
Yea it sounds like in order to do this, you would have to be either a device manufacturer, or somehow able to insert code into the device manufacturer's code copy that they write to each device.

If the firmware isn't rewritable, I don't see how even some hacker would be able to take a store bought USB device and put it on there, it wouldn't be able to be written to. Maybe if you just bought raw parts and had the right equipment to flash your own ROM onto chips. Seems difficult though.
 
If I understand correctly, it's written into the ROM of the device itself, not rewritable memory -- sort of like how each USB device has a firmware/driver/hardware ID written for it (which you'll be more than familiar with if you use Windows).

So potentially, the device will still work fine, but transmit the virus while using it. Theoretically, it's an entirely plausible prospect. Practically, however, it will be ridiculously difficult, if not impossible, to pull off. I imagine you'd have to be an OEM for a hardware company and have it written in the code somehow. And then dispensing the virus would depend on how many people bought your product.

Then you'd have to figure out how to make it self-propagating. It's not like all USB vendors use a certain firmware base which has an exploitation in it, which can be written to. It's ROM, it's already written. You'd have more luck trying to write to a burnt CD-R.

Yes, if a virus is written into the firmware, it will circumvent all known protective measures. Theoretically. Also theoretically, somebody can write a virus that wipes out every single bank account. Doesn't matter how difficult it is, theoretically where there's computer software, there's some way to eventually hack it. But it won't happen. Getting the USB virus written in there requires some extremely clever skills, and I can't see how the virus could then write to other vendors' firmware. With that in mind, IMHO this is a 'vapourware virus'.

Exactly.
This is a "proof of concept" type attack.
You would need to know the device USB controller and be able to install firmware on the device. Devices with upgradeable firmware would be easier but still not easy.

This reminds me of Sony's root kit.
Some OEM might use this to install crapware.
It's not a virus in the true sense of the word because you can't replicate this on any USB device. What it could do though is install another virus or key logger on a system, but we have known you can do that from a USB device for years.

This isn't new news for people that understand USB.
 
Looks more like a proof of a flaw in USB and not an actual security threat. Whenever someone uses the word "infect" so vaguely like that, it's probably not an issue. What, I'm going to accidentally copy virus.exe onto my Mac?

Also, that picture messes with my head. It looks like one of those mythical male-to-male USB cables :D
 
Yea it sounds like in order to do this, you would have to be either a device manufacturer, or somehow able to insert code into the device manufacturer's code copy that they write to each device.

If the firmware isn't rewritable, I don't see how even some hacker would be able to take a store bought USB device and put it on there, it wouldn't be able to be written to. Maybe if you just bought raw parts and had the right equipment to flash your own ROM onto chips. Seems difficult though.

In many cases, the firmware could be burned into ROM chips, but when you talk about peripherals such as printers, flash drives, hard drives, etc., their firmware may need to be updated as bugs are discovered. If their firmware is in ROM, then if your device has a bug, you'll either have to live with it or buy a new device.
I don't think you will be happy if this happens.
 
I superglued my USB and have strictly been using Thunderbolt (and paying 10x) for the last 2 years. I knew it would finally pay off lol. /sar
 