Last Updated on October 11, 2019 by Dave Farquhar
Tomorrow morning on Fox 2: How this USB drive could be worse than the worst malware you’ve ever imagined!
Yes, when a security vulnerability hits TV news, it’s a big deal. It’s probably also sensationalized. And it’s not time to panic yet.This attack actually isn’t new. It’s been theoretically possible for years, and I’m pretty sure I first heard about it in the 2007-2008 timeframe. Some companies and government agencies took precautions against it many years ago.
What is new is that someone proved the concept and is demonstrating it at security conferences in Las Vegas this week. Karsten Nohl and Jakob Lell aren’t fearmongers; they’re legitimate security researchers with outstanding track records. Last year Nohl presented some fantastic research on the terrible security in mobile phone SIM cards, and if he got this kind of attention last year, I completely missed it. I think that was actually the bigger threat, but that’s last year’s news. But do me a favor and instead of panicking over USB, take your phone to the nearest phone store and trade in your SIM card if it’s more than about three year’s old. It’ll cost about 10 bucks and immensely improve your mobile phone’s security, regardless of who made it.
But let’s talk about this year’s news. It’s really a multifaceted problem. USB was designed for ease of use, not security. USB devices contain firmware that harbors information about the device to make it very easy for the computer it’s plugged into to identify it and load a driver. A device can even masquerade as multiple devices. I’ve seen USB sticks that present themselves as both a hard drive and a CD-ROM drive. This facility, at one time, could even allow a device to host its own drivers, though current Windows builds make that impossible now, for security reasons. It’s much better to let the operating system go find a driver off the Internet.
The problem is that only honesty prevents anyone from planting a rogue USB keyboard device that runs commands behind your back inside any other USB device. That’s one of the attacks these researchers are demonstrating.
The other problem is that the USB stacks in operating systems–the code that makes USB work–isn’t all that well protected. This gives USB-hosted malware more options than it ought to have.
And in case you’re wondering, no, your antivirus software isn’t going to see any of this, let alone protect you from it. That’s why some companies do some pretty draconian USB blocking.
So what can you do? Not a lot, but if you’ve ever been the type to buy computer peripherals out of the back of a van parked in an abandoned gas station parking lot on a Saturday afternoon, it’s probably a good idea to stop doing that. Buy reputable peripherals from reputable resellers. That’s not foolproof–the NSA has been backdooring Cisco network gear for years–but if someone’s planting booby-traps in Logitech or Microsoft peripherals, you and I aren’t the target. Not this year, and probably not in five years. Someone who’s willing to go to that expense is going after state or industrial secrets.
That’s the important thing to remember about computer security stories that come out in August. August is when the big hacker conferences in Las Vegas happen, and the stuff that they talk about in Vegas tends to be the kinds of attacks that cloak and dagger operatives use on each other. If I’m a criminal who’s trying to infect my next door neighbor, I’m not going to sabotage the supply chain to do it. There are far more cost effective ways to plant malware on a private individual’s computer. A little bit of poison Javascript on an innocent-looking web page works every time because there’s no practical way to do application whitelisting on a consumer PC yet, and it costs nothing (or next to nothing) to infect a web page. Backdooring Microsoft’s supply chain costs a lot.
But there is a silver lining. Nohl and Lell have recommendations to prevent these attacks. One can only speculate on what they will be, how affordable they will be and how effective they’re going to be because the talk hasn’t happened yet. And with some luck, maybe by the time these types of attacks become practical to carry out on private citizens, there will be adequate defenses in place to block them.
David Farquhar is a computer security professional, entrepreneur, and author. He started his career as a part-time computer technician in 1994, worked his way up to system administrator by 1997, and has specialized in vulnerability management since 2013. He invests in real estate on the side and his hobbies include O gauge trains, baseball cards, and retro computers and video games. A University of Missouri graduate, he holds CISSP and Security+ certifications. He lives in St. Louis with his family.