Posted by Eric Huang on September 11, 2014
A dog walks into a bar, sits down, looks at the menu and says, “Vodka Martini”. The Bartender says, “This is amazing! We don’t get a lot around here like you.” The dog says, “At these prices, I’m not surprised.”
Over the past 6 weeks, I’ve received a huge number of emails (37) regarding security flaws in USB devices.
I ignored all of them.
Until my dad sent me an email with concerns.
The article from Security Research Labs (SRL), called Turning USB Peripherals into BadUSB, can be found here: https://opensource.srlabs.de/projects/badusb
It’s a short fun read.
It says the firmware in USB peripherals can be infected, turn evil, and then steal your data. (It’s all true.)
They demonstrate it with an Android phone later.
Read the rest of the SRL site, and you will never use another electronic device.
SRL clearly identified a real risk. It’s small to negligible, if you take the right precautions.
It points out vulnerabilities in:
Billions of USBs – Sensational articles
It’s not billions.
Well, it is Billions if you believe Billions of people are affected by the Ebola Virus because we might be infected.
What’s even more interesting are the articles sensationalizing the BadUSB idea.
I hate them. All of them. They say “Billions of USB devices affected”.
The coverage is sensationalist garbage of the kind meant to create controversy. Instead of talking about what you can do to stop it as a user, it just raises concerns without fact checking and thought.
At the same time it’s a little right. (At least with regard to phones)
Here’s an example article: http://www.androidauthority.com/badusb-hack-412902/
You will be attacked via the internet in thousands more ways
So let’s look at this with some logic.
For an evil, infected USB device to be useful, two things have to happen:
1) Infection – You need to infect the device/peripheral
2) Retrieval – Get your data back to the Evil Doers
Infection – Keyboards and Mice
This is so absurd, and unsexy, that even the researchers don’t really care.
It would require one of these:
a) You bring your keyboard and mouse around, it gets infected by someone else’s PC, and you bring it home.
b) Someone plugs a random keyboard and mouse into your PC, you decide to use it for a while, and then they take it away.
c) Or the keyboard/mouse is infected at the manufacturer’s factory by the Russian Mafia. In this case, they are getting a whole lot of “a” “s” “d” and “w” sent to them by kids playing video games on their PCs.
Retrieval – Getting your valuable data back to the Russian Mafia
Here are two ways:
1) The Mafia gets the keyboard/mouse back – This is silly.
2) They send it over the internet – Usually requires you to “allow” installation of something on your PC to let this happen. This is possible.
Somehow, the keyboard/mouse installs some software to make your router reroute data to Russia.
Don’t install special software to run your keyboard or mouse. Just use the Windows drivers. If you install special software, just download it from the manufacturer’s website, like Microsoft or whoever built the keyboard/mouse (again, assuming it wasn’t built by the Russian Mafia).
Let’s go to the real risk, USB Flash Drives and Mobile Phones
Infecting USB Drives and Phones
This vulnerability isn’t new. It’s always been there. The new thing is the firmware hack, specifically demonstrated against flash drives with Phison chips.
Preventing problems on USB Flash Drives
USB Flash Drives have always been vulnerable. The USB firmware hack is new. Here’s my thinking: it’s hard to infect these because they are all different. So again, you need to infect them either through bad software on the PC, or by picking one up off the ground or accepting one from a stranger.
1) Don’t install bad software on your PC
2) Don’t pick up and use USB drives off the ground
3) Don’t accept USB drives from strangers.
Data Hygiene is Key – Keep your PC and Phone and Flash Drives Clean
Basically, treat your cheap USB 2.0 drives as disposable when you are using them for transferring data between users. If you are backing up to other USB 3.0 drives or flash drives, make sure you only use these with your one PC.
Preventing problems on Android Phones
1) Don’t install bad software on your phone
2) Don’t pick up and use phones you buy used (or off the ground)
3) Don’t accept Android phones from strangers
Seriously, just be careful what you install after you install Angry Birds. And don’t be plugging your phone into a whole bunch of different computers. And don’t be browsing around to dozens of unknown websites and clicking on stuff on your Android phone.
More likely scenarios
The bigger danger is if you are plugging your phone or flash drive into a lot of different PCs and those PCs somehow overwrite your phone firmware (should be almost impossible) or put a “virus” on your flash drive or phone the normal way (more likely).
Infection through Infected Email or Attachments
– Your best friend sends you an awesome link to a funny video.
– You click on it and get infected.
Infection through Pirated Movies/Videos
– You get, or your awesome college roommate gives you, a flash drive with BitTorrent-pirated episodes of Game of Thrones Season 4.
– You plug it into your PC.
– You copy the files to your PC.
– You infect your PC.
Infection through a Website
– You search for information on home cures for stomach aches.
– You find a site that leads to a pop-up that you try to dismiss.
– You infect your computer.
In all these cases, the infection will also place a Retrieval component. This allows the Russian Mafia to get the data from your infected device.
General Prevention – Same as for your PC.
– Install and update Virus Protection and Internet Security Software.
– Put a Password on your Router. (Don’t use the default password because it could be easily hacked.)
– Install software on your computer, like Norton Security, that prevents you from going to “bad” sites. Pay attention to warnings from Google.
– Only install software from “Trusted” sources. Don’t install a driver from just any site. For example, go to HP and get the right driver from hp.com.
Oh and our customers shipped over 100 million products with USB 3.0
Here’s the link to original BadUSB article
Here’s the presentation (which is really quite interesting) at the Black Hat conference.
And here’s an educator talking about what I call Positive Coaching. She calls it building relationships to teach. To me it’s all the same.