Monday, October 6, 2014

USB Hack - Unfixable? - Once infected, computers and their USB peripherals can never be trusted again


Some time back I pointed to an article, "Can you or your computer detect a compromised USB device? - NO !!!"

So, if you were not careful before, change now !!

This is a follow-up.




(From the article)

Two security researchers, Adam Caudill and Brandon Wilson, have reverse-engineered a popular USB firmware from Taiwanese firm Phison, which powers hundreds of millions of devices. With the right exploit, USBs can become an injection conduit for malicious code—so, a flash drive could emulate a keyboard and issue commands on behalf of the logged-in user, to exfiltrate files or install malware. Such malware, in turn, can infect the controller chips of other USB devices connected to the computer.

The device can also spoof a network card and change the computer’s DNS setting to redirect traffic.


The two are replicating research from SR Labs’ Karsten Nohl, who gave a talk at the Black Hat security conference discussing the exploit, which he dubbed BadUSB. However, given the persistent nature of the issue, he decided not to release it.

“No effective defenses from USB attacks are known,” he said in his information page on the issue.


To make matters worse, cleanup after an incident is nigh impossible.

“Simply reinstalling the operating system – the standard response to otherwise ineradicable malware – does not address BadUSB infections at their root,” Nohl said. “The USB thumb drive, from which the operating system is reinstalled, may already be infected, as may the hardwired webcam or other USB components inside the computer. A BadUSB device may even have replaced the computer’s BIOS – again by emulating a keyboard and unlocking a hidden file on the USB thumb drive.”

In case we missed the point, he added, “Once infected, computers and their USB peripherals can never be trusted again.”


But the decision not to disclose is one that Caudill and Wilson feel is a grand mistake. So now, they’ve thrown the exploit code up on GitHub to bring attention to the issue.

“The belief we have is that all of this should be public. It shouldn’t be held back. So we’re releasing everything we’ve got,” Caudill told the Derbycon audience in Louisville, Ky., last week. “This was largely inspired by the fact that [SR Labs] didn’t release their material. If you’re going to prove that there’s a flaw, you need to release the material so people can defend against it.”

Government agencies and high-end espionage groups are probably already using it, Caudill told WIRED.

The link below has more information:
http://www.infosecurity-magazine.com/news/unfixable-usb-hack-threatens-life/?utm_source=twitterfeed&utm_medium=twitter



Previous Article

http://martin-news-bytes.blogspot.com/2014/08/can-you-or-your-computer-detect.html
