The USB standard has a fundamental security flaw that allows an attacker to take over any computer a compromised USB device is connected to, whether PC or Mac, say security researchers in a frightening piece by Wired.
Describing the proof of concept they plan to present at the Black Hat conference next week, Karsten Nohl and Jakob Lell say the weakness is fundamental to the way in which USB works. Rather than storing malicious files on a USB device, the researchers managed to hack the USB controller chip that enables a USB device to communicate with a computer, changing its firmware. That means absolutely any USB device, from a USB key to a keyboard, can be compromised.
“These problems can’t be patched,” says Nohl, who will join Lell in presenting the research at the Black Hat security conference in Las Vegas. “We’re exploiting the very way that USB is designed.”
“You can give it to your IT security people, they scan it, delete some files, and give it back to you telling you it’s clean, [but] the cleaning process doesn’t even touch the files we’re talking about.”
Unlike most malware, which targets Windows, this exploit allows any USB device to emulate a keyboard or mouse, taking complete control of both PCs and Macs.
As it’s undetectable, the exploit could be silently added to a USB key when it is inserted into a PC, and then infect the next device it’s connected to. There is, say the researchers, no protection at all against the method of attack short of never sharing USB devices – treating them as you’d treat a hypodermic needle: only ever using one you know to be brand new, and not dreaming of allowing anyone else to share it.
Speaking of hypodermic needles… I guess that will give wireless peripherals a real shot in the arm, so to speak.
Your taste in puns is as bad as mine :-)
And ANDY GREENBERG’s
Reblogged this on Taste of Apple and commented:
This is quite troublesome…
The end of the world is nigh. I guess USB X will fix all this, in about a decade. It might even be able to be inserted either way too.
Well,
Apple will then maybe introduce Thunderbolt Sticks for Data,
and switch the Cabling on its wired Keyboard to Lightning or Thunderbolt as well.
And the rest of the Market will copy them & USB will be the next Blackberry! *snicker*
I hope so too, but does Thunderbolt have another flaw the other day (year) too?
This is going to be disproved as chicken-little (sky is falling) horse shit very quickly. I can already spot a number of flawed assumptions and I don’t make my living from security.
Well, first of all, physical access is required to your computer. Since I don’t give physical access to my computer, their concept is already broken. Again, you would need an administrator password to copy anything off from a Mac. If a Mac is turned off and you try and boot from it with a firmware password installed, you would fail again as it will only boot from the main drive. So they can beat their drum all they want, but this is really a low security threat because again physical access is required.
No, you don’t have to. Your device just has to share a USB, which means connecting it to two different devices in its lifetime.
iOS devices ask permission to use DATA on USB, so before USB is granted access to my Device it needs my permission, this was added on an iOS update, so probably OSX can do this too
Really really old news… Almost a year old… Why did you post this?
You’re confusing it with Cottonmouth.
I have to wonder if this can pass from pc to mac as the software to control would be vastly different. The article does not address this issue so I have to wonder how much else is inflated??
While I can see software on a stick controlling a Mac, I think it would be much easier on a PC.
Just wondering.
So, Linux is fine? w00t.