Computer security Stories July 31, 2014

Security researchers say USB security ‘broken,’ can take over Macs or PCs

The USB standard has a fundamental security flaw that allows an attacker to take over any device it is connected to, whether PC or Mac, say security researchers in a frightening piece by Wired.

Describing the proof-of-concept Karsten Nohl and Jakob Lell plan to present at the Black Hat conference next week, they say the weakness is fundamental to the way in which USB works. Rather than storing malicious files on a USB device, the researchers managed to hack the USB controller chip that enables a USB device to communicate with a computer, changing its firmware. That means it can allow absolutely any USB device, from a USB key to a keyboard, to be compromised.

“These problems can’t be patched,” says Nohl, who will join Lell in presenting the research at the Black Hat security conference in Las Vegas. “We’re exploiting the very way that USB is designed.”

“You can give it to your IT security people, they scan it, delete some files, and give it back to you telling you it’s clean, [but] the cleaning process doesn’t even touch the files we’re talking about.”

Unlike most malware, which targets Windows, this exploit allows any USB device to emulate a keyboard or mouse, taking complete control of both PCs and Macs.

As it’s undetectable, the exploit could be silently added to a USB key when it is inserted into a PC, and then infect the next device it’s connected to. There is, say the researchers, no protection at all against the method of attack short of never sharing USB devices – treating them as you’d treat a hypodermic needle: only ever using one you know to be brand new, and not dreaming of allowing anyone else to share it.

Computer security Stories February 26, 2014

In the latest release of its iOS Security document spotted by TechCrunch, Apple offers a number of details about the function and processes of the Touch ID fingerprint recognition system offered on its iPhone 5s. The document describes the Secure Enclave, “a coprocessor fabricated in the Apple A7 chip,” which manages safely matching active fingerprints read by Touch ID against registered fingerprints saved by the user. While much of how Touch ID behaves was revealed last fall when the iPhone 5s was introduced and through experience, the white page does list more specifics than have previously been made available…

expand full story

Powered by WordPress.com VIP