It looks like you're using an Ad Blocker.

Please white-list or disable AboveTopSecret.com in your ad-blocking tool.

Thank you.

 

Some features of ATS will be disabled while you continue to use an ad-blocker.

 

Code to exploit fundamental USB flaw posted on Github

page: 1
8

log in

join
share:

posted on Oct, 3 2014 @ 12:56 PM
link   


Remember that fundamental USB security flaw that a pair of researchers unearthed back in July? You know, the one that allegedly affects every single USB device in the wild for which there is no fix for. While they did publically demonstrate the flaw using a piece of malware they created called BadUSB, the duo elected not to release the code. A couple of other researchers, however, decided to throw caution to the wind by posting code for a similar attack on Github. During the recent Derbycon hacker convention, researchers Adam Caudill and Brandon Wilson revealed that they were also able to reverse engineer the USB firmware that Karsten Nohl and Jakob Lell spoke of a few months ago.

Code to exploit fundamental USB flaw posted on Github



Thought I would bring this article to the attention of ATS considering most of us employ the use of USB devices every day of our life's. The possible ramifications are numerous to say the least.

So what do you think ATS, is it a good or bad idea to make this information(security flaw) public knowledge?
edit on 3-10-2014 by andy06shake because: (no reason given)




posted on Oct, 3 2014 @ 01:40 PM
link   
It's good. It might lead to a few more attacks short term but long term we'll all be better off by knowing about the exploit and developing work arounds, whether that's a USB 4.0 standard or SD cards, or something else. Security through obscurity only makes you think you're more secure, it doesn't solve the actual problem.



posted on Oct, 3 2014 @ 01:46 PM
link   
a reply to: Aazadan

I tend to agree with you, there is no point in hiding the issue. Better to try and address the problem and work towards a solution. All though it's my understanding that the nature of the security exploit precludes any kind of solution.
edit on 3-10-2014 by andy06shake because: (no reason given)



posted on Oct, 3 2014 @ 01:55 PM
link   
a reply to: andy06shake

Knowing there's no solution is a solution in itself. It means people know to be careful of USB devices and instead use other technologies.



posted on Oct, 3 2014 @ 02:09 PM
link   
a reply to: Aazadan

This is also true however using other technologies is rather impractical as things stand. Considering rather significant proportion of our storage mediums never mind a whole host of other peripheral devices employ the use of said USB.
edit on 3-10-2014 by andy06shake because: (no reason given)



posted on Oct, 3 2014 @ 02:15 PM
link   
It's a good thing IMO. The bad guys will obviously take advantage of this, but this will force the good guys to find a solution. And on that point. There's no such thing as "no solution" when it comes to computers. If it can be programmed then it can be "counter-programmed" (for lack of better word).

Which reminds me - I should start working on a solution because the person that finds the answer is going to have more $$$'s than they'll know what to do with...

edit on 3/10/2014 by Gemwolf because: WW



posted on Oct, 3 2014 @ 02:18 PM
link   
a reply to: Gemwolf

"There's no such thing as "no solution" when it comes to computers. If it can be programmed then it can be "counter-programmed"

I agree with that statement also, someone will come up with a solution, I should probably have said "precludes any kind of solution as of yet".

Maybe some kind of third party interface/dongle that circumvents the security issue, like an adapter between the device and the USB port? Means £££ for someone.

edit on 3-10-2014 by andy06shake because: (no reason given)



posted on Oct, 3 2014 @ 02:24 PM
link   
a reply to: andy06shake

USB sticks can be replaced by cloud storage (not that that's the most secure... just depends on who you want to be vulnerable to) or SD cards (most laptops and tablets have an SD slot, internal non usb card readers cost $20), or Compact Flash cards. The vulnerability only applies to USB right?

A keyboard/mouse can use the older ps/2 connections still present on most PC's though using a USB to PS/2 adapter probably isn't a good idea.

You can even get internal hard drives and bays that plug in through one of the large front bays. My old school had that setup in one of the labs for customized machines.

There's many alternatives to USB, they're just not the most popular



posted on Oct, 3 2014 @ 02:30 PM
link   
a reply to: Aazadan

Personally i don't feel the cloud is secure enough or offers the anonymity advertised regarding storage of my own personal data, just my opinion. It's also limited by our internet speed regarding information retrieval. As to the other interfaces listed, technologically speaking, is that not kind of moving backwards? I do employ the use of micro SD cards all the same.

edit on 3-10-2014 by andy06shake because: (no reason given)



posted on Oct, 3 2014 @ 02:38 PM
link   

originally posted by: andy06shake
...
Maybe some kind of third party interface/dongle that circumvents the security issue, like an adapter between the device and the USB port? Means £££ for someone.


See, there's a brilliant solution already! Better go register that idea at the patent office immediately!



posted on Oct, 3 2014 @ 02:39 PM
link   
a reply to: andy06shake

This right here is exactly why it needs released.

From the source article:



Blaze suggested the attack may already be in use by the NSA. Caudill believes that if the only people who can use it are those with significant budgets, manufactures will never do anything about it. Proving to the world that it is practical and anybody can do it puts pressure on manufacturers to fix it, he said.


Anyone remember Snowden's leak on Cottonmouth? The NSA spying tool that resided on a USB periphereal plug?



posted on Oct, 3 2014 @ 02:48 PM
link   
a reply to: Gemwolf

I really don't have a clue as to how patients operate, or how i would go about obtaining one. And my electronic engineering days are somewhat in the past. Tell you what, im not greedy, you patent the idea and bung me 25% future profits, gentleman's agreement?

edit on 3-10-2014 by andy06shake because: (no reason given)



posted on Oct, 3 2014 @ 09:41 PM
link   
The Tree Of Knowledge

Better that everyone know about something like this than just a few.

Disclosure will definitely force change, and when the status quo is widespread vulnerability, change is good.



posted on Oct, 4 2014 @ 01:28 AM
link   
Well that's a git repo Im going to be following.
Thanks



posted on Oct, 4 2014 @ 03:15 PM
link   
It is good to make public so that we can figure out how to fix it. But this is the second major code issue in a while.



posted on Oct, 5 2014 @ 12:30 PM
link   
Please
disregard

edit on 10-5-14 by T3mp0ra1Pri50n3r because: Please disregard



posted on Oct, 6 2014 @ 10:18 PM
link   
I studied IT and was certified CCNA a while back but never went into the industry. One of my instructors was and is to this day the most knowledgeable person I've ever met in regard to the tech industry. He worked for one of the top aerospace corporations in the US at the time. He told us that we should know this; "There is NO secure system anywhere in the world!". If it's connected to the internet or not. If you connect to the internet it is likely that your entire computer has been cloned the first time you connect and just about every time after that. There is technology that exists that is not available in the public realm that can access any device anywhere in the world at any time whether it is plugged in and turned on or not. Even if the battery is removed. It's all just a matter of what information you need to protect and who you need to protect it from. If you don't want anyone to ever have it don't put it on a computer or other electronic device.



posted on Oct, 8 2014 @ 04:02 PM
link   
This flaw, along with proof of concept working code was made known to people in the IT industry many months ago, so that they could fix it.

Guess what they did?

They did the ostrich act, and buried their heads in the sand going 'na na na na not listening!!', because rolling out a fix would be.. Cost prohibitive.

So they decided to force the issue by making it public, and yes, it worked. Manufacturers are releasing fixes and patches. They also complied with all standard practices, that is to make exploits known to the relevant people, and give them time to fix it, before going public.

In this case, its entirely the manufacturers own fault, they were made aware, and chose not to act on it.

There is NO security in obscurity, what they found out, others are also quite capable of finding out and abusing. Would you rather know something is potentially abusable, or just get abused without ever knowing its an issue?




top topics



 
8

log in

join