Sci/Tech Massive, undetectable security flaw found in USB: Time to get your PS/2 keyboard out of the cupboard

tom_mai78101

The Helper Connoisseur / Ex-MineCraft Host
Staff member
Security researchers have found a fundamental flaw that could affect billions of USB devices. This flaw is so serious that, now that it has been revealed, you probably shouldn’t plug a USB device into your computer ever again. There are no known effective defenses against this variety of USB attack, though in the future (months or years, not days) some limited defenses might be possible. This vulnerability, which allows any USB device to take over your computer, mostly exists due to the USB Implementers Forum (the USB standards body) eschewing security in favor of maximizing the versatility, and thus the massively successful adoption, of USB. The USB IF itself notes that your only defense against this new attack vector is to only use USB devices that you 100% trust — but even then, as we’ll outline below, this won’t always protect you.

This flaw, dubbed BadUSB by Security Research Labs in Berlin, leverages the fact that every USB device has a controller chip. Whether it’s your PC, smartphone, external hard drive, or an audio breakout box, there’s a USB controller chip in every device that controls the USB connection to other devices. It turns out, according to SR Labs, that these controllers have firmware that can be reprogrammed to do a whole host of malicious things — and, perhaps most importantly, this reprogramming is almost impossible to detect.

Read more here. (ExtremeTech)
 

Narks

Vastly intelligent whale-like being from the stars
but how do you know that without plugging it in?

as a side-note, does this controller flaw affect all flavors of USB? (1.0, 1.1, 2.0, 3.0, 3.1)?
The point is that if most USBs are immune, most attackers won't bother.
 

Slapshot136

Divide et impera
The point is that if most USBs are immune, most attackers won't bother.
the preferred strat is to drop off a known infected flash drive near the parking lot of an office, so that an employee will see it, pick it up, and plug it into their work PC - and from there wreak havoc - the flash drive can be chosen in advance such that it supports firmware re-writes/hacking

it's similar to wifi cards - most don't support monitor mode, but that doesn't really deter attackers, since they can still get access to those that do what they want
 