[Cryptography] You can't trust any of your hardware

Jerry Leichter leichter at lrw.com
Sun Aug 3 22:28:47 EDT 2014 

On Aug 2, 2014, at 8:54 PM, Nemo <nemo at self-evident.org> wrote:
>> How many USB devices have ever been patched after sale?
> I dunno... How many iPhones are there?
> 
> I own one of these:
> 
> http://worldwide.bose.com/productsupport/en_us/web/bluetooth_headset_series2/page.html
> "Software updates are available"
> 
> Does my USB printer count as a "USB device"?
> 
> I am fairly certain updatable USB devices are the norm, not the
> exception.
In iPhone is not a "USB device".  It's a device that has a USB port.  The same goes for an PC or laptop with a USB port - which is pretty much any PC or laptop built in the last 5, maybe 10, years.

I think it's pretty clear that when people think of a USB device, it's a device that exists solely be be used through its USB port.  Memory sticks are by far the most common such devices, but you can find others as well.  I'd say there's a pretty clear line at the point where the device implements - as far as the user is concerned - only and exactly one of the standard USB profiles.  While these devices *also* tend to implement firmware update mechanisms - in fact, there's even a standard profile for that - this is never documented for end users and hardly anyone has been aware that that additional interface is present.  That's what makes this attack surprising.

An iPhone uses its USB port for ancillary functions - charging, syncing, software updates.  The updates primarily - perhaps exclusively, in the life of the iPhone; it's hard to tell - apply to firmware that has little to do with running the USB port.

The Bose headphone you mention is primarily used through Bluetooth.  A quick look through the documentation indicates that the overwhelming use for the USB port is to charge the device.  Yes, it can also be used to update the device - but again presumably the intended primary updates are to the parts of the firmware that, well, run the headset - not the USB port.

Your printer is an interesting case, and I don't have an answer.

There are few sharp lines here, but there is a very broad, very heavily populated, set of "USB devices" that we commonly look at as having fixed functions based on code that will never be changed.  USB memory sticks are extremely cheap and produced in the hundreds of millions.  No one thinks of them as active devices.  And yet ... they are.  They contain significant processing power running non-trivial code - and that code can be replaced.  That's the big message here.  Yes, obvious in retrospect - but how much have *you* thought about defenses against legitimate memory sticks from major manufactures that have had their standard firmware replaced with attack code?

                                                        -- Jerry

More information about the cryptography mailing list