[Cryptography] You can't trust any of your hardware
Jerry Leichter
leichter at lrw.com
Thu Jul 31 11:46:00 EDT 2014
http://arstechnica.com/security/2014/07/this-thumbdrive-hacks-computers-badusb-exploit-makes-devices-turn-evil/
The full talk/paper don't seem to be available yet, but they (a) figured out how to write malware that attacks a system via something plugged into its USB port (no, it doesn't depend on AUTORUN); (b) flipped that around and figured out how to replace the firmware on a USB device from the host. I wouldn't have thought (b) was possible - after all, how many firmware updates for USB devices have you ever seen? - but I guess it's handy at the end of manufacturing, and gets left open because ... who would ever think of attacking it?
On further reflection, though, I realized that the only thing new here is that they actually went and built a full-cycle virus. All the rest was done a couple of years ago: Apple published an update for its (USB) keyboards - http://support.apple.com/kb/HT4010 - and someone reverse-engineered it and figured out how to upload any code they liked - https://www.blackhat.com/presentations/bh-usa-09/CHEN/BHUSA09-Chen-RevAppleFirm-PAPER.pdf
The fun never ends....
-- Jerry
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20140731/b171420a/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4813 bytes
Desc: not available
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20140731/b171420a/attachment.bin>
More information about the cryptography
mailing list