[Cryptography] You can't trust any of your hardware
Peter Todd
pete at petertodd.org
Thu Jul 31 20:18:01 EDT 2014
On Thu, Jul 31, 2014 at 11:46:00AM -0400, Jerry Leichter wrote:
> http://arstechnica.com/security/2014/07/this-thumbdrive-hacks-computers-badusb-exploit-makes-devices-turn-evil/
> The full talk/paper don't seem to be available yet, but they (a) figured out how to write malware that attacks a system via something plugged into its USB port (no, it doesn't depend on AUTORUN); (b) flipped that around and figured out how to replace the firmware on a USB device from the host. I wouldn't have thought (b) was possible - after all, how many firmware updates for USB devices have you ever seen? - but I guess it's handy at the end of manufacturing, and gets left open because ... who would ever think of attacking it?
That's exactly why it's left open. If you find out after the fact that
you need to reprogram the firmware on a batch of USB devices you'll save
tens of thousands of dollars if you can do it by just plugging the USB
devices into a programmer via the USB port. They'll never bother adding
authentication to that programming backdoor because it's more work; they
don't have any market pressure to do it right because the schematics and
firmware are all closed source secrets.
Meanwhile the NSA can easily get access to schematics and firmware by
buying off employees and hacking into the computers of the people
designing them.
I dunno how to fix this. The best I can come up with is to make more of
these exploits happen - post anonymous bounties to get firmware and
schematics leaked?
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 455 bytes
Desc: Digital signature
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20140801/9392ad18/attachment.sig>
More information about the cryptography
mailing list