Comments
USB Hardware Easily Subverted, Researchers Claim
Threaded  |  Newest First  |  Oldest First
Ashu001
50%
50%
Ashu001,
User Rank: Ninja
7/31/2014 | 4:52:57 PM
Why are there no USB Firewalls yet?
I was reading the Blogpost and Wondering to myself.

Why are their no USB Firewalls yet?

Seems to be a matter of Cost primarily.

The other issue is that if they can hit the BiOS with their attacks ,absolutely anything is possible.

And Hardware Level attacks are much more difficult to erase than just pure Software Hacks.

Lot of Trouble,Looking forwads to this Black Hat Presentation.

Regards

Ashish.
Thomas Claburn
50%
50%
Thomas Claburn,
User Rank: Author
7/31/2014 | 5:14:51 PM
Re: Why are there no USB Firewalls yet?
I wonder what percentage of people insert thumb drives they find somewhere? Just leaving compromised USB sticks in hotels and in bars is probably a very efficient way to create a botnet.
Bhori
50%
50%
Bhori,
User Rank: Ninja
7/31/2014 | 6:29:08 PM
Re: Why are there no USB Firewalls yet?
Amazed that still the USB culture prevails in many organizations where numerous flash drives from Employees, Customers, Vendors and even the visitors and trainees find their way into company PCs. From the article, it seems that currently the only way to cover this risk is to restrict thumb drive use. I wonder how culture can be changed quickly and are there any secure alternatives available.
Bhori
50%
50%
Bhori,
User Rank: Ninja
7/31/2014 | 6:39:42 PM
Re: Why are there no USB Firewalls yet?

The USB-IF spokesperson added that USB specifications support additional security, but equipment makers decide whether to implement these capabilities, which would entail greater cost.  


Seems that security and cost will be added following some high profile breach. But, still that would be the security added at USB owners end rather than the device which will run it.

pcharles09
50%
50%
pcharles09,
User Rank: Moderator
7/31/2014 | 7:57:19 PM
Re: Why are there no USB Firewalls yet?
@Thomas C,

It's more common that you think. I've heard of hackers spraying USB sticks in corporate parking lots. Guess what happens within a day or two: Curious employees plug them in to either see what's on them OR format them to use for themselves. Either way, the botnet gets stronger.
Susan_Nunziata
50%
50%
Susan_Nunziata,
User Rank: Strategist
7/31/2014 | 11:59:40 PM
Re: Why are there no USB Firewalls yet?
@Thomas: most people I know who work outside of tech wouldn't think twice about sticking a USB they found into their computer, espeically if it was one handed out as, say, a promotional item somewhere. Education is sorely lacking on this topic.
David F. Carr
50%
50%
David F. Carr,
User Rank: Author
7/31/2014 | 6:38:48 PM
USBs and the military / intelligence world
The Department of Defense tried imposing an absolute ban on USB removable storage a few years ago but eventually wound up allowing exceptions selectively. USBs were apparently a factor in the Edward Snowden leak scandal as well. One challenge: USB has become the standard interface for connecting all sorts of gadgets to a PC, including keyboard and mouse. Maintaining an absolute ban might make a lot of sense -- except that it's impossible to maintain.
Jeff Jerome
50%
50%
Jeff Jerome,
User Rank: Ninja
7/31/2014 | 10:10:29 PM
Re: USBs and the military / intelligence world
It is hard to imagine that the government would put sanctions on USB thumb drives but that would also need to translate to other USB devices.  It seems almost impossible to "Ban" this type of device, they are everywhere.  However as a security precaution, we may all want to reconsider how we use them and consider technology that would scan that device prior to allowing it down lad anything to your computer.  But if we step back that can also translate to other products as well and other I/O devices. Theoretically you could gain access to a computer via a coded message on a microphone or even IR through a camera, that is attached via a USB cable too.  Lots of theories so little time, unless we cluster.
Thomas Claburn
50%
50%
Thomas Claburn,
User Rank: Author
8/1/2014 | 7:43:43 PM
Re: USBs and the military / intelligence world
well clearly there's something wrong with the way USB devices are set up if they can be reprogrammed to overwrite the operating system or BIOS when inserted.

 

 
Li Tan
50%
50%
Li Tan,
User Rank: Ninja
8/2/2014 | 5:14:25 AM
Re: USBs and the military / intelligence world
This post addressed on black spot. Hardly there is somebody pay attention to USB port. People get used to the convenience of plug and play. They can easily forget about the security issues. Furthermore, there is hardly somebody think about the possibility of hacking via USB port...
CitizenT128
100%
0%
CitizenT128,
User Rank: Apprentice
7/31/2014 | 10:30:21 PM
NOT new!
This is as old as USB itself.  It's just a fact of life.  As long as you control what's plugged into your PC (or any other USB host device), it's not a problem.  I have known about this "threat" for over a decade, and for me- it's a non-issue.  USB devices have to be recognized by the device they're plugged into.  Generic things, like keyboards and mice and mass storage have default drivers (and any device- be it a USB stick, a mouse or just what looks like a plain cable, can be identified by a PC as any of those if the person who programmed it decided to have it be so).  Otherwise your PC is going to ask you to install a driver (which could be the actual malware).  Just pay attention.

If you want something to keep you up at night, consider that every DAY there are between 20K and 30K new pieces of malware released into the wild.  There's no way that Anti-Virus software can keep up with all of that.  The vast majority of those are thrown together with malware kits that don't require any real programming skills.  So those are just variations of existing (and detectable) malware, but there are a few unique pieces of code that are made by very skilled, even gifted programmers.  Some are from governments and other organizations and are very selective in what they target, and what they do once they infect a system.  Those are not a threat to me and you (unless you're a criminal, a terrorist, or someone has an interest in you and your activities and associates).  But some are from criminals, ID thieves targeting you and me and anyone with a bank account, a credit card, or a decent credit score.

Just be careful what you do, what websites you visit- no porn or gambling sites- which are more likely to give you a problem than not.  Don't put USB devices or media (like CDs and DVDs) into your machine unless you know where they're from and where they've been.  Don't open Email unless you know who sent it, and why (and try not to be fooled by spoofed messages).  Turn off your preview pane, so Emails don't get opened without you intentionally acting to open them.  (Yes, just opening or previewing an Email can infect you. So can opening a web page, even unintentionally or very briefly.)  And look at your bank and credit card activity every day or at least a few times a week.  Never pick up a USB stick or an SD card that isn't yours.  If you practice behavior that your Mom would approve, you are less likely to be a victim.

The people who want to hurt you are counting on being able to remain anonymous.  If you stick with who and what you know, behave like an upright citizen, and run some good security software you will probably be okay.  And Linux will not protect you from something pretending to be a keyboard or a mass storage device.
Susan_Nunziata
50%
50%
Susan_Nunziata,
User Rank: Strategist
7/31/2014 | 11:57:31 PM
Re: NOT new!
@CitizenT138: "If you want something to keep you up at night, consider that every DAY there are between 20K and 30K new pieces of malware released into the wild."

Yikes, thanks. Your mission is accomplished.

Your advice is completely sound and about the best that any of can hope for in trying to avoid hackers who are way ahead of most home and business and even enterprise-scale efforts. Research I've seen generally indicated that plain old human error on the part of well-meaning employees is as big a danger to enterprise systems as anything else.

Yet most companies do very little to educate their employees about safe practices when it comes to using hardward and software (and clicking on those links!).

 
quantm
50%
50%
quantm,
User Rank: Apprentice
8/1/2014 | 2:55:32 PM
Re: NOT new!
Thank you for pointing out how this is not new, not even remotely new. It blows my mind that it is the topic of a BlackHat talk. I think next year I will submit a talk about the dangers of DNS Poisoning or maybe DDOS attacks.
asksqn
50%
50%
asksqn,
User Rank: Ninja
8/1/2014 | 12:03:54 PM
Place Your Bets!
And still USB has its entire line of peripherals available for purchase with nary a warning at all.  I should start a pool to take bets as to how long before news hits the intenet detailing the big trainwreck data breach/network hijacking event most likely coming from some low level government employee.  Of course it goes without saying it will be American citizens who will suffer since the feds don't give too much of a crap about securing personally identifying information.
X3N0N
50%
50%
X3N0N,
User Rank: Apprentice
8/4/2014 | 12:32:55 PM
data theft via USB
In my opinion, data theft via USB has become an everyday job, but unfortunately are often the attentive users (data theft via USB) don't agree. Especially in personal computers make it easy for data theft.


The Business of Going Digital
The Business of Going Digital
Digital business isn't about changing code; it's about changing what legacy sales, distribution, customer service, and product groups do in the new digital age. It's about bringing big data analytics, mobile, social, marketing automation, cloud computing, and the app economy together to launch new products and services. We're seeing new titles in this digital revolution, new responsibilities, new business models, and major shifts in technology spending.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Tech Digest September 23, 2014
Intrigued by the concept of a converged infrastructure but worry you lack the expertise to DIY? Dell, HP, IBM, VMware, and other vendors want to help.
Flash Poll
Video
Slideshows
Twitter Feed
InformationWeek Radio
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.