Why the Security of USB Is Fundamentally Broken
Andy Greenberg
Computer users pass around USB sticks like silicon business cards. Although we know they often carry malware infections, we depend on antivirus scans and the occasional reformatting to keep our thumbdrives from becoming the carrier for the next digital epidemic. But the security problems with USB devices run deeper than you think: Their risk isn’t just in what they carry, it’s built into the core of how they work. Without thoroughly checking a USB before inserting it into a computer, various issues could arise. Data could stolen, files could be corrupted and so much more. Of course, corrupted computers and files can use ssd data recovery to try and recover information but it’s not always guaranteed to work if you don’t know what’s corrupted them in the first place.
That’s the takeaway from findings security researchers Karsten Nohl and Jakob Lell plan to present next week, demonstrating a collection of proof-of-concept malicious software that highlights how the security of USB devices has long been fundamentally broken. The malware they created, called BadUSB, can be installed on a USB device to completely take over a PC, invisibly alter files installed from the memory stick, or even redirect the user’s internet traffic. Because BadUSB resides not in the flash memory storage of USB devices, but in the firmware that controls their basic functions, the attack code can remain hidden long after the contents of the device’s memory would appear to the average user to be deleted. And the two researchers say there’s no easy fix: The kind of compromise they’re demonstrating is nearly impossible to counter without banning the sharing of USB devices or filling your port with superglue.
“These problems can’t be patched,” says Nohl, who will join Lell in presenting the research at the Black Hat security conference in Las Vegas. “We’re exploiting the very way that USB is designed.”
‘In this new way of thinking, you have to consider a USB infected and throw it away as soon as it touches a non-trusted computer.’
Nohl and Lell, researchers for the security consultancy SR Labs, are hardly the first to point out that USB devices can store and spread malware. But the two hackers didn’t merely copy their own custom-coded infections into USB devices’ memory. They spent months reverse engineering the firmware that runs the basic communication functions of USB devices-the controller chips that allow the devices to communicate with a PC and let users move files on and off of them. Their central finding is that USB firmware, which exists in varying forms in all USB devices, can be reprogrammed to hide attack code. “You can give it to your IT security people, they scan it, delete some files, and give it back to you telling you it’s ‘clean,'” says Nohl. But unless the IT guy has the reverse engineering skills to find and analyze that firmware, “the cleaning process doesn’t even touch the files we’re talking about.”
The problem isn’t limited to thumb drives. All manner of USB devices from keyboards and mice to smartphones have firmware that can be reprogrammed-in addition to USB memory sticks, Nohl and Lell say they’ve also tested their attack on an Android handset plugged into a PC. And once a BadUSB-infected device is connected to a computer, Nohl and Lell describe a grab bag of evil tricks it can play. It can, for example, replace software being installed with with a corrupted or backdoored version. It can even impersonate a USB keyboard to suddenly start typing commands. “It can do whatever you can do with a keyboard, which is basically everything a computer does,” says Nohl.
The malware can silently hijack internet traffic too, changing a computer’s DNS settings to siphon traffic to any servers it pleases. Or if the code is planted on a phone or another device with an internet connection, it can act as a man-in-the-middle, secretly spying on communications as it relays them from the victim’s machine.
Most of us learned long ago not to run executable files from sketchy USB sticks. But old-fashioned USB hygiene can’t stop this newer flavor of infection: Even if users are aware of the potential for attacks, ensuring that their USB’s firmware hasn’t been tampered with is nearly impossible. The devices don’t have a restriction known as “code-signing,” a countermeasure that would make sure any new code added to the device has the unforgeable cryptographic signature of its manufacturer. There’s not even any trusted USB firmware to compare the code against.
The element of Nohl and Lell’s research that elevates it above the average theoretical threat is the notion that the infection can travel both from computer to USB and vice versa. Any time a USB stick is plugged into a computer, its firmware could be reprogrammed by malware on that PC, with no easy way for the USB device’s owner to detect it. And likewise, any USB device could silently infect a user’s computer. “It goes both ways,” Nohl says. “Nobody can trust anybody.”
But BadUSB’s ability to spread undetectably from USB to PC and back raises questions about whether it’s possible to use USB devices securely at all. “We’ve all known if that you give me access to your USB port, I can do bad things to your computer,” says University of Pennsylvania computer science professor Matt Blaze. “What this appears to demonstrate is that it’s also possible to go the other direction, which suggests the threat of compromised USB devices is a very serious practical problem.”
Blaze speculates that the USB attack may in fact already be common practice for the NSA. He points to a spying device known as Cottonmouth, revealed earlier this year in the leaks of Edward Snowden. The device, which hid in a USB peripheral plug, was advertised in a collection of NSA internal documents as surreptitiously installing malware on a target’s machine. The exact mechanism for that USB attack wasn’t described. “I wouldn’t be surprised if some of the things [Nohl and Lell] discovered are what we heard about in the NSA catalogue.”
The alternative is to treat USB devices like hypodermic needles.
Nohl says he and Lell reached out to a Taiwanese USB device maker, whom he declines to name, and warned the company about their BadUSB research. Over a series of emails, the company repeatedly denied that the attack was possible. When WIRED contacted the USB Implementers Forum, a nonprofit corporation that oversees the USB standard, spokeswoman Liz Nardozza responded in a statement. “Consumers should always ensure their devices are from a trusted source and that only trusted sources interact with their devices,” she wrote. “Consumers safeguard their personal belongings and the same effort should be applied to protect themselves when it comes to technology.
Nohl agrees: The short-term solution to BadUSB isn’t a technical patch so much as a fundamental change in how we use USB gadgets. To avoid the attack, all you have to do is not connect your USB device to computers you don’t own or don’t have good reason to trust-and don’t plug untrusted USB devices into your own computer. But Nohl admits that makes the convenient slices of storage we all carry in our pockets, among many other devices, significantly less useful. “In this new way of thinking, you can’t trust a USB just because its storage doesn’t contain a virus. Trust must come from the fact that no one malicious has ever touched it,” says Nohl. “You have to consider a USB infected and throw it away as soon as it touches a non-trusted computer. And that’s incompatible with how we use USB devices right now.”
The two researchers haven’t yet decided just which of their BadUSB device attacks they’ll release at Black Hat, if any. Nohl says he worries that the malicious firmware for USB sticks could quickly spread. On the other hand, he says users need to be aware of the risks. Some companies could change their USB policies, for instance, to only use a certain manufacturer’s USB devices and insist that the vendor implement code-signing protections on their gadgets.
Implementing that new security model will first require convincing device makers that the threat is real. Just as server hosts have grown to adopt options after accepting the threat shown to be countered in a seedboxescc review, this is the major first step. The alternative, Nohl says, is to treat USB devices like hypodermic needles that can’t be shared among users-a model that sows suspicion and largely defeats the devices’ purpose. “Perhaps you remember once when you’ve connected some USB device to your computer from someone you don’t completely trust,” says Nohl. “That means you can’t trust your computer anymore. This is a threat on a layer that’s invisible. It’s a terrible kind of paranoia.”
Apple reportedly paying internet providers to ensure speedy delivery of its data
Ben Popper
Apple has apparently turned on its new content-delivery network, and is reportedly paying Comcast and other big ISPs to move hardware into their data center and build direct interconnects to their networks. This is the exact same evolution that Netflix has been going through, building out its own CDN and agreeing to pay ISPs for interconnection. The major difference is that Netflix has loudly opposed the fact that ISPs can charge a fee for this arrangement, while Apple has stayed mum on the issue.
Content delivery networks (CDNs) are intended to speed up the delivery of data to customers by placing servers in locations around the country. That way when I request data in New York, it can ping a nearby Apple server. Apple has traditionally relied on third-party CDNs like Akami and Limelight, but has decided it can do much of that work for less money by working directly with ISPs.
According to Dan Rayburn, the analyst who broke the news: “With Apple planning to release the beta version of their next desktop OS today, Yosemite (10.10), and with iOS 8 expected to come out this fall, Apple’s putting in place a lot of capacity to support upcoming software releases. Apple is still using Akamai and Level 3?s CDN services for iTunes (Akamai), Radio (Level 3) and app downloads, but over time, much of that traffic will be brought over to Apple’s CDN.”
The FCC has said it is looking into the business deals that govern paid interconnections, but so far has not classified this issue as part of net neutrality, as Netflix would like. A paid interconnection is not the same thing as an “internet fast lane”, which privileges certain bits over others on the ISPs network. If paid interconnects becomes the norm, however, they could begin to have the same effect, with companies who can afford them delivering their data to consumers faster and more reliably than those who don’t.
Big companies like Facebook and Google joined Netflix in criticizing ISPs ability to charge for interconnection, but they did so through a trade organization, and have not publicly attacked the practice the way Netflix has. A big tech giant like Apple agreeing to pay ISPs, and not complaining about it, is probably a bad sign for Netflix’s push to reform the way this market operates.
RadioShack’s days are numbered
Chris Isidore @CNNMoney
.
The chain of 4,000 stores has just $62 million in cash left – a figure that is rapidly approaching zero. Things are so dire that it actually doesn’t have enough money to close the 1,100 locations management says it needs to shutter.
Investors, credit rating agencies and the company”s lenders seem to be in agreement that RadioShack’s days are numbered.
Even the company’s own Super Bowl ad mocked its stores for being decades out of date.
“They have been irrelevant for a long time,” said Robin Lewis, CEO of The Robin Report, a retail strategy newsletter. “If they’re not the sickest patient in ICU, they’re minutes away from being rolled in.”
Related: Most endangered brands
Last month research firm B. Riley & Co. made the unusual move of cutting its price target for RadioShack (RSH) shares from $1 a share — to $0. Shares of RadioShack (RSH) , hit a record low of 62 cents Thursday after Moody’s said it expects RadioShack to run out cash by Fall of 2015.
“A significant turnaround has to happen for them to survive. But we haven’t seen any evidence of a turnaround yet,” Moody’s analyst Mickey Chadha told CNNMoney. Moody’s now has RadioShack debt only two short steps above a default rating. And it will probably be cut further.
Related: Autopsy of America – Photos of dead shopping malls
In March the chain announced plans to close over 1,000 stores, about one out of every five. But its lenders refused to give RadioShack the cash it needed to do so on terms the chain could afford, so instead it announced plans to close only 200 stores.
That’s forcing the company to burn cash even more quickly.
“That 1,100 store closing plan was in essence saying they don’t have the capital to manage 4,000-plus stores,” said Chadha. “But the lenders are taking a dim view of the turnaround themselves and positioning themselves for liquidation.”
Can RadioShack survive?
The company’s huge network of stores has done little to help it hold off competition from Amazon (AMZN, Tech30) and other online retailers.
The company now depends on smartphones and tablets for more than half its sales. That’s a competitive, low-margin business, said Chadha. And each smartphone sale hurts RadioShack’s chance to sell its higher-margin products, such as digital cameras and GPS systems..
Company officials did not respond to a request for comment about Moody’s outlook or its cash problems.
Why chefs love to hate Yelp
Chris Schodt
Having your livelihood dependent on the goodwill of a group of anonymous strangers is enough to give anyone a complex. In this piece for San Francisco Magazine, a group of chefs explain their broken relationship to Yelp and the legions of reviewers who control whether their businesses live or die. While Yelp can help people find new restaurants (or can help a city track food poisoning), chefs obsess over reviews and many wish the service didn’t exist at all. “If two or three days go by and business sucks, I’ll go, ‘Shit, I got a bad review on Yelp.'” says Jeff Mason, the owner of a sandwich shop in San Francisco. The anonymous system, the lack of control on fake reviews, and the difficulty engaging with reviewer has put restaurateurs in a codependent relationship with a service they both loathe and need.
Intelligent Time Management App ‘Timeful’ Launches on iOS
Juli Clover
Timeful, described as “the first intelligent time manager” for mobile devices, is a new iOS app designed to help users manage their lives by combining a time management app with a calendar, a to-do list, and habits. Timeful aims to provide a personalized experience that encourages people to commit to various self-improvement activities and complete goals.
The app connects to the calendar on an iOS device, importing already existing events into a daily view that includes all tasks that must be completed. It also incorporates to-do functionality, allowing users to create tasks and file them under separate colored headings like Personal, Work, Fun, and, Important. To-do tasks can be scheduled for “Today,” “Tomorrow,” “Someday in the next 7 days,” or on a specific date.
Specific calendar events can be scheduled in much the same way, entering the task and selecting a time. One major negative of Timeful in comparison to other calendar apps is the fact that it doesn’t accept conversational input, meaning users have to manually select times and dates for calendar events.
Along with accepting calendar and to-do input, Timeful also includes a “Habits” feature that sets it apart from other time management and task apps. With Habits, users can enter frequently repeated tasks such as “Take a Walk,” selecting preferred days and times to perform the tasks, which Timeful will then work into a busy schedule. Events and habits show up directly on the calendar at scheduled times, while to-dos are listed at the top and can be completed at any time during the day.
As users complete tasks and fulfill habits, Timeful will learn more about a person’s habits, figuring out the optimal time to present each task for completion.
Timeful combines your calendars and to-do lists so you can see everything that’s competing for your time in one place. It uses sophisticated algorithms and behavioral science to suggest – based on your own available time and location – the best times to schedule to-dos and good habits throughout your day.
Spaceflight to launch network for communicating with tiny satellites
Signe Brewster
So, you built your shoebox-sized satellite. You found a spot on a rocket and got it to the International Space Station, where astronauts then released it into Earth’s orbit. Now you need to communicate with it. How?
The answer has been a headache for space startups, which, like any small company, don’t necessarily have the resources to build a huge amount of communications infrastructure from scratch. Some go ahead and do it. Others, like Southern Stars, find a partner with existing resources.
Spaceflight, which has been booking space for small satellites on rockets since early 2013, believes there is room for another option: a global network for communicating with satellites that anyone can buy time on, bringing down the cost for big and small satellite companies.
“Just as computers used to be mainframes and then it was the PC and now it’s tablets and smartphones with billions of different nodes on a network, that’s kind of the same paradigm in space,” Spaceflight president Curt Blake said in an interview. “The size of spacecraft has really fallen and the cost to make a spacecraft has fallen as well. Now is the time when a ground network at a lower cost makes sense.”
Blake said it currently costs a small satellite company $400 to $500 each time its satellite makes contact with a ground station. That may happen multiple times a day as it circles the globe and crosses over different stations. And the model for companies like Planet Labs and Spire (formerly known as Nanosatisfi) is to put dozens, and potentially hundreds, of satellites in space at a time. That adds up.
Spaceflight said its network will cost between $3,000 and $50,000 a month depending on the type of antenna used. Companies can also pay by the minute, with rates ranging from $1.95 to $19.95 per minute.
Spaceflight’s network will come online in early 2015, and the first station will be located in Washington. It will add more stations every year until 2017, at which point it will have locations on six continents.
In the meantime, the company will keep sending small satellites into space. It has coordinated the launch of 76 so far from companies like Planet Labs, Southern Stars and universities.
“I think you’ll see lots of different applications out there that are spawned. Having something up in space is great, but if you don’t have a ground network to communicate what you’re doing, it’s not worth anything,” Blake said. “Most of us are down here.”