Saturday, August 2, 2014

Why the Security of USB Is Fundamentally Broken

Computer users pass around USB sticks like silicon business cards. Although we know they often carry malware infections, we depend on antivirus scans and the occasional reformatting to keep our thumbdrives from becoming the carrier for the next digital epidemic. But the security problems with USB devices run deeper than you think: Their risk isn’t just in what they carry, it’s built into the core of how they work.

6 comments:

Anonymous said...

It's like what they used to say about promiscuous sex - "when you have sex with someone, you're having sex with everyone they ever had sex with". The advent of AIDS gave (or rather SHOULD HAVE GIVEN) monogamy a whole new motivation.

In the days before virus checkers became so ubiquitous, it was said that when you shared files with someone, you shared files with everyone they ever shared files with. So now it's USB drives. Same principle. Never share files via USB. There are other, more secure ways. Ways that AREN'T able to get past AV software.

What did Solomon say about "nothing new under the sun"?

Ed said...

"....unless the IT guy has the reverse engineering skills to find and analyze that firmware".

Those that do, do not usually proclaim it to the world.

Anonymous said...

Sounds like the perfect set-up to get someone busted for child porn when going through customs. We've seen that with Tor e-mail but this is far more devious. With the e-mail you could spot the unknown address of the sender; with this you'd have no idea where an outside source has directed your internet.

Paul X said...

All the manufacturers need to do is provide an app to read the firmware checksum, and the md5sum or sha256sum for each firmware release. Then people could check whether the firmware has been fiddled with and throw away the ones that are suspect.

Also, keep in mind every manufacturer of every device has different ways to load firmware. Some may even require physical access to the chip to do it - for example, grounding a "load" signal. So the job of "turning" a flash drive might be a little more difficult than this article suggests.

Paul X said...

Now that I read the article comments, I am less worried. The problem is with devices that are field-programmable (that need firmware upgrades). Things like flash drives generally are high volume, low profit per piece, which means the firmware is hard coded into the device and cannot be changed. The cheaper the device, the safer you are. Keyboards and mice and USB hard drives might be a bit more worrisome than flash drives. But, I think the router remains the most vulnerable component in every home system (and really needs looking at).

I did one or two field-programmable chip designs years ago. Back then there was no security and the chip was reloaded during every boot. It was not a home computer but a very expensive device. The mass market is much different.

Anonymous said...

Years ago fighters were told to turn their side towards the enemy thereby reducing their exposure to fire. Nowadays our guys adopt a frontal posture to take fire on their ceramic plates and reduce exposure to their relatively unprotected sides.

The key is to understand your adversary's abilities and your own vulnerabilities and take appropriate steps to reduce your exposure.

Why would cyber warfare be any different?

My biggest struggle ever with computer malware involved the floppies that my kids were required to carry back and forth to school.