Stories
Slash Boxes
Comments

SoylentNews is people

posted by janrinok on Friday August 01 2014, @01:16AM   Printer-friendly
from the physical-access-often-defeats-security-measures dept.

ArsTechnica reports on the rise of BadUSB:

White-hat hackers have devised an exploit that transforms USB devices (keyboards, Web cams, etc.) into highly programmable attack platforms that can't be detected by today's defences.

Dubbed BadUSB, the hack reprograms embedded firmware to give USB devices new, covert capabilities. In a demonstration scheduled at next week's Black Hat security conference in Las Vegas, a USB drive, for instance, will take on the ability to act as a keyboard that surreptitiously types malicious commands into attached computers. A different drive will similarly be reprogrammed to act as a network card that causes connected computers to connect to malicious sites impersonating Google, Facebook or other trusted destinations.

Karsten Nohl, chief scientist at Security Research Labs in Berlin, said:

... there are few ways ordinary people can protect themselves against BadUSB attacks short of limiting the devices that get attached to a computer to those that have remained in the physical possession of a trusted party at all times. The problem, he said, is that USB devices were never designed to prevent the types of exploits his team devised.

This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 1) by anubi on Friday August 01 2014, @01:44AM

    by anubi (2828) on Friday August 01 2014, @01:44AM (#76200) Journal

    I had been concerned about the security of USB devices since I bought an "off the shelf" USB memory-chip reader, it proceeded to "install drivers", then I had to clean out all the mess it installed. Once I plugged the USB device in, it took over and put some sort of malware in my machine.

    I note even when a co-worker gives me a USB stick and tells me it contains the file I asked of him, when I plug it in to my machine, first thing it wants is to "install drivers".

    I never remember having to "install drivers" to read a file off a floppy disk. I just had to concern myself with executables and all the newfangled programs that masqueraded as data but contained executable scripts.

    All this legislation from Washington for "protection" of intellectual property is sure having a lot of unintended consequences in us not being able to control what we feed our machines. I only wish there was some way to convince our Congressmen to attach a significant liability rider to the next go-around of copyright enforcement law - what I am asking for is I grant them the right to run proprietary secret code on my machine provided they accept full responsibility for its behaviour - no different than I will grant McDonalds to garnish my burger with "secret-sauce", but if I get sick on it, they foot the doctor bill.

    --
    "Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
    • (Score: 3, Insightful) by kaszz on Friday August 01 2014, @01:48AM

      by kaszz (4211) on Friday August 01 2014, @01:48AM (#76201) Journal

      Washington only gives a shit about voter cattle and lobbyists. Besides that, being able to spy on the voter cattle (and by extension control) is a benefit..

    • (Score: 2, Informative) by Anonymous Coward on Friday August 01 2014, @02:19AM

      by Anonymous Coward on Friday August 01 2014, @02:19AM (#76208)

      > I had been concerned about the security of USB devices since I bought an "off the shelf" USB memory-chip
      > reader, it proceeded to "install drivers", then I had to clean out all the mess it installed.

      Those "drivers" all came from your PC not from the USB device itself.

      This hack is about reprogramming the microcontroller on the USB stick to also present as a keyboard. But the keyboard driver will come from the host operating system, not the USB stick.

      Note that the PS3 was finally 100% jailbroken via an even more low-level hack, one that didn't rely on drivers.
      Basically the PS3 crack worked by having a USB device that created malformed USB protocol packets and the PS3 firmware did not error check those packets, leading to a buffer overrun that could be exploited to run code with full privileges.

      • (Score: 2, Informative) by mgcarley on Saturday August 02 2014, @05:33PM

        by mgcarley (2753) on Saturday August 02 2014, @05:33PM (#76745) Homepage

        That's not entirely true - your average EV-DO/3G/LTE stick (widely used developing countries where the wired services are more crap than the wireless services) usually has a small partition on it containing drivers & software which it will try to automatically install - and those devices are often made by all sorts of "trustworthy" companies.

        --
        Founder & COO, Hayai. We're in India (hayai.in) & the USA (hayaibroadband.com) // Twitter: @mgcarley
    • (Score: 2) by frojack on Friday August 01 2014, @02:51AM

      by frojack (1554) on Friday August 01 2014, @02:51AM (#76218) Journal

      The installation of drivers is mostly just spew from Microsoft's generic device handlers. Its really matching the device to generic windows drivers.

      But you are right, its disconcerting, and unnecessary. And Joe user is never actually sure exactly what the hell is going on. And a devious exploit would be programmed to act in exactly that same way.

      I always plug in new thumb drives into Linux first, sometimes I format new thumb drives via Linux before I use them.
      And I prefer to get files over the network where I can scan them before I put them on my machine. USB net is just the modern equivalent of sneaker net. Just a little more dangerous.

      --
      No, you are mistaken. I've always had this sig.
      • (Score: 3, Insightful) by kaszz on Friday August 01 2014, @01:33PM

        by kaszz (4211) on Friday August 01 2014, @01:33PM (#76366) Journal

        Sorry, Linux/BSD is not immune against this attack vector.

      • (Score: 2) by urza9814 on Friday August 01 2014, @02:49PM

        by urza9814 (3954) on Friday August 01 2014, @02:49PM (#76399) Journal

        I always plug in new thumb drives into Linux first, sometimes I format new thumb drives via Linux before I use them.

        Unfortunately, neither of those will do anything to prevent this particular attack...

    • (Score: 2) by aristarchus on Friday August 01 2014, @03:36AM

      by aristarchus (2645) on Friday August 01 2014, @03:36AM (#76233) Journal

      It wants to do what? As soon as you stick it in? That is just rude! No chance you are running MicroSoft Windows with autoplay enabled, is there? I know a solution to your problem, it's an operating system, maybe you've heard of - - ouch! What the heck? USB devices are biting me! Get down! Eject! Just stop it! Where's my drilling hammer?

    • (Score: 1) by Hairyfeet on Friday August 01 2014, @10:44AM

      by Hairyfeet (75) <{bassbeast1968} {at} {gmail.com}> on Friday August 01 2014, @10:44AM (#76317) Journal

      What OS are you running? Because the last version of Windows I saw that required drivers for a USB stick was Win2K. When Vista/7/8 says "installing drivers" it really means "recalling the HID driver from the Windows driver cache and assigning it to this device" it doesn't mean its actually installing any foreign drivers from anywhere.

      The only hardware I see Windows actually need a real driver for when it comes to USB is 1.- Hardware that takes over a major function, such as capture cards and wireless network sticks and 2.- Cellphones. And the latter is because the OEMs can't seem to decide by default how a phone should be treated. Some treat it as a removable drive, some treat it as an PMP MTP device like MP3 players, and Samsung which said "fuck it it'll be BOTH a removable drive AND a PMP at the same time!"...can't blame USB for that, its the shitty OEMs doing that.

      --
      ACs are never seen so don't bother. Always ready to show SJWs for the racists they are.
      • (Score: 4, Informative) by Jaruzel on Friday August 01 2014, @11:56AM

        by Jaruzel (812) on Friday August 01 2014, @11:56AM (#76334) Homepage Journal

        Some drives that support encryption come with a fake read-only CD device also inside them [1], that has Autoplay files on it, and causes Windows to try and install the 'drivers' to make the encryption work. if you don't need encryption then this can be ignored/canceled, but it'll bug you every time you insert it.

        Do what the sensible people do (no, not install Linux ;) ) - Go to [classic] Control Panel, Click on Autoplay - and untick 'use Autoplay for all media and Devices'... One less open door for malware to wander in via.

        If you then want a device to Autoplay, you can always just right click on it in File Explorer and select the appropriate option.

        -Jar

        [1] Also a lot of USB 3G Dongles do this too.

        --
        This is my opinion, there are many others, but this one is mine.
      • (Score: 1) by anubi on Friday August 01 2014, @12:23PM

        by anubi (2828) on Friday August 01 2014, @12:23PM (#76340) Journal

        Thanks... Win7.... of course autoplay disabled.

        I do have some things like you said that are so unique I expect to have to load a driver: A PICO USB Oscilloscope and I have a USB based OBDII automotive scan tool ( ELM 327 ). And believe me if either of those companies betray my trust and put malware in their driver - the market for their stuff is so limited that all it takes is some customer having a demonstrable proof of it to kill the sales of the product. However both have been exemplary in their performance.

        There are some things, like you said about USB sticks, webcams, mice, keyboards, whatever, that they should be so generic that forcing a driver to install should ( and for me, it did ) arouse much suspicion... much like some waiter wanting my mother's maiden name to settle a credit card charge.

        I know just enough about assembly code to realize just what one can do with it. I was an ardent follow of "Fravia" back in the day, and had run across a few people with extraordinary talent on how to subvert machines ( I am just glad they did not work for any TLA's, but then the chance of that happening was pretty slim as I know there would have been personality conflicts big time with the managers ).

        So, having seen what can be done, how few instructions need to be changed to open up a back door, and the tremendous incentives out there for the creation of botnets, I am very apprehensive on the net, as I also use the net for purchasing stuff now and then. I value my system's integrity so much not because I am trying to keep private my stash or porn or anything, rather there is my personal information where my reputation can be burned for a one-time benefit for someone else. At my expense.

        --
        "Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
        • (Score: 3, Insightful) by kaszz on Friday August 01 2014, @01:38PM

          by kaszz (4211) on Friday August 01 2014, @01:38PM (#76368) Journal

          NSA and criminal gangs don't care if they burn the reputation for a company. As long as they get their desired outcome. Ie threat of reputation is no guarantee.

          And USB devices doesn't need to require a driver to hack the computer they are connected to.

  • (Score: 4, Insightful) by kaszz on Friday August 01 2014, @02:06AM

    by kaszz (4211) on Friday August 01 2014, @02:06AM (#76203) Journal

    If your computer has unauthorized or for that matter any user that can get access to USB devices. They can also make them do things you didn't thought of. Like a normal user being able to make a connected USB device to act as a bridge as a HID keyboard.. which happens to automatically be considered as a console keyboard = your computer is controlled by someone else (pw0n3d!). The real nasty bit about this is that after you make a full reinstall and clean out the machine. The USB device can easily re-insert a backdoor. So with USB you don't have security but rather device liability.

    Just another nail in the USB coffin as a really bad idea!

    To be effective about this. Any CPU or for that matter sequence able state machine that has an internal connection can hide and screw your security. This may be PCI, Firewire, USB, LPC, SMbus etc. So have a look (think) where all CPUs with rewritable firmware are and have strategies to keep them under your control. And one-time-programmable (OTP) devices from manufacturers may also by default contain evil code. A quick list is keyboard MCU, mouse MCU, network chips, harddisks, controller cards, fan controllers etc. It was easier earlier on because only the keyboard and the motherboard had a CPU.

    ** So any CPU connected to a bus that lacks access control is a liability. **

    • (Score: 0) by Anonymous Coward on Friday August 01 2014, @02:25AM

      by Anonymous Coward on Friday August 01 2014, @02:25AM (#76210)

      One thing OS maintainers could do is to limit the number of simultaneous HIDs. One keyboard and one mouse, any others that show up cause a big massive warning to pop-up and do not even start to initialize the new device.

      That won't protect you against booting up and getting the fake keyboard first nor will it protect you from USB protocol level hacks. But it would be an incremental improvement over current practice.

    • (Score: 1) by frojack on Friday August 01 2014, @03:02AM

      by frojack (1554) on Friday August 01 2014, @03:02AM (#76223) Journal

      Was there one proper sentence in your first paragraph Kaszz?

      I'm sure you had a point, but it was lost in the fragments of your cluster-bomb.

      Remember this was a proof of concept, and there is no guarantee this will work on just any random device. And even if it does successfully survive a boot, and continue to live in the keyboard, there is still no reliable way it can know what the machine is actually doing. It may inject its nefarious commands onto the USB bus an inappropriate times. You would have to know precisely the proper times to trigger your exploit, but USB devices can't know what the machine is expecting. Its a "just so" situation, which will only work if you absolutely know the sequence of events that must precede your exploit dump.

      --
      No, you are mistaken. I've always had this sig.
      • (Score: 2) by kaszz on Friday August 01 2014, @03:30AM

        by kaszz (4211) on Friday August 01 2014, @03:30AM (#76231) Journal

        The point is that any user that is logged into a system with connected USB devices could potentially also make those devices into resident privilege escalation devices. A simple plot is to passively detect a vurnable window of opportunity to execute it.

        • (Score: 1) by frojack on Friday August 01 2014, @03:52AM

          by frojack (1554) on Friday August 01 2014, @03:52AM (#76234) Journal

          Well, that was my point. USB doesn't actually have the ability to passively detect that much.
          USB devices can't read the system bus. They get what the system wants to send them.

          A USB block device, sure. They might be able to wait for a read of a named file, and then substitute their own compromised version. But HIDS, mice and keyboards, they never get asked for files.

          Can you make the mouse pretend to be a block device on next boot? Maybe, but what without autoplay turned on, it does nothing, and the user notices that their mouse doesn't work, and gets a new one.

          Oppetunity is thin at best.

          --
          No, you are mistaken. I've always had this sig.
          • (Score: 2, Interesting) by Anonymous Coward on Friday August 01 2014, @04:28AM

            by Anonymous Coward on Friday August 01 2014, @04:28AM (#76242)

            Well, that was my point. USB doesn't actually have the ability to passively detect that much.
            USB devices can't read the system bus. They get what the system wants to send them.

            A USB block device, sure. They might be able to wait for a read of a named file, and then substitute their own compromised version. But HIDS, mice and keyboards, they never get asked for files.

            Can you make the mouse pretend to be a block device on next boot? Maybe, but what without autoplay turned on, it does nothing, and the user notices that their mouse doesn't work, and gets a new one.

            Oppetunity is thin at best.

            You aren't being sufficiently paranoid/imaginative. Why would the mouse not work if the attacker had spent just 2 more minutes thinking deviously, and decided to make the mal-firmware pretend to be a hub with a mouse attached? Beyond that, you are missing the much bigger obvious deviousness- the mal-firmware can _pretend to be anything_. I don't think you've pondered that threat surface. How many OS's do you know that are happy to automatically run driver code upon detection of a new USB device? How many of those drivers do you think were painstakingly written in a security conscious mindset of dealing with a HOSTILE hardware device? Are you fscking kidding me? Now imagine the nsa and the mafia with a laundry list of such hostile-virtual-device 0-day exploits. We are talking about an entire class of virus/malware which survives a reformat of the system disk and best-practices reinstall of the OS. The real story here is how much propoganda effort the NSA GCHQ and mafia have put into keeping this entire threat surface off of people's radar. In the Wired article on BadUSB I think, they got comment from the USB standards body, and their line was basically - "the threat model is that we don't care if you haven't maintained pure control of your USB devices". Plug a usbstick into a computer that has been otherwise traditionally infected, and is able to rewrite the usbsticks firmware, and from this day forward, that stick is a security hole for any system it plugs into. But now you are going to tell me about your wonderful faith in those thousands of device drivers and how rare it will be that any of them fail to cope with a HOSTILE-DEVICE properly. Ok, sleep tight.

          • (Score: 1, Informative) by Anonymous Coward on Friday August 01 2014, @04:41AM

            by Anonymous Coward on Friday August 01 2014, @04:41AM (#76243)

            > Maybe, but what without autoplay turned on, it does nothing,

            Even with autoplay turned off MS Windows still parses the master boot record, the partition table and directory structure. A maliciously configured block device may be able to exploit the code doing those scans. Proof of concept for older versions of windows (XP, iirc) exists.

            > and the user notices that their mouse doesn't work, and gets a new one.

            The trick is to make the USB microcontroller act as two (or more) different devices. This is a standard feature in some off-the-shelf microcontrollers, you may have even seen it yourself with a U3 usb stick [wikipedia.org] which also acts like a cd-rom drive.

            > Opportunity is thin at best.

            Famous last words. [blackhat.com]

          • (Score: 3, Insightful) by maxwell demon on Friday August 01 2014, @05:22AM

            by maxwell demon (1608) on Friday August 01 2014, @05:22AM (#76256) Journal

            Well, that was my point. USB doesn't actually have the ability to passively detect that much.

            But the operating system actively probes the USB devices that get connected.

            A USB block device, sure. They might be able to wait for a read of a named file, and then substitute their own compromised version.

            And if you reprogram your keyboard to tell the computer that it really is a hub with a keyboard and a block device, you've got a "block device" connected to your computer. And if your system automatically reads some data from block devices, you may have an attack vector.

            Can you make the mouse pretend to be a block device on next boot?

            That's what the article is about.

            Maybe, but what without autoplay turned on, it does nothing, and the user notices that their mouse doesn't work, and gets a new one.

            You assume it doesn't also identify as mouse. It would be a stupid attacker who would do that. And about Autoplay: If it also tells your computer it contains a keyboard, it can just sent the system the necessary command to run a program from the drive.

            --
            The Tao of math: The numbers you can count are not the real numbers.
            • (Score: 1) by frojack on Friday August 01 2014, @07:21AM

              by frojack (1554) on Friday August 01 2014, @07:21AM (#76277) Journal

              And about Autoplay: If it also tells your computer it contains a keyboard, it can just sent the system the necessary command to run a program from the drive.

              But would the system be in a state to accept such a command, or will it just spew that command into somebody's email? (or something) .

              Is there really enough storage in a keyboard to hold any meaningful threat? Is there a processor there that could actually handle that much storage?

              With a thumb drive, or a camera, or a printer, you have a chance. There is enough storage and processing power in those devices that you could work with them.

              But a mouse or keyboard would have to be custom built to handle the tasks you imagine. I don't think you could subvert some random off the shelf mouse or keyboard for this purpose.

              --
              No, you are mistaken. I've always had this sig.
              • (Score: 0) by Anonymous Coward on Friday August 01 2014, @07:53AM

                by Anonymous Coward on Friday August 01 2014, @07:53AM (#76283)

                It seems you have yet to RTFA.

                Here is a way to guarantee security failures - assume the attackers are under-provisioned. That's what you are doing in this thread. Cut it out you are only embarrassing yourself.

    • (Score: 2) by bob_super on Friday August 01 2014, @05:36AM

      by bob_super (1357) on Friday August 01 2014, @05:36AM (#76260)

      > Just another nail in the USB coffin as a really bad idea!

      USB is one of the most successful interfaces in the history of computing.
      Considering how it replaced a clusterf*ck of random-shaped ports with a simple (though annoyingly rectangular) flexible solution, which grew from 1.5Mb/s to 12, 480 and then multiple Gb/s, while allowing just enough power for a spinning rust or a spinner-killer flash drive, you should respect the achievement.
      It's a bloody serial port on steroids, and if you had made it secure it would have failed, and I'd still have DB9 and DB25 cables cluttering my desk.

      • (Score: 2) by elgrantrolo on Friday August 01 2014, @07:33AM

        by elgrantrolo (1903) on Friday August 01 2014, @07:33AM (#76281) Journal

        Amen! I also don't particularly miss the IRQ, DMA, memory address and similar considerations that were needed when adding internal components.

      • (Score: 3, Insightful) by kaszz on Friday August 01 2014, @01:26PM

        by kaszz (4211) on Friday August 01 2014, @01:26PM (#76364) Journal

        I'll agree with you, except that USB is not a nice solution. Firewire or Ethernet-device-bus + power without the magnetics would been way neater. All this polling 1000 times/s, single duplex, complex device classes, single ended side-channel signaling, inconsistent charge interfaces, rigid master-slave setup etc.. It all makes this "solution" very clumsy. But the former RS232, Parallell GPIO, PS/2 abuse, exotic interface card, SCSI megacable mess is of course even worse.

        So it was worse, but that's no excuse to not make it right.

  • (Score: 5, Interesting) by quacking duck on Friday August 01 2014, @04:47AM

    by quacking duck (1395) on Friday August 01 2014, @04:47AM (#76246)

    I became aware of the danger unsecured USB posed about 4 years ago when a company at a trade show passed out business cards with a stripped-down USB end (i.e. no protective metal siding) to it to keep it thin. Thought it was a neat idea to have a small drive with PDFs or what not.

    Instead, I plug it in to my Windows box and watched in shock as a run prompt came up, the address for the company's website was typed in before my eyes, and my browser was taken to the site.

    The card was reporting itself as a freaking keyboard.

    This was shortly after Apple got flak for blocking Palm from using iTunes to manage the Palm Pre's music library. The outrage was undeserved, since Palm was making their devices spoof their USB vendor ID and device ID as Apple and iPod, respectively, in gross violation of the honour system USB licensees were to adhere to in lieu of any crypto signatures, and the USB Implementers' Forum smacked Palm down for violating this policy.

    Both cases were relatively benign but it certainly highlighted to me where the next generation of attacks would come from.

    • (Score: 1, Insightful) by Anonymous Coward on Friday August 01 2014, @05:06AM

      by Anonymous Coward on Friday August 01 2014, @05:06AM (#76250)

      Check out the Rubber Ducky Deluxe [myshopify.com] which is basically a programmable keyboard impersonator.

      BTW, I disagree about Palm. Apple abused their itunes customers first giving Palm the moral high-ground to undo it however was most convenient to their customers.

      • (Score: 2) by quacking duck on Friday August 01 2014, @02:22PM

        by quacking duck (1395) on Friday August 01 2014, @02:22PM (#76387)

        Your *perceived* abuse (limiting iTunes users to sync only with Apple devices, presumably) doesn't justify violating industry-wide terms of use to not to spoof other vendors/devices. Two wrongs don't make a right, and the USB-IF agreed with Apple despite Palm raising the issue with the USB-IF first.

        • (Score: 0) by Anonymous Coward on Friday August 01 2014, @09:31PM

          by Anonymous Coward on Friday August 01 2014, @09:31PM (#76546)

          I'm sure absolutely no customer ever complained about that "wrong."
          And as the customer is the one paying for the product, it is their opinion that counts.

          • (Score: 2) by quacking duck on Monday August 04 2014, @03:47PM

            by quacking duck (1395) on Monday August 04 2014, @03:47PM (#77243)

            Since no customer ever paid for iTunes directly, I guess their opinion doesn't count then.

            And if they paid for a Palm Pre with Palm's promise that iTunes would continue working with their new device, despite a lack of formal agreement between the two companies to provide compatibility... that's Palm's problem, not Apple's.

    • (Score: 2) by jasassin on Friday August 01 2014, @07:06AM

      by jasassin (3566) <jasassin@gmail.com> on Friday August 01 2014, @07:06AM (#76272) Homepage Journal

      Scary shit. Thanks for the story! Wow! Would Linux help?

      --
      jasassin@gmail.com GPG Key ID: 0xE6462C68A9A3DB5A
      • (Score: 1) by Urlax on Friday August 01 2014, @10:24AM

        by Urlax (3027) on Friday August 01 2014, @10:24AM (#76311)

        well, if they sent "WINKEY+R -> CMD -> [ENTER] -> iexplore somesite.com -> [ENTER]" it would only work on windows.

        if they sent "VK_BROWSER_HOME -> ALT-D -> somesite.com -> [ENTER]" it should work on any os, any browser...

        • (Score: 2) by quacking duck on Friday August 01 2014, @02:28PM

          by quacking duck (1395) on Friday August 01 2014, @02:28PM (#76392)

          Not sure if VK_BROWSER_HOME is a semi-standard keycode, but neither of the Windows keyboards with browser keys on them do anything on my Mac. Also, on Macs the keyboard shortcut to focus on the browser's url bar is command-L, even on multi-platform browsers like Firefox and Chrome.

          Of course, there's nothing stopping them from making it "type" multiple sequences, one after the other, so it'll work on all systems.

      • (Score: 2) by mrider on Friday August 01 2014, @03:54PM

        by mrider (3252) on Friday August 01 2014, @03:54PM (#76424)

        You are considerably less likely to have some random software to turn your otherwise pristine GNU/Linux computer into Typhoid Mary than with say Windows. This is not (necessarily) because Linux is more secure so much as because there's such a wide difference between different distros and installs such that drive-by infections are so much harder on Linux. The trolls always talk about how there needs to be "one layout that all distros follow, and only a few distros". In this case, the fact that the trolls haven't gotten their way is precisely what makes Linux a harder target.

        Using Linux on the other hand will do nothing to protect you from a device that has already been altered, assuming they have designed a cross-platform payload. For example, if your thumb drive is programmed to emulate a keyboard, and the keyboard sends key scan codes, and the result of those scan codes translates to commands in your distro's language (which is likely) - then it's game over. And at that point, it's possible that they could turn your computer into an infection vector just the same as with any other O.S.

        What you could do would be to turn off automatic USB scanning, and then probe the device by hand. I doubt if many people would even know how to do this, and even fewer still will bother.

        The metaphors we use to describe computing (like "virus") look like they've expanded. You wouldn't put some random person's kidney in your body. It's time to start realizing that you can't put some random hardware device in your computer either. Regardless of O.S.

        --

        Doctor: "Do you hear voices?"

        Me: "Only when my bluetooth is charged."

  • (Score: 2, Interesting) by pkrasimirov on Friday August 01 2014, @06:30AM

    by pkrasimirov (3358) Subscriber Badge on Friday August 01 2014, @06:30AM (#76268)

    My mother got brand new HP printer, standard USB connector. She called me for having trouble making it run. The printer icon was nowhere to be found, only a new block device appeared. This was the printer, a flash drive with autorun.inf. I've configured her autorun disabled so she never got the prompt to run anything. Only after I started the exe from the printer, there came a printer device, a scanner device, installed "utility programs", websites auto-opened and some other crap, you know the drill.

    I had to run exe from HP with full admin privileges in order to use the printer. You can say this is not some flash stick a stranger gave me but it is exactly this: I don't know the salesperson, I dont know the HP programmer guy, I can only guess what's in the printer exe.

    • (Score: 2) by maxwell demon on Friday August 01 2014, @06:52AM

      by maxwell demon (1608) on Friday August 01 2014, @06:52AM (#76269) Journal

      And even if you trust all those: Who tells you that very same printer wasn't already sold and then returned after modifying the exe?

      --
      The Tao of math: The numbers you can count are not the real numbers.
  • (Score: 1) by darkfeline on Saturday August 02 2014, @02:05AM

    by darkfeline (1030) on Saturday August 02 2014, @02:05AM (#76613) Homepage

    It seems to me that the proper way to deal with this (keeping in mind that I'm not intimately familiar with the low-level hardware-kernel interface) is to have your OS's hardware management (udev on Linux?) require you to manually connect (mount, recognize, or whatever the technical term is) devices plugged in after boot, with a possible whitelist exception for mass storage devices. That way, if you plug in something that presents itself as an input device, you have to manually okay it before the kernel starts accepting data from it.

    --
    Join the SDF Public Access UNIX System today!