Zero day USB Threat
Hi Everyone,
Just wanted to share this zero-day USB threat reported on CNET. It is reported to affect Linux machines. Here is the link: http://news.cnet.com/8301-27080_3-20...CmoreStories.0 |
Quote:
Is it in the USB device? So if the USB device emulates a keyboard, so what? Would the risk be greater as an arbitrary keyboard connected to a Linux computer? Does the human interface get administrator rights by magic? To me it looks a little bit like the author has once seen a Linux computer which did not pop up a window when a USB device was connected, and based on that drew the conclusion that a dangerous situation could arise. (Like the "warning! are you sure that you want to continue..." dialog boxes in Windows protect users from doing something stupid!) jlinkels |
and what can we do about that?
"oh, i know, don't use smartphones, they're too smart asses" hhaahha |
I think they're hacking the computer using a charging phone ... this, of course, assumes that the phone was hacked. Meh, not that interesting. Why would I charge my phone with a USB port (it doesn't even have a USB port), and how would it get hacked? This is more of a phone security issue that happens to also affect computers connected to it.
|
It is turning the phone into a keyboard using a USB cable.
When one plugs in the "hacked phone", it is seen as the keyboard and NOT as the phone. Then the "new" keyboard has root access to the system and the payload can be inserted. But if you have physical access then this can be done by other means, so... Ars has a review of the CNET news: http://arstechnica.com/security/news...sb-drivers.ars |
John VV: Plugging in a usb keyboard device gives you a root shell?
|
Extremely interesting vulnerability! Thanks for the link to the article! :)
|
At first blush this exploit may not seem very threatening, but if you replace the smartphone with say an iPod or similar usb charging device, trouble could follow. In context who would have imagined that something like Stuxnet would be a threat as it specifically targeted only a very specific OS running a centrifuge.
|
But then again, how does it work, and how does it work in Linux? Like I asked before, the article is by far not specific enough. Apparently you understand it well enough to consider it a threat, so please explain.
About Stuxnet: Infection of the PLCs was done thru infecting Windows PCs. Siemens (the PLC manufacturer) builds industrial equipment based on proprietary hardware, but relies for both development and user interface fully on Windows. Not even hardened or embedded Windows, but plain commercial desktop XP. Many protocols between PLCs and Windows are proprietary, and only available on Windows. I gather it to be not that difficult to infect a Windows PC and then, while there are already open connections between PCs and PLCs, to use these connections to crack the PLC. The development protocols go much further than just uploading the software, and deeply affect the running PLC both in code and data. The originality in this Stuxnet attack was that it was focused on just one installation. Not that a PLC was infected thru a PC, and cracking the PLC is not that difficult. If it was really the US and Israel governments behind this attack they had plenty of resources to develop such tools. jlinkels |
I don't consider this a real (or new) threat for me, because someone with physical access could simply do this by hand anyway. A smartphone needs to be really hacked - not just have an app installed. I don't think the app API exposes the USB driver stack to spoof the device class. Read the discussion thread on the arstechnica article, there are some more ideas how this could be turned into a real threat. |
Interesting. The main reason for the existence of this threat is that devices connected to a USB port are not authenticated by the user. It is a compromise between comfort (just plug and use) and security. The USB drivers should get an option to authenticate, but I don't know how one device can be distinguished from another of the same model. So for now all devices presenting themselves as a keyboard or mouse should be paused (by the driver) from accessing the computer until the user of this computer allows them to connect. In the meantime we should not connect untrusted devices.
|
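The per-device gate asked for in the post above can be approximated on Linux through sysfs. The following is an added example, not part of the original thread: it lists USB devices that expose a HID interface next to another interface class, and it can clear a device's `authorized` attribute. The composite-device heuristic, the function names and the sample tree are assumptions made for illustration; on a real machine `scan` would be pointed at `/sys/bus/usb/devices`.

```python
import tempfile
from pathlib import Path

HID = "03"  # USB base class code for Human Interface Devices
ATTRS = ("bInterfaceClass", "bInterfaceSubClass", "bInterfaceProtocol")

def _read(path):
    return path.read_text().strip() if path.is_file() else None

def scan(devices_dir):
    """Map each USB device to its interface classes, keyboard flag and 'authorized' state."""
    found = {}
    for iface in sorted(Path(devices_dir).iterdir()):
        if ":" not in iface.name:  # interface entries look like "1-2:1.0"
            continue
        cls, sub, proto = (_read(iface / a) for a in ATTRS)
        if cls is None:
            continue
        dev = iface.name.split(":")[0]
        info = found.setdefault(dev, {"classes": set(), "boot_keyboard": False,
                                      "authorized": _read(Path(devices_dir) / dev / "authorized")})
        info["classes"].add(cls)
        if (cls, sub, proto) == (HID, "01", "01"):  # boot-protocol keyboard
            info["boot_keyboard"] = True
    return found

def suspicious(found):
    """Heuristic (an assumption): a device offering HID next to another class, e.g. 08 storage."""
    return sorted(d for d, i in found.items() if HID in i["classes"] and len(i["classes"]) > 1)

def deauthorize(devices_dir, dev):
    """Write 0 to the device's 'authorized' attribute (needs root on the real sysfs)."""
    (Path(devices_dir) / dev / "authorized").write_text("0")

def build_sample_tree():
    """Constructed data: 1-1 is a plain keyboard; 1-2 offers storage plus a keyboard."""
    root = Path(tempfile.mkdtemp())
    layout = {"1-1:1.0": "03 01 01", "1-2:1.0": "08 06 50", "1-2:1.1": "03 01 01"}
    for iface, codes in layout.items():
        dev_dir = root / iface.split(":")[0]
        dev_dir.mkdir(exist_ok=True)
        (dev_dir / "authorized").write_text("1\n")
        (root / iface).mkdir()
        for attr, val in zip(ATTRS, codes.split()):
            (root / iface / attr).write_text(val + "\n")
    return root

if __name__ == "__main__":
    print(suspicious(scan(build_sample_tree())))  # ['1-2']
```

A flagged device is only a candidate for review, since some legitimate composite devices also carry a HID interface.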
Well, I still fail to see the reason for the excitement in this article. A USB device is connected to a computer and emulates a keyboard. So? It has long been known exactly what risks are imposed when one has physical access to a Linux computer. One can reboot the machine and gain root access. But that is not the case here.
What is the difference between a remote SSH connection and an emulated keyboard? What is the difference between an e-mail with malicious content which can be run with user credentials and an emulated keyboard wedging in characters using the same user credentials? As far as I understand, this exploit does not enable the change of the USB driver present on the host (the computer to be infected), does it? It would be different if the USB device provided its own driver, which in turn is installed by the host using root credentials. jlinkels |
Quote:
But yes, the real-life threat level of this exploit is often exaggerated. |
I realized that I know how someone with bad intentions could exploit this vulnerability to do bad things, but, I decline to provide this information because I do not wish to inspire those with bad intentions to "publish" a proof of concept.
Some things should just not be public knowledge. |