back to article Plug and PREY: Hackers reprogram USB drives to silently infect PCs

Researchers say they have managed to reprogram the firmware within some flash drives with malicious code – code executed by the gadget's micro-controller to ultimately install malware on a PC or redirect network traffic without a victim knowing. Karsten Nohl and Jakob Lell, from German security skunkworks SR Labs, spent months …

  1. Chris Gray 1
    FAIL

    Make them not writeable

    Seems like the simple and sure-fire fix is to make the firmware not writeable. It can't be that hard to get the software right, and I've never heard of a need for in-the-field firmware upgrades on simple USB devices. Even if it is cheaper to use flash than a non-writeable ROM for the firmware, stick one of those tiny fuseable links in the write line, and blow that as the final step of soldering it all together. Might add a tiny bit to the cost.

    1. Mr Flibble

      Re: Make them not writeable

      It can't be that hard to get the software right

      Ah. You're a hardware person, then? It can't be that hard to get the hardware right…

      But, yes, OTP ROM.

    2. Anonymous Coward
      Anonymous Coward

      Re: Make them not writeable

      Unless the 'fuse' is actually in the silicon or it's mask programmed then there will always be a way around it.

      It would stop most script kiddies but state sponsored? Just buy the drives and specify not blown,.

  2. dan1980

    Super low-brow but am I the only one who saw the image accompanying this story and though it was a feminine hygiene product?

  3. Michael C.

    I may be missing something but how does the malware get on the USB device in the first place? Seems like a chicken and egg situation if the infected USB devices are designed to infect a computer, but requires an infected computer to infect the USB device?

    If the devices have to be prepared with the malicious code, then how does it differ from designing and manufacturing a malicious USB device from scratch, which I would imagine has always been possible?

    1. Eddy Ito

      It only takes one

      People will gladly pass it around and make copies if it includes the latest hit movie, probably named something like "Terminators VS Transformers 10: Tactical Take-down!", on it. Watch a free movie and infect all your friends. The sneaker-net is just as effective at spreading malware as it ever was.

    2. Denarius Silver badge
      Meh

      I just heard a river of slobber

      coming from spooks offices everywhere. Probably been doing it for years anyway. Think Iran centrifuges. Takes us back to the days of the infected floppy only slightly worse.

    3. diodesign (Written by Reg staff) Silver badge

      Re: Michael C

      "I may be missing something but how does the malware get on the USB device in the first place?"

      I imagine you reverse engineer a vendor tool that updates the firmware, so you can see the magic packets needed to put the device into program mode. You then either read the firmware off the chip (if poss) or download a firmware update and work out what the raw binary is.

      From there, you work out how the chip works internally: where registers are and so forth. You add in your new code, hook it up so it runs, and then upload that modified firmware to the controller in program mode.

      Now you're all set. After that, make sure the PC malware you install has the capability of automating the above. And now you're cooking on gas.

      IMHO it's the reverse engineering of the firmware and the firmware programming that's impressive. You shouldn't trust USB sticks anyway on machines that are sensitive. If you genuinely care about information security, you'd compartmentalize your data and systems so that plugging a random USB thing into your gaming PC doesn't screw over your machine with your PGP keys.

      C.

      1. Anonymous Coward
        Anonymous Coward

        Re: Michael C

        re: diodesign

        Pity I can only upvote this one time.

        I need more accounts.

      2. Jim 59

        SR Labs

        Well any code can be hacked and infected. All that SR have proved is that hacking embedded firmware takes a big budget, months of research and special equipment. We knew that already. Not to disparage their effort but what has it achieved?

        Big corps and governments have the resources for this kind of thing, but if they wanted to do it they would be doing it already.

        Everyday hackers and black hats will continue to cast their net widely, waiting for that one password which is set to "apple" or whatever.

      3. Gotno iShit Wantno iShit

        Re: Michael C

        You're thinking way too black hat, I doubt it's remotely that hard. Among the advertised features of the Phison PS2251-01 are:

        - Support Program RAM (Firmware Upgradable)

        - Supports VID, PID, serial number & vender information update

        - Supports multiple partitions and hidden mode

        You probably just need to ask for a copy of the datasheet & tools, how could they advertise these as features the customer can use if they don't provide the info & tools to do so?

    4. cortland

      If you build it... they will volunteer their data.

  4. david 12

    Can you still buy memory cards/USB sticks on EBAY?

    1) All flash devices have firmware.

    2) Reprogramming the firmware of flash devices is a standard operation, and little old ladies in the market stalls of Shenzhen will do it for you. The most basic purpose is to implement algorithms dealing with bad flash cells. For years, the most common malware purpose was to lie about the size and provenance of the flash device.

    3) 10 Years ago it was common for usb devices to include keyboard emulators to install software. There were a couple of efforts directed towards standardising the process, which eventually died as the industry moved away from the idea because of security concerns

    This clever demonstration links the two well known ideas: flash controller.reprogramming, and usb device malware.

    1. Phil O'Sophical Silver badge

      Re: Can you still buy memory cards/USB sticks on EBAY?

      10 Years ago it was common for usb devices to include keyboard emulators to install software.

      I've had freebies from trade shows which look like USB thumbdrives, but which just pretend to be a keyboard and open a browser pointed to the supplier's URL. This sounds like the same idea, and you don't even need to have the malware on the device, just on the website.

      As always, the only safe solution is not to connect things to your computer if you don't trust them 100%. For freebie giveaway thumb drives I always put them on a Unix or Linux box & reformat them first, before they go anywhere near a Windows PC. I would guess that this sort of malware attack will produce errors if plugged into an OS it isn't expecting?

      1. Anonymous Coward
        Anonymous Coward

        Re: Can you still buy memory cards/USB sticks on EBAY?

        " I would guess that this sort of malware attack will produce errors if plugged into an OS it isn't expecting?"

        Why? On initial connection, is there reason to expect that your Linux box would object to a device that identifies itself as storage and keyboard combined? And if you were crafting an attack against Windows machines, how and why would it produce an error message on the Linux box? "USBStealthDeath has an exception at 00000F:1H8C" should set the alarm bells ringing, and the authors would presumably make code failures silent, particularly since there's a few non-Windows machines around, and once you're rumbled that's it.

        1. Michael Wojcik Silver badge

          Re: Can you still buy memory cards/USB sticks on EBAY?

          " I would guess that this sort of malware attack will produce errors if plugged into an OS it isn't expecting?"

          Why?

          For the fake-keyboard attack, it will likely produce errors because the string sent by the "keyboard" won't be meaningful to whatever interprets it on the wrong OS. A fake-keyboard attack that targets Windows probably starts by sending Ctrl-Esc or a similar key combination, so the attack will have a command interpreter to send further instructions to. On another OS, that sequence might very well not be meaningful. Even if it is, and the malware is lucky enough to get the keyboard focus on, say, a bash instance, a bunch of Windows command lines aren't going to get it very far - and the resulting error messages might well be visible.1

          The fake-NIC attack is more likely to be successful on multiple OSes.

          But the point is that these attacks don't simply involve the silent execution of code loaded from the USB device - they involve impersonating other kinds of devices. The vulnerability is assuming the user can tell what USB device classes some random piece of hardware with a USB connector will advertise itself as. (That's a riotously dumb assumption, but Security Is Hard.) That leads the user to act under an erroneous threat model.

          1Presumably the malware tries to hide traces of its actions by closing windows it opens, etc. Whether that would work under Linux or some other non-Windows OS would depend greatly on circumstances.

  5. Robin Bradshaw

    USB Rubber Ducky

    Whilst this is rewriting the code on an existing USB drive the attack vector they describe, a combined mass storage/HID keyboard usb stick, can be purchased here from hack5 the same people who brought you the wifi pineapple:

    http://usbrubberducky.com/

    If your interested in messing with USB thumb drives the software to reprogram them is reasonably easy to find but id reccomend only using it in a VM as it tends to come from strange chinese websites.

    I found this talk incredibly helpfull in chasing down the software https://www.youtube.com/watch?v=ZdzTRkojzwU but never got beyond messing making my test drives appear as a combined CDrom/flash stick and giving the drives stupid names, im guessing with considerable effor the firmware in the flash tool could be disassembled and patched to do bad things.

  6. J.G.Harston Silver badge

    Errmm.. old news?

    There was stuff about this *years* ago. I saw a demo of an "infected" USB mouse infecting a PC it was plugged into.

    Plus.... you have to be a brain-damaged super-moron running their PC as an Admin user for it to do anything at all anyway - and if you're doing that you deserve to have you hard drives disappear into a pile of randomised bits anyway. "Starts a cmd session then types in a string to install malware" - what, than magically reads the user's mind and types in the Admin password to actually do the install?

    1. diodesign (Written by Reg staff) Silver badge

      Re: Errmm.. old news?

      "There was stuff about this *years* ago. I saw a demo of an 'infected' USB mouse infecting a PC it was plugged into"

      You're talking about this? Look at it. It's been *physically* modified. This BH talk is about rewriting the firmware in an undetectable manner.

      Imagine automating the process of rewriting the firmware using just software: every time a supported stick is plugged in, and your malware is on the PC, you get to infect the stick's firmware silently and reliably.

      Which means, in theory, you can spread your software nasty from thumb drive to thumb drive (if they're using supported micro-controllers), creating an infection.

      Having said that, this process is not /that/ new - see the links in the story to older presentations. What I believe is new here is reliable and realistic firmware rewriting that can be demonstrated on stage and weaponized.

      C.

      1. DropBear

        Re: Errmm.. old news?

        I suppose that might work - as long as the user is not in the least phased by inserting his USB drive, only to see it soon auto-magically "disconnect" -> "new USB device detected: xxxxx programming interface etc. / DFU firmware update interface" -> "disconnect" -> "new USB device detected" -> "mass storage attached" -> "new USB device detected" -> "HID keyboard" -> "Your new device is working properly". I'm not saying it's impossible, I'm saying it requires a special kind of dummy (of which there are quite a few around, granted).

        1. Anonymous Coward
          Anonymous Coward

          Re: Errmm.. old news?

          You mean the weird dance of dialogs that every Windows user is used to seeing when plugging in a new device? How many people really pay attention to the little bubbles telling what it is doing, rather than just waiting for it to quit doing it and hope it works?

  7. John Savard Silver badge

    I don't recall my computer, when connected to the Internet, and with a flash drive plugged into a USB port, ever telling me that it wants to download an update for the software in the flash drive's controller. So it seems that there's no legitimate reason for the firmware on these drives to remain programmable once they leave the factory.

    That ought to be a cure that is implementable at trivial cost.

    1. Eddy Ito

      That's just it, the computer only knows it's a flash drive because the flash drive says it's a flash drive. If it says it's a video adapter, cdrom drive, ethernet port, etc. that's what the computer 'believes' and it's quite possible something else might need an update. Ask yourself what your grandmother would do when presented with the following;

      "Windows has found a security update for your WiFi adapter. Click OK to install WPA3 and make your network more secure" [OK]

  8. Charles Manning

    I call semi-bollocks

    It is generally not possible to "infect" a mouse by plugging it into a computer etc.

    You generally have to develop the firmware and program it into the mouse using development tools of some form - at least cracking open the case. Anyone can buy a development board for a few $ and make a mouse that would have Bad firmware built in, but that's a different matter entirely.

    There are some devices that start up "naked" and have their runtime firmware injected into them by the host, but then the host is already infected anyway.

    There are some development environments that provide a mechanism to easily reprogram the firmware, but those are designed for hobby/development and are not used in production.

    Of course there is nothing preventing someone making a bad mouse and selling it on ebay etc, but that's a very different matter from infecting a shrinkwrapped mouse.

    Oh, as for your mouse having a tiny OS.... Unlikely. Most mice etc will be bare metal. There is no point in putting an RTOS in a mouse.

    1. NotArghGeeCee
      Black Helicopters

      Re: I call semi-bollocks

      This isn't a tool for the S'kiddies, this is potentially grown-up stuff.

      Imagine if you will a trade show. Imagine a vendor at this trade show giving away gift logo'd USB sticks, mouses, novelty rubber-tipped missile launchers, whatever. Now imagine those had been nobbled by said vendor (or a third-party without the vendor's knowledge - yes, shadowy organisation with a TLA, I'm looking at you) with some nasty.

      I am sure that has never/doesn't/will never happen.

      1. diodesign (Written by Reg staff) Silver badge

        Re: Re: I call semi-bollocks

        "This isn't a tool for the S'kiddies, this is potentially grown-up stuff."

        Absolutely. This isn't for Anonymous. This is for cops and g-men. Strike up a conversation with someone at a conference, you've had a few beers, he or she suggests you whack in a USB stick to copy over some stuff you'd be interested in. You're savvy, you know you've disabled autorun and open documents in a VM or a non-sensitive machine. You're confident.

        Doesn't matter in this case. Game over.

        C.

        1. Rob Carriere

          Re: I call semi-bollocks

          I suppose the non-sensitive machine still works (doesn't really matter whether it gets pwned by a malicious document or a malicious drive -- you were prepared for it to get pwned)

          But, yeah. Nasty.

          How hard would be to modify the OS so it pops up a notice, "The device you just inserted wants to register as mass storage, a keyboard, and a network card. Which of these functions do you want to allow?"

          1. gotes

            Re: I call semi-bollocks

            How hard would be to modify the OS so it pops up a notice, "The device you just inserted wants to register as mass storage, a keyboard, and a network card. Which of these functions do you want to allow?"

            Could be a bit annoying when you've just plugged in a keyboard and have no other means of responding to the prompt.

            1. Rob Carriere

              Re: I call semi-bollocks

              Gotes said:

              "Could be a bit annoying when you've just plugged in a keyboard and have no other means of responding to the prompt."

              Er, yes. One of the reasons I've never quite gotten the big rush to make keyboards USB. (Yeah, I know, standard connector is 0.3 cents cheaper). The things need exceptional handling in a number of places and this is one of them.

              Still, as someone below has already suggested, you can pop up a passcode on the screen and require it to be input. Combine that with serial number lock-in for known good keyboards and you're good to go.

              Alternatively, dedicate a USB port to the keyboard and only ask questions if a keyboard is plugged into another port. This should serve most desktops well. A laptop already has a built-in keyboard, so you have a channel to answer the popup. That in combination with a serial number lock should minimize the fuss on most laptops.

        2. Jim 59

          Re: I call semi-bollocks

          Sure, but cops and g-men could re-program any firmware, they might even have their very own code in your Haswell quad core, garage door opener or sat-nav. The only thing that makes this USB back door more dangerous is that USB devices often get interchanged between computers.

          It is also risky for the hackers. It is harder to remain anonymous when passing around an infected thumb drive, than it is when, say, launching a virus on your botnet. If malware is suspected there is a physical chain of supply to follow.

          1. Graham Cobb Silver badge

            Re: I call semi-bollocks

            I think you are missing the point. As an earlier commentator said, what this does is turn today's USB sticks into the equivalent of the old infected floppy.

            In the business world today, USB sticks are routinely exchanged between people (in the same company, or between companies). When I meet a customer, it is very common that we will exchange documents on a USB stick (they may want a copy of the presentation I have just given, or I may want a copy of the RFP that his purchasing dept will send me in a few days time). If the customer's PC has been infected, this attack allows them to infect my PC as well, even if I use my own USB stick and without actually opening any documents from the stick.

            As for those who mention non-Admin accounts, VMs, or keeping assets separate: I am talking about the business environment. That is completely geared up for doing business -- not for security. I have been in sales/marketing for many years now and have NEVER worked for a company (big or small) where my normal work account on my laptop does not have local admin rights -- locking down the PCs, particularly for home and travelling users, is just too hard (i.e. expensive in support resources and expensive in lost time for the user). Despite best intentions, the company ALWAYS ends up making the tradeoff that all field people accounts have admin access on their own laptop.

            That may or may not be a good idea, but it is the way of the world. This attack is very serious in the world of business users in the field.

            1. J.G.Harston Silver badge

              Re: I call semi-bollocks

              "I am talking about the business environment. That is completely geared up for doing business -- not for security."

              We can't be bothered making sets of keys for the storeroom, so we're just taken the door off.

              That sort of business deserves to go bust very quickly.

            2. Mr Flibble

              Re: I call semi-bollocks

              The workaround for that would appear to be SD or SDHC of a suitable form factor.

              1. herman Silver badge

                Re: I call semi-bollocks

                SD? Those also contain little ARM processors that can be reprogrammed.

                http://www.zdnet.com/sd-cards-hacked-7000024686/

            3. DropBear
              WTF?

              Re: I call semi-bollocks

              "I have been in sales/marketing for many years now and have NEVER worked for a company (big or small) where my normal work account on my laptop does not have local admin rights"

              Sorry, it's still not quite clear what's preventing you or any other "business user" logging into their PC as a non-admin user for business-as-usual, even if you occasionally do make use of your admin privileges to install this or that...?

              1. Michael Wojcik Silver badge

                Re: I call semi-bollocks

                Sorry, it's still not quite clear what's preventing you or any other "business user" logging into their PC as a non-admin user for business-as-usual

                Irrelevant. If users aren't prevented from running with excess privilege, most of them will happily do so.

          2. keith_w Bronze badge

            Re: I call semi-bollocks

            just drop a few around an entrance to the place you want to infect, guaranteed someone will pick one up and plug it in - and if there is bait on it, movies, music, porn, it'll get passed around.

        3. DropBear
          WTF?

          Re: I call semi-bollocks

          "Doesn't matter in this case. Game over."

          ...Is it now? So you won't see USB devices plugging out and in repeatedly on your bog standard OS? You won't see rapid-fire action flicking up a console / browser / whatever, as if you'd be watching someone use your PC remotely through VNC? And any damage won't be limited to your (obviously) non-admin account, that is not supposed to be able to install system software anyway? Yeah, you'll need to be VERY drunk indeed.

    2. Anonymous Coward
      Anonymous Coward

      @Charles Manning

      A lone guy in his basement won't do this, but some well funded hackers trying to get at stuff that's well protected behind firewalls?

      You don't need to be able to compromise any random device, you can recognize what is plugged in via the normal USB identification system and tell what you can compromise. There is probably little point in infecting a mouse because one rarely switches a mouse or keyboard between computers. That's why USB sticks are the perfect vector. Even if you have only programmed a way to automatically infect one out of four, that's still a great way into supposedly secure networks, even some air gapped ones if they think they're avoiding problems by concentrating on the data on the USB stick, rather than the firmware driving it.

  9. idahoguy

    This is nothing new... this has been done for years!

    We need better reporting. This type of hack has been done for year. There is even a script kiddie type of device anyone can use!

    https://hakshop.myshopify.com/products/usb-rubber-ducky-deluxe

    1. diodesign (Written by Reg staff) Silver badge

      Re: This is nothing new... this has been done for years!

      "This type of hack has been done for year."

      Again, like the modified mouse above, this is custom hardware. You have one evil USB plug, there. Just one. What are you going to do? Go around plugging it into everyone you want to pwn?

      With this BH exploit automated, you can modify USB sticks using purely software again and again and again, whenever a device with a supported micro-controller is plugged in to an infected PC. That's the point of this BadUSB.

      "We need better reporting."

      I need a better reader.

      C.

      1. Michael Wojcik Silver badge

        Re: This is nothing new... this has been done for years!

        I need a better reader.

        Ah, don't we all.

  10. Ben Bonsall

    I wonder how long it will take before someone steals a car by plugging in a usb stick...

  11. Nifty Silver badge

    Where's my Windows update to fix this?

    By now I'd expect, at a minimum, to be able to make a simple security policy change on my Windows 7 PC, to ensure that either

    a) If one keyboard is already plugged in or is part of the laptop, a prompt will always appear to ask me to confirm the device if it is not a mass storage one.

    OR

    b) If one keyboard is already plugged in or is part of the laptop, no new USB device is allowed to connect as a keyboard

    Anything less than this is an NSA-ready backdoor

    1. Graham Cobb Silver badge

      Re: Where's my Windows update to fix this?

      It's a bit harder than it might appear. Adding and removing keyboards to laptops is very common in a corporate environment -- I am always plugging and unplugging keyboards as I move my laptop between desk, conference rooms, carrying it over to someone else's desk to show them something, etc. Several times each day (particularly now that we work in a full hot-desk, open plan environment where you can't even have a phone call without disturbing people so have to go a "phone booth" room each time you get a call). And I typically have the laptop closed while I am doing it and I wouldn't want to open it just to acknowledge a pop-up (and presumably acknowledging it from the new keyboard would defeat the point).

      I think there may be more success for a popup if the keyboard seems to be combined with another function -- although plugging in hubs with keyboard, mouse, external disk pre-connected is also common so that has to still be allowed.

      I certainly hope Microsoft are working on a way to counter this, but it is not as easy as it may seem.

      1. Nifty Silver badge

        Re: Where's my Windows update to fix this?

        Alright, how about this: If any keyboard is connected to a Windows machine, a random numerical password is displayed on the screen. It has to be entered before the device is accepted.

    2. Anonymous Coward
      Anonymous Coward

      Re: Where's my Windows update to fix this?

      "Anything less than this is an NSA-ready backdoor"

      And you don't think that the NSA had W7 equipped with multiple backdoors, unlocked front doors and open windows long before RTM?

  12. Robert Helpmann??
    Childcatcher

    USB Firewall

    USB firewalls that block certain device classes do not (yet) exist.

    Um... actually, they do. There is a McAfee product, Data Loss Prevention that has just that sort of functionality built in. Alas, it is only for Windows devices, but there are likely similar products out there. It is a pain to administer - it has all the hallmarks of an acquired product that was slapped into an existing management console - and is likely to be resented by users as it will keep them from doing what they desperately want to do (infesting the corporate network with malware), but it exists.

    1. Peter Gathercole Silver badge

      Re: USB Firewall

      I ought to point out that on Linux is it perfectly possible to whitelist your udev rules so that only known devices (manufacturer, ID and function) can be configured.

      Of course, this will not prevent a device masquerading as another by using the ID strings of another device, but it would make the attack surface much smaller in that the miscreant would have to know which devices are allowed.

      The other thing that I'm spotting here is a suggestion that the code in the USB device could examine the system. I'm not sure whether that is possible, particularly if it is appearing as a keyboard. Flow of data is particularly one-way for a keyboard. Those that offer programmability in the hardware (gamers keyboards, for example) generally appear as more than one USB device anyway, with the non-keyboard device being used as a control point for the controller generating keyboard scan codes. You could block all but the keyboard device.

      If it is configured solely as a keyboard, I don't think that the OS would send any data to it for it to be able to look at the system. At least not for a USB device. If it were fireware, then all bets would be off.

  13. Down in the weeds
    Boffin

    USB 'firewall'

    Yes, udevs rules in Linux help but are not the complete answer to 'USB firewall', as Peter Gathercole points out, spoofing USB devices will malicioulsy provide legitimate Product ID and Vendor ID strings.

    Nobody seems to have cottoned on to the fact that use of USB devices is inherently risky BY SPECIFICATION. The USB specification mandates that OS kernels (all of them) instantiate low level drivers upon detecting the connection of a USB device.

    USB mass storage devices with on-stick µC are way more difficult to mitigate.

    Being truly nerdy I once watched the Linux kernel generte all of: 'sgx', 'sdy' and 'sr0' upon connection of an Imation IronKey (sg is SCSI generic, sd is the flash mass storage bit & sr is a pseudoCD on the IK wherein stored all the code: no µC on the IK)

    In Linux we can write udevs rules to 'white list' only those USB devices that we (would wish to) 'trust' by PID, VID (and even down to the granularity of Serial# if such is included in the USB parameter block offered by the device).

    In Windows we need a COTS bolt-in to achieve the same function (because the Windoze Registry obfuscation of where the USB device Class and device-specific USB parameter block is stored is heinous and the coders of the COTS bolt-on have done all that 'heavy lifting' for us).

    Then, to truly 'trust' the device you need to take the executable from a Known Good* one and 'fingerprint' it, e.g. take the SHA-256 hash of it.

    Now, 'adopt' the executable -include it in your own software (which of course you measure before invoking, including measureent of the 'adopted' USB exe)

    Then, adjust udevs rule to point to a script that ensures the 'internal' exe is invoked not the 'on stick' exe

    I am not sure how this last bit is accomplished on M$, but a PowerScript guru would achieve it

    * i.e. not 'as previously enjoyed by NSA' & not using on-stick µC

  14. Chris Gray 1

    Writing to keyboards

    @Peter Gathercole

    I'm pretty sure that USB keyboards *can* be written to. I have small hands, so always switch CAPSLOCK and CTRL so I can readily reach CTRL. The LED for capslock is software controlled by the OS, and it toggles when I press the key physically labelled as "Ctrl". So, the OS is writing to the keyboard, if for no other reason than turning the LEDs on and off. Also, aren't there keyboards that allow you to program sequences into special keys?

    1. Colin Miller

      Re: Writing to keyboards

      The keyboard doesn't send the ASCII code for the key that was pressed; it only sends the keycode.

      It is upto the OS to decide what to make of the keycode, if it is CTRL or CAPSLOCK; 'Q' or 'A' (UK/FR keyboard), etc. The OS can tell the keyboard to switch on or off its LEDS, but that's about it.

  15. Chris Gray 1

    Search: "programmable keyboard"

    A quick search on Google very strongly suggests that it is the keyboard itself that is being programmed, and not just OS keytables that are modified. For example, a Windows programming utility that uses a datafile to program the keyboard, and then you can be using a KVM switch to flip over to a Linux box and used the programmed keyboard.

  16. Anonymous Coward
    Anonymous Coward

    What about phones?

    Android phones use a standard USB connection, so undoubtedly many would be easy to infect in this way. What about iPhones? They don't have a USB connector, but the Lightning cable essentially bridges USB to Lightning to allow connection to a standard computer. How much of the USB protocol is used, and can exploiting that allow doing something nasty to the phone via the Lightning protocol? Might be a more difficult problem but there's not enough data to rule it out at this time.

    What about chargers for that matter? Using the USB port for charging has its downsides, this exploit is proof of that. Since a charger can now exploit your phone (at least certainly models depending on the USB chip used) maybe wireless charging has a purpose after all!

    1. Michael Wojcik Silver badge

      Re: What about phones?

      I haven't tried plugging a standard USB keyboard into an Android phone, but I expect it works, so yes, that looks like a plausible vector. (In my case it'd stumble over the phone's lock code, and that's probably true for many readers here, but in my experience most people don't bother locking their phones.)

      And yes, there shouldn't be an impediment to mounting the fake-keyboard attack with (what appears to be) a USB charger, though that may often have to be done under the old "physically modified USB hardware" rather than this newer "reprogrammed USB device firmware" approach. I imagine most standalone USB chargers are just little transformers with no firmware. But I may well be wrong.

      And I've seen plenty of USB sockets for device charging in hotels and other public places - who knows what those are connected to.

  17. Anonymous Coward
    Anonymous Coward

    NSA

    This makes one think about some of the capabilities being claimed for the NSA in the Snowden leaks that security people were skeptical of. They may have known about and been using this class of exploit for years...

  18. herman Silver badge

    Essentially, this is just a different delivery method for a trojan horse. Damage will be limited if user and administrator privileges are separated and if MAC or RBAC is used. If everybody would use enterprise versions of their favourite OS, be it Windows, Mac or Linux, then trojan/virus problems will mostly go away.

    1. Michael Wojcik Silver badge

      Damage will be limited if user and administrator privileges are separated

      Yes, limited to exposing everything that user does from that point on, while using the infected device. Reassuring!

      If everybody would use enterprise versions of their favourite OS, be it Windows, Mac or Linux, then trojan/virus problems will mostly go away.

      What an entertaining fantasy.

      I use the "enterprise" edition of Windows1 on my main development machine, and I lock it down much tighter than the default configuration, and it is by no means immune to user-installed malware. I dare say at least once a week there's a Bugtraq post describing some vulnerability my system would be susceptible to, if I weren't careful.

      1Because that's my primary development target, and it's a lot easier to use the various Linux and UNIX machines remotely than it is to use Windows remotely.

  19. Uwe Dippel

    Same drill - same drill ...

    It is as almost always ...

    ... the customer. Sorry 'bout that.

    The article points this fact out, with all its consequences. You customer goes to your next hyper-market and compares prices. The cheaper the better. Done.

    If me, controller manufacturer, or USB-vendor, puts out a good drive, me going bankrupt.

    A thousand complaints, in- and outside of IT, and drilling down, in most cases it is the customer who's in the end to be blamed.

    Sorry 'bout that, but it is the truth.

  20. Vociferous

    Interesting.

    I have a USB device which, upon connection, is listed as a second keyboard. I've wondered about that.

  21. Ian P

    I'm new to hacked USBs - a neighbour told me she bought a 256GB one for £7 and I laughed. I said perhaps it was 256MB then she showed me the Ebay receipt. Ignoring the AV threat with these the hacked firmware in these is very clever. Windows reports 256GB, you can write files to it without problems and you can read back files PROVIDED you haven't written more than 6GB in the first place. Hence no surprise that traders of these fake sticks get lots of positive feedback. This is a massive con. This particular seller has probably made £2K since the end of July. Get lots of nice feedback and ...keeps churning out these fakes. I'm so envious of the bastards.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021