If a USB device identifies itself as a keyboard, the system shouldn't accept its keystrokes until that keyboard has typed the user's login password (EDIT: or the user explicitly authorizes the device using a different keyboard). If it identifies itself as a storage device, the filesystem driver should be hardened. If it identifies itself as an obscure 90s printer with a buggy driver written in C, it should prompt the user to confirm the device type before it loads the driver.
It's 2019. Why the f* haven't Windows, MacOS and Linux all implemented these basic precautions?
I'd rather this device presented itself as a drive containing various virtual files that contain temperature data in them, but the cat's out of the bag, so to speak.
I can't see how the filesystem hack would work, if the OS has the drive mounted, it would cache files in memory, and not notice the file contents changing. You can't even modify the metadata, because most of that might also be in memory.
USB is trash for security.
Also, perhaps folks working in data centers can confirm/deny, but from what I know it's usually strictly forbidden to bring any USB devices into a data center area.
We’re not a cloud provider, but I’ve been in lots of DCs and seen plenty of USB devices.
MTP devices are ~mostly harmless~ and relatively easy to trust. Network devices are not.
It's the same mechanism used to reach your router. Subnet-local / connected routes are routes in themselves. Routers let you leave your subnet.
This is why everybody tries to piggyback on being a USB HID device.
Source: Have plugged several brands of USB-to-COM adapter in to Win 7 / 8.1 and they've "just worked".
Now, since most things use a Prolific chip, you only have to install the driver for one device and you pick up a ton of them.
But it has to be installed by somebody, and that means all of the silliness that goes along with Windows driver installation.
Very hard to troubleshoot.
"Sensor not detected? OK, open up Notepad and hit Caps Lock three times quickly. Did some text appear? The sensor is fine, the problem is with your computer."
The rest is just making up a serial protocol.
No need for a special driver.
The free (money-wise) approach we ended up doing was to use WinUSB and marking the device as “vendor specific”, and using libusb to talk directly to it. That was a bit awkward, but covered Windows, Linux, and OSX for us.
This was 5 years ago though. Windows 10 might directly support generic CDC devices, but Win 8.1 didn’t.
Edit: sibling mentions HID. HID does work like this, but we needed more bandwidth than HID provided. CDC was perfect for what we were doing but it didn’t auto install. Mass storage auto-installs but didn’t fit what we were doing.
:D Obviously you have to consider the needs of your users as an engineer, when choosing any technology, for their particular problem.
But that requires custom software to interface with it and parse the data or make payload requests and developers are that lazy.
Maybe we should have stuck to PS/2 keyboards after all.
Am I the only one old enough to remember 'disk bombs' from the 90s where you filled 3.5" floppies with paste made from strike anywhere match heads so when the disk spun up it melted? You could do similar things with a USB stick. You could have a high voltage converter which fries your PC the second you plug it in.
Basically, it is always a bad idea to plug in unknown peripherals to your computers. The OS isn't going to save you in all cases.
I took the OP to be talking more about general case. Random people plugging into a public recharge station, using (shady) Amazon/Ebay USB drives, plugging in a "found" USB stick, etc. The OS can at least help thwart simple attacks here.
In the worst case, the device contains a GSM modem which is powered by USB but otherwise only appears to the host as a USB drive -- and if you can get the target to write useful data to it, I guess you have something? That's an awfully expensive attack that I would assume has relatively low chance of yielding something useful. (Unless maybe you market it as a "secure cryptocurrency wallet", and hope you can sell enough to people that then put on enough cryptocurrency to make up for the significant manufacturing expense, which you're able to steal before anyone notices there's a modem in it and sounds the alarm..)
> You could do similar things with a USB stick. You could have a high voltage converter which fries your PC the second you plug it in.
This has not only been done, it is a commercial product: https://usbkill.com/
While being obnoxious and costing one (random?) person some money (presumably they will destroy or throw out this USB drive afterward), it doesn't really get you anything. There are many other cheaper ways to destroy someone's computer, as there are many other things you can destroy to cause a person expense and/or inconvenience.
> Basically, it is always a bad idea to plug in unknown peripherals to your computers. The OS isn't going to save you in all cases.
100% agree, but that doesn't mean it shouldn't try at all.
Not necessarily a specific target (although maybe in a sense). If I were, say, the Chinese intelligence apparatus, I'd be sprinkling exfiltration devices around D.C., military bases, and defense contractor offices (especially the small ones, who don't always seem to have their shit together).
You can fit a lot of smarts in a small form factor these days. I could, with the budget of an intelligence agency, cheaply mass produce USB storage controllers which only activate when specific files of interest (say, OrCAD schematics, or source code) are saved to the device. I could sprinkle them around, or even just strongarm one of my country's manufacturers so that the bug goes into wide distribution. Now I use sniffer vans, like were used to execute the Tempest attacks against military bases in the 80s, to find my beacons and exfiltrate.
GSM modems might be expensive, although it would be a great way to get data out. You could also add GPS and use a small geofencing database to activate when you're within a target radius.
Keep in mind this is just the musings of a bored idiot (me). I suspect an intelligence agency could find more useful things to do with a USB stick.
Damn dude that really worked? I remember reading about it in the anarchist cookbook but didn't go through with the effort after getting thoroughly punked re: smoking banana peels and trying out pressure points on older kids
> 1. Obtain 15 lb. of ripe yellow bananas. 2. Peel the bananas and eat the fruit. Save the skins. 3. With a sharp knife, scrape off the insides of the skins and save the scraped material. 4. Put all scraped material in a large pot and add water. Boil for three to four hours until it has attained a solid paste consistency. 5. Spread this paste on cookie sheets and dry it in an oven for about 20-30 minutes. This will result in a fine black powder (bananadine). Usually one will feel the effects of bananadine after smoking three or four cigarettes.
Bananadine is a fictional psychoactive substance which is supposedly extracted from banana peels.
I won't copy my data onto an unknown device. Mics and cameras trigger prompts in MacOS. The keyboard device, on the other hand, can be used for a 5-second walk-by attack, running install scripts (Bad USB attack).
You won't, but many people will. They'll plug it in, figure the device is fine, and begin to trust it.
Mics and cameras trigger prompts if they present themselves as USB devices. I'm saying they do not need to do that. They can draw power from the port and send captured data out wirelessly.
That's assuming it presents itself as a mic or camera. What's to say it can't have the hardware embedded in the device but not present it to the host machine? Then any exfiltration technique can get a direct look into audio/video of the area.
It's pushed by the auto manufacturers and insurance companies to normalize driving and make you pay for more expensive safety features. If people drive irresponsibly enough to wreck their cars, but not enough to kill themselves (modulo the safety level of their car), they buy more cars and spend more money on car insurance.
Miniaturized wireless electronics is the Ice IX that will destroy civilization
Edit there is usbguard too:
For linux you can actually require USB devices to be authorized first by changing a few kernel settings.
A friend of mine wrote a few shellscripts a few years ago to do exactly that:
As you can see it's something that's very simple to do, there's just no good "normal user" UI for it.
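The deny-by-default approach described above, written out as an added example (this is not the friend's script, usbguard, or any project's code): it drives the `authorized_default` attribute on each USB root hub and the per-device `authorized` attribute under `/sys/bus/usb/devices`, which are the real sysfs knobs on Linux. The allow-list, the `sysfs_root` parameter and the sample tree it builds are this example's own constructions, so it can be run without root against a fake tree.

```python
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Set

SYSFS_USB = Path("/sys/bus/usb/devices")

# Hypothetical allow-list of vendor:product IDs (constructed for this example).
ALLOW_LIST: Set[str] = {"046d:c31c"}


def deny_new_devices_by_default(sysfs_root: Path = SYSFS_USB) -> List[str]:
    """Write 0 to authorized_default on every root hub (usb1, usb2, ...) so a
    newly attached device is not configured until something authorizes it.
    Returns the names of the hubs that were changed."""
    changed = []
    for hub in sorted(sysfs_root.glob("usb*")):
        attr = hub / "authorized_default"
        if attr.is_file():
            attr.write_text("0\n")
            changed.append(hub.name)
    return changed


def device_id(dev: Path) -> Optional[str]:
    """'vendor:product' for a device directory; None for interface entries
    such as 1-1:1.0, which carry no idVendor/idProduct."""
    vendor, product = dev / "idVendor", dev / "idProduct"
    if not (vendor.is_file() and product.is_file()):
        return None
    return f"{vendor.read_text().strip()}:{product.read_text().strip()}"


def apply_allow_list(sysfs_root: Path = SYSFS_USB,
                     allow: Set[str] = ALLOW_LIST) -> Dict[str, str]:
    """Authorize allow-listed devices and de-authorize all others.
    Root hubs (usbN) are never touched: de-authorizing one drops every
    device behind it. Returns {device: 'allow'|'deny'} for logging."""
    decisions: Dict[str, str] = {}
    for dev in sorted(sysfs_root.iterdir()):
        if dev.name.startswith("usb"):
            continue
        vid_pid = device_id(dev)
        attr = dev / "authorized"
        if vid_pid is None or not attr.is_file():
            continue
        verdict = "allow" if vid_pid in allow else "deny"
        attr.write_text("1\n" if verdict == "allow" else "0\n")
        decisions[dev.name] = verdict
    return decisions


def make_sample_tree() -> Path:
    """Constructed stand-in for /sys/bus/usb/devices so the policy can be
    exercised without root: one root hub, an allow-listed keyboard (1-1),
    an unknown device (1-2) and an interface entry (1-2:1.0)."""
    root = Path(tempfile.mkdtemp(prefix="fake-sysfs-"))
    hub = root / "usb1"
    hub.mkdir()
    (hub / "authorized_default").write_text("1\n")
    (hub / "authorized").write_text("1\n")
    (hub / "idVendor").write_text("1d6b\n")
    (hub / "idProduct").write_text("0002\n")
    for name, vid, pid in (("1-1", "046d", "c31c"), ("1-2", "dead", "beef")):
        d = root / name
        d.mkdir()
        (d / "idVendor").write_text(vid + "\n")
        (d / "idProduct").write_text(pid + "\n")
        (d / "authorized").write_text("1\n")
    (root / "1-2:1.0").mkdir()
    return root


if __name__ == "__main__":
    # Runs against the constructed tree; pass SYSFS_USB (as root) to apply
    # the same policy to a real machine.
    root = make_sample_tree()
    print("deny-by-default on hubs:", deny_new_devices_by_default(root))
    for name, verdict in apply_allow_list(root).items():
        print(f"{verdict:5} {name} {device_id(root / name)}")
```

Matching on vendor:product alone is what the comment's "simple to do" amounts to; a device can claim any ID it likes, so this blocks casual plug-ins rather than a deliberately spoofed device, which is the gap the later comments about cryptographic attestation point at.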
I believe modern Thunderbolt already has this sort of cryptographic device authentication, which means not only physical access but at least a bit of reverse engineering skill, a much higher barrier than knowing their keyboard model.
I believe the major missing piece for desktop Linux at this point is that many input devices (including my own) are USB based. Without a way for the device to cryptographically attest its identity, you either have to accept vulnerability from wired external devices during boot or do without input until user space has been started.
Edit: My mistake. It appears that it was opt-in as of January, will become on-by-default at some point in the future, and only blocks devices during boot and while the screen is locked. It appears to trust all devices plugged into it once you've logged in. (https://www.forbes.com/sites/leemathews/2019/01/07/google-sh...)
At this point in 2019 intelligence gathering and government/corporate security vulnerabilities are much more in the digital realm than physical. Wifi enabled cameras/microphones, cell phones, servers, consumer computers, usb devices, iot devices are all used to that end.
We need to hold the flame to OS vendors to handle basic security precautions. It's not like the US government doesn't have contract negotiations with them large enough to force the issue.
It's also unacceptable to have security around the most protected person on the planet be ignorant to common attack vectors and procedures.
You mean like SELinux? Or SE Android? Or the STIGs?
I am just saying that they should have a pre usb meter that prevents the usb stick from being attached to a device directly such that they can screen it off ...
Still, requiring one to type a password in a newly connected keyboard is a pretty good idea as long as it's a configuration option. I imagine you'd also like something similar for the mouse. Maybe having to type a password on a virtual keyboard. It's annoying to have to do something like that every time a computer is woken up. You're talking about typing a password 3 times. Once to log the keyboard in, then to log the mouse in, then to select a user and log the user in.
Your other suggestions are vague, so I'm not sure what you mean by "basic". I mean, if one knows a driver is buggy, those bugs would be taken care of (from the developer's point of view; the administrator might not update the software, but what can the developer do?).
And what does it mean to "harden" a filesystem driver when a device identifies itself as a storage device? A filesystem driver should be "hard", period. All the time. That's something done when the driver is being written, not until it identifies a device.
Wireless presenters often identify themselves as keyboards so that they can "press" the arrow keys to move forward or backward. How are you going to type your password using such a device?
(Which would mean you can still have malware-download-command-typers pretending to be barcode-scanners pretending to be keyboards, but you can't have malware-download-command-typers pretending to be storage devices pretending to be keyboards, because the "Allow typing with this keyboard?" dialog will give it away.)
Keep in mind that autoplay is not unique to USB drives either. CD-ROM drives have had that feature forever.
Because up until 10 years ago, developing your own USB device was generally expensive and malicious devices ended up being out of scope in threat modelling. In addition, some models these days still define 'physical access == game over'...
How expensive? USB is a protocol, a micro, and some power management.
How long ago was this 'out of scope'?
He's also right about the physical access thing. Fundamentally, it doesn't make much sense to add protections against scenarios where the attacker apparently needs physical access, because there's no way to protect against all things he could possibly do then. It's not really obvious that the user needs protecting from himself as he plugs in a device of doubtful origins. We used to hold the user to higher standards.
If you plug in an old printer, you know you just plugged in an old printer; you can load the old-printer device driver and it probably won't exploit it. But if you plug in a USB stick you found in the parking lot, and it asks you whether you just plugged in an old printer, then the game is up; you know it's a tricky device, pretending to be something it's not in order to target a security vulnerability.
This type of protection parent is referencing is "endpoint protection" and there are many industry standard solutions. Why should an OS be more limiting? If you have physical access to a machine that stores things you shouldn't have access to, it's already compromised in my opinion. Why the eff are people overlooking physical security in 2019 is the better question.
Universal plug'n'play is USB's reason for existence, if it can't do that then maybe we should step away from USB itself. Back when keyboards were plugged into PS/2 ports I didn't have to worry a floppy disk would emulate one (ignoring autorun). I'm sure it's possible to have a malicious PS/2 device, but having it plug into the keyboard port would at least indicate what it's going to do.
If you are thinking in terms of "if it identifies itself as...," then there is a good chance that something lower in the stack may be compromised.
This gets even more troublesome once we consider that people sometimes forget that seemingly "dumb" dongles such as display adapters can be very similar to USB sticks from an implementation and vulnerability point of view (e.g., "Thunderclap").
I think the overhead of hardening systems for each of these scenarios would be immense.
That statement is not helpful, because it remains true for any security measure.
The GP suggestions can make everyone's computers more secure now, at what would seem to be a low cost...
Probably easier/safer to display a random number on-screen and then ask the user to retype it into the device. I figure numbers are less likely to run into problems when the keyboard isn't US-standard QWERTY.
For more paranoia/portability, show the user a repeating rhythm-game and wait for them to hit any keys they want as long as it is close enough to the correct pattern. ("Shave and a haircut... two bits!")
You could also use audio output for the user to hear, but then the attacker could embed a tiny microphone in the USB stick...
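A model of the on-screen-code idea from the comments above, as an added example (not code from the thread or any operating system): a newly attached HID gets a fresh digit-only code, its keystrokes are dropped rather than delivered until it has typed that code, and a few wrong codes lock the device until it is re-attached. The device identifiers, code length and attempt limit are this example's own choices; digits are used so the code does not depend on the keyboard layout, as the comment suggests.

```python
import secrets
import string
from dataclasses import dataclass
from typing import Dict

CODE_ALPHABET = string.digits   # layout-independent: same scancodes on most keyboards
CODE_LENGTH = 6
MAX_ATTEMPTS = 3                # wrong codes allowed before the device is locked


@dataclass
class DeviceState:
    challenge: str              # the code the UI displays for this device
    authorized: bool = False
    locked: bool = False
    attempts: int = 0
    typed: str = ""             # digits typed so far toward the code
    dropped: int = 0            # keystrokes discarded while untrusted


class KeyboardGate:
    """Holds per-device admission state; the host calls keystroke() for every
    key event and only delivers the event when it returns True."""

    def __init__(self) -> None:
        self.devices: Dict[str, DeviceState] = {}

    def attach(self, dev_id: str) -> str:
        """Register a new HID and return the code the UI should show."""
        code = "".join(secrets.choice(CODE_ALPHABET) for _ in range(CODE_LENGTH))
        self.devices[dev_id] = DeviceState(challenge=code)
        return code

    def keystroke(self, dev_id: str, key: str) -> bool:
        """True if this keystroke may be delivered to applications."""
        st = self.devices[dev_id]
        if st.authorized:
            return True
        st.dropped += 1
        if st.locked:
            return False
        if key not in CODE_ALPHABET:
            st.typed = ""       # any non-digit key restarts the entry
            return False
        st.typed += key
        if len(st.typed) < CODE_LENGTH:
            return False
        ok = secrets.compare_digest(st.typed, st.challenge)
        st.typed = ""
        st.attempts += 1
        if ok:
            st.authorized = True
        elif st.attempts >= MAX_ATTEMPTS:
            st.locked = True    # stays locked until the device is re-attached
        return False            # the code itself is never delivered

    def type_text(self, dev_id: str, text: str) -> str:
        """Feed a string key by key; return the characters that got through."""
        return "".join(c for c in text if self.keystroke(dev_id, c))


if __name__ == "__main__":
    gate = KeyboardGate()
    code = gate.attach("kbd0")
    print("UI shows:", code)
    # Constructed stand-in for a pre-programmed keystroke payload: nothing is delivered.
    print(repr(gate.type_text("kbd0", "INJECTED TEXT 123\n")))
    gate.type_text("kbd0", code)
    print("authorized:", gate.devices["kbd0"].authorized,
          "delivered after:", repr(gate.type_text("kbd0", "ls\n")))
```

Dropping rather than buffering is the important design choice: a device that is later authorized must not have its pre-authorization keystrokes replayed, otherwise a scripted payload only has to wait. Because the code is random per attachment, a device that was programmed with a fixed sequence has no way to satisfy the prompt, which is what the "give it away" comment further up describes.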
Good KVMs already look at the keyboards they have connected, present separate virtual keyboards to connected computers, and route keystrokes explicitly based on state. You just need them to count the keyboards connected to them, and present a separate virtual keyboard for each downstream connected keyboard, so that the connected computers can tell which keystrokes came from which keyboard.
Well, just the one OS vendor comes to mind and a particular chip maker also shares the blame. Just how difficult can it be to design-in total isolation into a 'computer'.
You could petition OS manufacturers to focus more on physical security, but there's limits to what you can do without piles of abstractions (ala smart phone security)
Okay, please explain a little more. I'll give you a concrete example of a device to work with.
Last week I accidentally left my usb flash drive at a coffee shop with some important files on it. When I went back, the coffee shop had it in the lost and found. It looks the same on the outside, but it's a mass-produced model.
How do I vet this hardware before plugging it into my computer? I do need to access the files on it, but also attackers may have had access to it for several hours.
Or just go to an "Internet Cafe" and do it there.
The same argument applies to the Internet -- we don't say that it's the human's responsibility to vet every website or email message before we let our computer connect to it. We expect our computer to do that. That's why it was wrong for Outlook to automatically execute every program sent to you via email.
This makes it sound like plugging USB sticks guests are carrying into a computer is standard procedure for the Secret Service. That might make sense if they have some sandboxed computer designed for this purpose, as suggested by other commenters. But then the rest of the quote makes it sound like the agents were unprepared for files to be copied and they panicked and aborted the "analysis" to prevent "corruption". Which makes it sound like, no, they just plug it into their own computers...
"The Secret Service agent who questioned Ms. Zhang after her arrest, Samuel Ivanovich, said during testimony... [h]is four-and-a-half hour interrogation of Ms. Zhang was recorded by video... but it lacked sound because he didn’t realize that the agency’s office in Palm Beach didn’t have that capability."
https://www.nytimes.com/2019/04/08/us/chinese-woman-mar-a-la... ¶12
The whole dimension of vulnerabilities and exploits, protocol flaws, trust boundaries, techniques for selecting or creating less vulnerable software, getting crypto implementation details right, principle of least privilege... none of that stuff even registers. I briefly worked in an IT consulting company that sold security and PCI compliance services; nobody was talking about any of that stuff. It was all password policies, antivirus products, phishing awareness campaigns.
The government definitely has real computer security engineering work happening in the NSA, NIST (FIPS 140-2 in particular is no joke), and other very high end defense-related areas. But I would not generally expect people using the word "cyber" to have a fighting chance against a nation-state-level evil USB stick.
>Mr. Alles was told to develop an exit plan before the arrest of a Chinese woman carrying a malware-laced device at Mar-a-Lago, exposing holes in the security of the private club.
“We would then create a forensic image of the USB and extract any malware for analysis in the lab,” he said. “While there is still a very small risk that the malware targets Linux, that’s not the normal case.”
That's an ok start, but you not only want to prevent it from auto-mounting the filesystem, you want it to not even auto-configure any USB HIDs presented to the OS. And even then that may not be enough if there are flaws deep in the usb stack that are being exploited. Ideally you'd have an analyzer in the middle that records everything and allows analysis later, think Wireshark or Fiddler.
Which is actually pretty sane procedure.
I think techcrunch here is trying to sell us on the idea that we're all smarter than the stupid secret service in order to get clicks through manufactured outrage.
I found that statement surprising. For industrial or nation state espionage I would expect people to target Linux in 2019.
Also keep in mind that the most likely accessible targets would be end user type machines, in that area I'd understand if you carry something exploiting a Mac but Linux? That's just virtual dead weight.
edit: looks like their products have another name nowadays, basically something that's forensically sound and allows you to create storage images
The best I've found for disk imaging is using Windows Enterprise (or similar, stripped down) with SafeBlock, but that seems less than ideal. I'd love to find a *nix alternative.
You could imagine a USB device that presented as a harmless file store unless certain conditions were detected, in which case the device could re-present as a keyboard (providing pre-programmed keystrokes) or potentially a bluetooth or wireless network receiver that could log or analyze traffic to a hidden partition.
I think the question of how to safely analyze suspect USB devices, at the level of potential nation-state actors, needs a lot more consideration and probably some custom tooling.
"Boss, the electron microscope reverse engineering from that USB stick 6 months ago came back. They said they didn't find anything out of ordinary. The bill is $400k. But I guess we can start analyzing the contents now.".
It could contain a microphone and a transmitter.
A more evil device, for assassination, could contain explosives or nerve gas. Plugging in the device is fatal.
However, I'm doubtful that a small USB drive would have enough volume to be effective. Wouldn't matter on TV though.
I would be absolutely shocked if the US’ three letter agencies did not have some form of custom tooling to detect this — especially considering the sophisticated multi-vector I/O exploitation they demonstrated a decade ago with Stuxnet and the Equation Group.
Regardless of your views on his policy, Trump has demonstrated zero respect for opsec — even in a national security context — so I would also not be surprised if those three letter agencies have decided the White House is untrustworthy with its cyber warfare capabilities.
I haven't dared plugging this in. First and foremost I'm afraid it isn't standards compliant and will somehow fry my motherboard, secondly I don't have a burner device and the necessary knowledge to determine if anything suspicious is happening.
So for now my USB stick and its decorative case in Chinese art style are purely for display.
Maybe I can use a raspberry pi as burner device and check it out.
"And what do we have here?" [holds up thumb drive]
"That? Uhh, that's, my secrets! Don't look at my secrets! Please don't plug them into your Microsoft Windows® computer!"
I would think the Secret Service would have a policy in place for handling unknown media already, and I’m sure a Very Urgent Memo is wending its way from division headquarters as we speak.
‘Secret Service agent. Samuel Ivanovich, who interviewed Zhang Mar-a-Lago, testified at the hearing. He stated that when another agent put Zhang's thumb-drive into his computer, it immediately began to install files, a "very out-of-the-ordinary" event that he had never seen happen before during this kind of analysis. The agent had to immediately stop the analysis to halt any further corruption of his computer, Ivanovich said. The analysis is ongoing but still inconclusive, he testified.’
"How do I fix my computer after I plug in a malware USB device? I meant, I didn't do that, I'm asking for a f-- another agent."
I also don't like the new design of Macbook in which they merged the USB port and charging port into one. This really opens up huge security risks in my opinion.
(Of course, I'm assuming we're not dealing with a zero-day in the USB stack or filesystem drivers. But that probably is something that the Secret Service should be on top of, as well.)
In essence, modern OS's give "autorun" privilege to keyboards and mice. That's the HID in this discussion -- Human Interface Device.
What does autorun have to do with a mouse or keyboard device? The problem with USB is that you don't know if it is a "mass storage device" or any of the other kinds of devices that can start interfacing with your computer.
If it is an (automated) keyboard device (HID), it will immediately start "typing" which means it can open a terminal window and start executing things.
> She was caught by the Secret Service with four cellphones, a laptop, cash, an external hard drive, a signals detector to spot hidden cameras, and a thumb drive.
I have 3 cellphones - one private (family calls, FaceTime etc), one CDMA phone and one separate GSM for most of the EU countries. And an external SSD drive with all my important backups and projects that would take forever to download off of DropBox. And yes - recently even a cheap signal detector, as I don't want to be watched in my hotel room, even only for "security reasons" as to whether I will demolish the room or not. (call me paranoid but so was I before the Snowden files and I was proven right)
I usually carry about $3,000 USD total in different currency - usually 20% AUD, 20% CAD, 30% USD and rest EUR/GBP. Trust me so many times paying with cash comes to be much cheaper, and at some occasions the only way to go!
Yes, thumb drive too; usually empty so that if I am at the meeting and someone wants to send me some heavy files, I can give them my thumb and viola!
If all this makes me a spy then I definitely need to change my profession :|
Do you typically sneak into these summits, telling the security staff a variety of lies to do so?
I've seen some versions of Windows present a conspicuous file copy dialog box when it sees a new flash drive plugged in (or even the same flash drive plugged in to a new port) - some song and dance about copying *.INF driver files. On the other hand I would expect a malicious flash drive to be as silent as possible. What are the odds the agent was just misinterpreting this?
It blows my mind that someone from the secret service wasn't informed that they shouldn't plug evidence from a suspected spy into their laptops.
Plot twist: she was a legitimate member with a personal malware ridden usb stick she wasn't aware was infected. /joke
The stupidity of it (from an infosec standpoint) should be a given, yet this aspect appears to be the focus of the debate.
Am I missing something?
Totally aside from that, all of Florida is in the 100 mile civil rights suspension zone: https://www.aclu.org/other/constitution-100-mile-border-zone
Now get off my lawn.
I know secretive service agent =/= computer expert but jesus...both my little sister and 60 year old mother know better.