No one, not even the Secret Service, should randomly plug in a strange USB stick (techcrunch.com)
388 points by MagicPropmaker 16 days ago | 213 comments

It's a severe discredit to the major operating system vendors that plugging in a USB stick can still compromise a system.

If a USB device identifies itself as a keyboard, the system shouldn't accept its keystrokes until that keyboard has typed the user's login password (EDIT: or the user explicitly authorizes the device using a different keyboard). If it identifies itself as a storage device, the filesystem driver should be hardened. If it identifies itself as an obscure 90s printer with a buggy driver written in C, it should prompt the user to confirm the device type before it loads the driver.

It's 2019. Why the f* haven't Windows, MacOS and Linux all implemented these basic precautions?

Recently I tried out some USB temperature sensors. They present as both a proprietary temperature sensor and also as a USB keyboard. In the event you don't have a driver for the sensor, you can still get your readings by toggling the caps lock which sends a "turn on caps lock lamp" signal to the "keyboard", which responds by "typing" the temperature data.

I'd rather this device presented itself as a drive containing various virtual files that contain temperature data in them, but the cat's out of the bag, so to speak.

The keyboard trick is quite a hack, but creative. At the same time afaik most barcode scanners also act as keyboards, you scan a number, it "types in" those numbers.

I can't see how the filesystem hack would work: if the OS has the drive mounted, it would cache files in memory and not notice the file contents changing. You can't even modify the metadata, because most of that might also be in memory.

Barcode-as-a-keyboard was one of the vectors that researchers at last CCC used to hack ATMs. End result: show two barcodes, cash gets out.


USB is trash for security.

Don’t think that’s a vector per se. The ATM accepts untrusted USB keyboard input (THAT is the bug)—the barcode reader is just a product that happens to make it easy to type in the right series of characters. You could have done the same thing with a normal keyboard (or an Arduino, if you wanted the convenience)

I wouldn't be terribly surprised if you could create a barcode that caused a barcode reader to send <windows key>+r and run some arbitrary command. So perhaps it wasn't a vector for an ATM, but maybe some other barcode reader where workers scan in arbitrary things they are handed...TSA maybe?

As far as I remember that's roughly how that exploit against an ATM worked:


Also, perhaps folks working in data centers can confirm/deny, but from what I know it's usually strictly forbidden to bring any USB devices into a data center area.

We use USB drives as installers and, in some cases, as boot volumes. (And of course keyboards and mice on crash carts and USB serial ports for laptops.)

We’re not a cloud provider, but I’ve been in lots of DCs and seen plenty of USB devices.

I'd love to have a crash cart. I'd spend all day crashing it into other carts.

Before chip embedded credit/debit cards were prevalent, most magnetic strip reader (MSR) peripherals would often operate as a USB keyboard. It allows them to work with web app based POS systems without requiring things like ActiveX.

Same but different... I was working to get a Hotel property management web application running on iPad so the host could check in people away from the desk. The web application supported MSR swipe keyboard entry, but you can’t plug a generic USB MSR device into an iPad. I wrote a custom iOS keyboard that interfaces with the lightning MSR and its API and then “typed” the characters into Safari. It was nice to be able to use generic Safari and not some App wrapper. And it wasn’t too difficult on the host to change keyboards to swipe.

In high school we messed around with this in the crappy P.O.S. system at the place I worked (windowed app, running on Windows) to see what data was recorded on all our various student ID cards, gift certificates etc.

I was delighted about this when a client wanted a barcode scanner integrated with a web app. I envisioned major difficulties but instead it only took 5 minutes to implement.

Yep! I have a webapp that's been handling physical print-based photography awards for 7 years now. It generates a PDF label with barcode that the entrant sticks on the back of their print, and then they're shipped to the judging location and the award staff scan 4000+ entries over a couple of days. The barcode scanning was the easiest part of the whole project.

Emulate a MTP device (often used by cameras) and mount with a fuse driver. Since the content on the remote device can change the driver shouldn't be caching it.

Or emulate a network, generate a DHCP response for your favorite /31 and don't send a router, and point a public domain name at the other address in that /31.

I'm not sure if you are serious. My goal was to use a USB device standard for which open source drivers exist and which doesn't open security holes by allowing it into your system.

MTP devices are ~mostly harmless~ and relatively easy to trust. Network devices are not.

Can you elaborate? I understand the concept of RNDIS or CDC devices, but if you've sent an IP address only without a router, how is any traffic going to make it back to the other IP in that subnet? I figure it will go back over the default route, but how are you in control of the traffic itself?

The subnet mask determines the size of the connected network, which is in itself a route in your routing table.

It's the same mechanism used to reach your router. Subnet-local / connected routes are routes in themselves. Routers let you leave your subnet.

At that point you might as well just use the real drivers.

This is how they've always worked. How else should a barcode be entered by a scanner?

The driver could read data from the device and clamp the results to a reasonable number of non control code characters.

Eeewww. Why not just make it a virtual com port, which most computers already have drivers for?

Because Windows, the most popular operating system on the planet, didn't have VCOM drivers by default until Windows 10.

This is why everybody tries to piggyback on being a USB HID device.

It did for a few different devices, they could have mimicked one of those.

Source: Have plugged several brands of USB-to-COM adapter into Win 7 / 8.1 and they've "just worked".

Somebody, somewhere had to install a driver. And, because you could never count on it, you can't design to it.

Now, since most things use a Prolific chip, you only have to install the driver for one device and you pick up a ton of them.

But it has to be installed by somebody, and that means all of the silliness that goes along with Windows driver installation.

FTDI chips have their driver deployed by default on most Windows, Mac and Linux installs. It's nice being able to buy a USB/serial cable and have it just work, without needing to deploy any drivers at all. Check it out!

Had to install FTDI drivers on (an admittedly old) Windows laptop 3 weeks ago before I could use it to talk to the Cisco gear I was reconfiguring ...

IIRC the FTDI chips use a non-standard com driver on Win 7. If you want your device (with your VID and PID) to show up as a serial port, you need to associate your device with the usbserial driver, which at the very least requires a custom .inf.

Funny thing: my UPS also presents as a keyboard, and it made my computer keep waking up from sleep at random intervals.

Very hard to troubleshoot.

That's kind of ingenious, but is sending temperature data over USB really such a hard problem in the first place? I'm not really familiar with the USB protocol.

USB doesn't work without a driver and sometimes you don't want to (or can't) install a driver. This sounds like the kind of hack that a clever (but arguably unwise) engineer would shove in to help them remotely troubleshoot a device.

"Sensor not detected? OK, open up Notepad and hit Caps Lock three times quickly. Did some text appear? The sensor is fine, the problem is with your computer."

It's not that hard to pick some standard class, like CDC and have a userspace app that uses it just like a serial device. You can get info on which serial device to use via sysfs on Linux.

The rest is just making up a serial protocol.

No need for a special driver.

Would this work for every operating system without requiring the user to do anything?

It was a long time ago, but I’m pretty sure CDC doesn’t auto-enumerate on Windows. Mac and Linux are fine. I think you still need a .inf for Windows, and for it to work generally, you need WHQL signing ($$, time).

The free (money-wise) approach we ended up doing was to use WinUSB and marking the device as “vendor specific”, and using libusb to talk directly to it. That was a bit awkward, but covered Windows, Linux, and OSX for us.

This was 5 years ago though. Windows 10 might directly support generic CDC devices, but Win 8.1 didn’t.

Edit: sibling mentions HID. HID does work like this, but we needed more bandwidth than HID provided. CDC was perfect for what we were doing but it didn’t auto install. Mass storage auto-installs but didn’t fit what we were doing.

Well, define "work", "every operating system", and "requiring the user to do anything".

:D Obviously you have to consider the needs of your users as an engineer, when choosing any technology, for their particular problem.

USB can and does work without custom drivers. It's the raison d'etre for HID.

But that requires custom software to interface with it and parse the data or make payload requests and developers are that lazy.

Why is this unwise?

Because it could lead to all manner of weirdness that the user doesn't expect. Imagine someone trying to type some data into a spreadsheet and every time they hit the capslock key a strange text string appears in the cell, maybe leading to data corruption. Or even worse, it happens in some program where the typed characters are interpreted as hotkeys and instantly perform some unknown combination of actions which the user may or may not even know occurred.

He failed to consider that people on hacker news would tut disapprovingly at his hack.

You can actually use the USB hid class to present pretty much any data in any way you want. The reason they present as a keyboard is probably so they don't need to worry about drivers. With newer versions of windows I think you can work with such hid devices without special drivers though.

Seems like the core problem is a single standard for many different kinds of devices, which makes it possible for devices to act totally different from what it physically appears to be.

Maybe we should have stuck to PS/2 keyboards after all.

I've used those as well, bit of a pain to work with in non-keyboard mode but they are at least accurate enough.

Sure, you can fix it so devices don't appear as unauthorized keyboards... you still leave yourself open to a near infinite number of other attacks. What stops me from creating a USB device that appears as a storage medium, yet contains a transmitter which slowly exfiltrates any data written? What about a USB-powered microphone or camera posing as a flash drive? Hell, it would be of great value to just have a software defined radio which could execute arbitrary bluetooth and WiFi attacks while allowing remote control via RF.

Am I the only one old enough to remember 'disk bombs' from the 90s where you filled 3.5" floppies with paste made from strike anywhere match heads so when the disk spun up it melted? You could do similar things with a USB stick. You could have a high voltage converter which fries your PC the second you plug it in.

Basically, it is always a bad idea to plug in unknown peripherals to your computers. The OS isn't going to save you in all cases.

I suspect you're arguing from the point of view of a determined attacker against a specific target, in which case, I agree -- there's an infinite number of different attacks you can try, with the caveat that any failed attempt is possibly going to tip your target off and make them up their opsec game, becoming a much more difficult target.

I took the OP to be talking more about general case. Random people plugging into a public recharge station, using (shady) Amazon/Ebay USB drives, plugging in a "found" USB stick, etc. The OS can at least help thwart simple attacks here.

In the worst case, the device contains a GSM modem which is powered by USB but otherwise only appears to the host as a USB drive -- and if you can get the target to write useful data to it, I guess you have something? That's an awfully expensive attack that I would assume has relatively low chance of yielding something useful. (Unless maybe you market it as a "secure cryptocurrency wallet", and hope you can sell enough to people that then put on enough cryptocurrency to make up for the significant manufacturing expense, which you're able to steal before anyone notices there's a modem in it and sounds the alarm..)

> You could do similar things with a USB stick. You could have a high voltage converter which fries your PC the second you plug it in.

This has not only been done, it is a commercial product: https://usbkill.com/

While being obnoxious and costing one (random?) person some money (presumably they will destroy or throw out this USB drive afterward), it doesn't really get you anything. There are many other cheaper ways to destroy someone's computer, as there are many other things you can destroy to cause a person expense and/or inconvenience.

> Basically, it is always a bad idea to plug in unknown peripherals to your computers. The OS isn't going to save you in all cases.

100% agree, but that doesn't mean it shouldn't try at all.

> I suspect you're arguing from the point of view of a determined attacker against a specific target

Not necessarily a specific target (although maybe in a sense). If I were, say, the Chinese intelligence apparatus, I'd be sprinkling exfiltration devices around D.C., military bases, and defense contractor offices (especially the small ones, who don't always seem to have their shit together).

You can fit a lot of smarts in a small form factor these days. I could, with the budget of an intelligence agency, cheaply mass produce USB storage controllers which only activate when specific files of interest (say, OrCAD schematics, or source code) are saved to the device. I could sprinkle them around, or even just strongarm one of my country's manufacturers so that the bug goes into wide distribution. Now I use sniffer vans, like were used to execute the Tempest attacks against military bases in the 80s, to find my beacons and exfiltrate.

GSM modems might be expensive, although it would be a great way to get data out. You could also add GPS and use a small geofencing database to activate when you're within a target radius.

Keep in mind this is just the musings of a bored idiot (me). I suspect an intelligence agency could find more useful things to do with a USB stick.

>Am I the only one old enough to remember 'disk bombs' from the 90s where you filled 3.5" floppies with paste made from strike anywhere match heads so when the disk spun up it melted?

Damn dude that really worked? I remember reading about it in the anarchist cookbook but didn't go through with the effort after getting thoroughly punked re: smoking banana peels and trying out pressure points on older kids

Just so everyone knows what you smoked:

> 1. Obtain 15 lb. of ripe yellow bananas. 2. Peel the bananas and eat the fruit. Save the skins. 3. With a sharp knife, scrape off the insides of the skins and save the scraped material. 4. Put all scraped material in a large pot and add water. Boil for three to four hours until it has attained a solid paste consistency. 5. Spread this paste on cookie sheets and dry it in an oven for about 20-30 minutes. This will result in a fine black powder (bananadine). Usually one will feel the effects of bananadine after smoking three or four cigarettes.


Bananadine is a fictional psychoactive substance which is supposedly extracted from banana peels.

It just made a little fire, it didn't "explode". It would melt your floppy drive and make it useless but wouldn't come close to doing enough damage to hurt anyone unless they had their face a few inches from the front of the PC.

Unless the strike surface also contained an accelerant, as well as the igniter...:)

I'm guessing that there are plenty of things that would fit in the floppy and cause serious damage. Mercury fulminate maybe, or ammonium triiodide(?), assuming they didn't just self-detonate.

> You could do similar things with a USB stick. You could have a high voltage converter which fries your PC the second you plug it in.

See https://hackernoon.com/this-3-diy-usb-device-will-kill-your-...

> USB device that appears as a storage medium, yet contains a transmitter which slowly exfiltrates any data written

I won't copy my data onto an unknown device. Mics and cameras trigger prompts in MacOS. The keyboard device, on the other hand, can be used for a 5-second walk-by attack, running install scripts (Bad USB attack).

> I won't copy my data on unknown device.

You won't, but many people will. They'll plug it in, figure the device is fine, and begin to trust it.

Mics and cameras trigger prompts if they present themselves as USB devices. I'm saying they do not need to do that. They can draw power from the port and send captured data out wirelessly.

> Mics and cameras trigger prompts in MacOS.

That's assuming it presents itself as a mic or camera. What's to say it can't have the hardware embedded in the device but not present it to the host machine? Then any exfiltration technique can get a direct look into audio/video of the area.

Seat belts and airbags don't save you in all cases, but we use them.

That's different. Car crashes are unpreventable, unexpected events that we can prepare for. Plugging a random USB stick into your computer is preventable, and adding these safety features may cause people to think it is safe to plug random USB sticks into their computer.

Most car crashes are extremely preventable. Do some people not drive more dangerously because they believe themselves to be safe because of things like seat belts?

You are so right. I never understood the prevalent idea that traffic accidents are somehow random rolls of the dice. Seemingly the vast majority of them are not. Adjust your speed, not too fast, not too slow; stay focused on road, mirrors, and other traffic; keep your distance; don't be drunk; don't fall asleep; know and follow the rules, and you will hugely reduce your risk of harm.

> I never understood the prevalent idea that traffic accidents are somehow random rolls of the dice.

It's pushed by the auto manufacturers and insurance companies to normalize driving and make you pay for more expensive safety features. If people drive irresponsibly enough to wreck their cars, but not enough to kill themselves (modulo the safety level of their car), they buy more cars and spend more money on car insurance.

This is why Steve Jobs wanted all peripherals wireless ;-)


Miniaturized wireless electronics is the Ice IX that will destroy civilization


Off topic, but my life will never be the same again, there are 18 types of crystalline water ice and one amorphous! [1]

[1] https://en.wikipedia.org/wiki/Ice#Phases

Would plugging it in through a USB hub on an old laptop running Linux not be sufficient?

Edit: there is usbguard too:


> It's 2019. Why the f* haven't Windows, MacOS and Linux all implemented these basic precautions?

For linux you can actually require USB devices to be authorized first by changing a few kernel settings.

A friend of mine wrote a few shell scripts a few years ago to do exactly that:


As you can see it's something that's very simple to do, there's just no good "normal user" UI for it.
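A minimal version of that approach, written as an added example (it is not the scripts referred to above): it uses the kernel's per-device `authorized` attribute and the root hub `authorized_default` attribute under /sys/bus/usb/devices, decides per device from its interface classes and an approved (vendor, product, serial) list, and runs against a constructed sysfs-style tree so it can be tried without root. The class and protocol codes are the standard USB ones; the device IDs in the sample tree are made up.

```python
"""Linux USB device authorization policy driven by sysfs attributes (added example)."""
import pathlib
import tempfile

SYSFS_USB = pathlib.Path("/sys/bus/usb/devices")  # real location on a Linux host

# USB interface class codes and the HID boot-protocol code for keyboards.
CLASS_HID, CLASS_MASS_STORAGE, CLASS_HUB = "03", "08", "09"
PROTOCOL_KEYBOARD = "01"


def read_attr(path, default=""):
    """Read one sysfs attribute; attributes a device lacks (e.g. serial) yield default."""
    try:
        return pathlib.Path(path).read_text().strip()
    except OSError:
        return default


def interfaces(dev_dir):
    """(bInterfaceClass, bInterfaceProtocol) for every interface directory under a device."""
    found = set()
    for entry in pathlib.Path(dev_dir).iterdir():
        if entry.is_dir() and (entry / "bInterfaceClass").exists():
            found.add((read_attr(entry / "bInterfaceClass"),
                       read_attr(entry / "bInterfaceProtocol", "00")))
    return found


def decide(dev_dir, approved):
    """Return ('allow' | 'deny' | 'ask', reason) for one device directory."""
    d = pathlib.Path(dev_dir)
    ident = (read_attr(d / "idVendor"), read_attr(d / "idProduct"), read_attr(d / "serial"))
    if ident in approved:
        return "allow", "device is on the approved list"
    ifs = interfaces(d)
    classes = {cls for cls, _ in ifs}
    if (CLASS_HID, PROTOCOL_KEYBOARD) in ifs and CLASS_MASS_STORAGE in classes:
        return "deny", "storage device that also presents a keyboard"
    if CLASS_HID in classes:
        return "ask", "unknown input device: approve it from an already trusted keyboard"
    if classes and classes <= {CLASS_MASS_STORAGE, CLASS_HUB}:
        return "allow", "storage or hub only: it cannot inject keystrokes"
    return "ask", "unrecognised interface classes: " + ",".join(sorted(classes))


def apply_policy(dev_dir, approved):
    """Write the verdict to the device's 'authorized' attribute (1 = usable, 0 = blocked)."""
    verdict, reason = decide(dev_dir, approved)
    (pathlib.Path(dev_dir) / "authorized").write_text("1\n" if verdict == "allow" else "0\n")
    return verdict, reason


def lock_down_root_hubs(sysfs=SYSFS_USB):
    """Have every root hub leave newly attached devices unauthorized until a policy decides."""
    for hub in pathlib.Path(sysfs).glob("usb*"):
        (hub / "authorized_default").write_text("0\n")


def sweep(sysfs=SYSFS_USB, approved=frozenset()):
    """Apply the policy to every device currently present; returns {name: (verdict, reason)}."""
    results = {}
    for dev in sorted(pathlib.Path(sysfs).iterdir()):
        # skip root hubs ("usb1") and interface entries ("1-2:1.0"), which carry no idVendor
        if dev.name.startswith("usb") or not (dev / "idVendor").exists():
            continue
        results[dev.name] = apply_policy(dev, approved)
    return results


def build_sample_tree(root):
    """Constructed sysfs-style tree with made-up IDs (not captured from a real machine)."""
    root = pathlib.Path(root)
    (root / "usb1").mkdir()
    (root / "usb1" / "authorized_default").write_text("1\n")
    devices = {
        "1-1": ("1111", "0001", "KB001", [("03", "01"), ("03", "02")]),  # keyboard + media keys
        "1-2": ("2222", "0002", "", [("08", "50")]),                      # plain flash drive
        "1-3": ("3333", "0003", "", [("08", "50"), ("03", "01")]),        # "drive" that also types
        "1-4": ("4444", "0004", "SENS1", [("ff", "00")]),                 # vendor-specific sensor
    }
    for name, (vid, pid, serial, ifs) in devices.items():
        d = root / name
        d.mkdir()
        for attr, val in (("idVendor", vid), ("idProduct", pid), ("serial", serial)):
            if val:
                (d / attr).write_text(val + "\n")
        for i, (cls, proto) in enumerate(ifs):
            iface = d / f"{name}:1.{i}"
            iface.mkdir()
            (iface / "bInterfaceClass").write_text(cls + "\n")
            (iface / "bInterfaceProtocol").write_text(proto + "\n")
    return root


def demo():
    """Run the policy over the sample tree; keyboard 1-1 was approved on an earlier attach."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_tree(tmp)
        lock_down_root_hubs(root)
        verdicts = {n: v for n, (v, _) in sweep(root, {("1111", "0001", "KB001")}).items()}
        verdicts["authorized_default"] = read_attr(root / "usb1" / "authorized_default")
        return verdicts
```

On a real host `lock_down_root_hubs()` and `sweep()` need root and would be run from a udev rule or at boot; an "ask" verdict leaves the device at `authorized = 0` until something (a dialog driven from an already approved keyboard) adds it to the approved list.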

Definitely a good start but in a targeted attack scenario that's pretty trivial to bypass, if someone brags about having the latest Das Keyboard or something that's all it'd take... we need cryptographic authentication in the USB specification or at least a randomized serial that'd be unique per device so an attacker would need physical access to clone your keyboard.

I believe modern Thunderbolt already has this sort of cryptographic device authentication, which means not only physical access but at least a bit of reverse engineering skill, a much higher barrier than knowing their keyboard model.

It's particularly frustrating because of how trivial the solution appears to be. Trust on first use is more than sufficient in this case, so asymmetric cryptography with a randomized key would be fine. I realize mass produced electronics can be very cost sensitive and that a PKI chip might add a whole $0.70 to your product (https://www.digikey.com/en/product-highlight/a/atmel/atsha20...), but still. I paid ~$50 for my keyboard! I would not have begrudged the manufacturer an extra dollar or two in order to ensure my system's security.

That's definitely progress, but there's more work needed to make it usable enough to be on by default.

As far as I understand it, this already is on by default for ChromeOS. The kernel patches make it possible to utilize internal USB devices during the boot process without disabling protection, i.e. there's no vulnerability window prior to user space being up and running.

I believe the major missing piece for desktop Linux at this point is that many input devices (including my own) are USB based. Without a way for the device to cryptographically attest its identity, you either have to accept vulnerability from wired external devices during boot or do without input until user space has been started.

Edit: My mistake. It appears that it was opt-in as of January, will become on-by-default at some point in the future, and only blocks devices during boot and while the screen is locked. It appears to trust all devices plugged into it once you've logged in. (https://www.forbes.com/sites/leemathews/2019/01/07/google-sh...)

The only reason your laptop is trusted is because you trust the person who gave you the laptop. The same threat model applies to the first keyboard you get for your desktop. Neither laptop/desktop nor keyboard is inherently more trustworthy.

I'm not worried about the keyboard I purchased or my hardware vendor. Well I am, but far less so than the prospect of a foreign USB device being plugged in and managing to execute malicious code. Think someone quickly inserting a device as they walk by, secretly swapping out one of my peripherals while I'm not around, or similar. Authorization on first use is more than sufficient to mitigate this type of attack, and if you add end-to-end encryption you can also prevent USB keyloggers.
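The trust-on-first-use flow proposed here and in the earlier comment about a per-device key chip, written out as an added example rather than anything from the thread: the device holds a random per-unit key, the host enrolls it once on explicit user approval, and every later attach is a challenge-response that a clone presenting the same VID/PID/serial cannot pass. It assumes a symmetric HMAC key in place of the asymmetric key the comment suggests, and exporting the key once at enrollment stands in for a real pairing exchange; all device IDs are made up.

```python
"""Trust-on-first-use authentication for a USB input device (added example)."""
import hashlib
import hmac
import secrets


class DeviceCryptoChip:
    """Stand-in for a per-device secret-key chip: a random key burned in at manufacture.
    A real part would answer challenges without ever exposing the key; here the key is
    exported exactly once, during enrollment, to keep the example within the stdlib."""

    def __init__(self, vendor_id, product_id, serial):
        self.vendor_id, self.product_id, self.serial = vendor_id, product_id, serial
        self._key = secrets.token_bytes(32)
        self._enrolled = False

    def export_pairing_key(self):
        if self._enrolled:
            raise PermissionError("pairing key can only be exported once")
        self._enrolled = True
        return self._key

    def respond(self, challenge):
        """MAC over the device identity and the host's fresh nonce."""
        ident = f"{self.vendor_id}:{self.product_id}:{self.serial}".encode()
        return hmac.new(self._key, ident + challenge, hashlib.sha256).digest()


class CloneDevice(DeviceCryptoChip):
    """Copies a trusted device's visible identity but necessarily has a different key."""

    def __init__(self, original):
        super().__init__(original.vendor_id, original.product_id, original.serial)


class Host:
    def __init__(self):
        self.trusted = {}  # (vid, pid, serial) -> pairing key; persisted on a real host

    def attach(self, device, user_approves):
        """Decide whether keystrokes from `device` may reach applications.
        Returns 'enrolled', 'authenticated', 'rejected' or 'pending'."""
        ident = (device.vendor_id, device.product_id, device.serial)
        if ident not in self.trusted:
            # First sight of this identity: only a deliberate user action enrolls it.
            if not user_approves(ident):
                return "pending"
            self.trusted[ident] = device.export_pairing_key()
            return "enrolled"
        nonce = secrets.token_bytes(16)  # fresh per attach, so a recorded answer is useless
        expected = hmac.new(self.trusted[ident],
                            ":".join(ident).encode() + nonce, hashlib.sha256).digest()
        if hmac.compare_digest(expected, device.respond(nonce)):
            return "authenticated"
        return "rejected"


def demo():
    """Life of one keyboard (constructed IDs): prompt dismissed, approved, re-plugged, cloned."""
    host = Host()
    keyboard = DeviceCryptoChip("1111", "0001", "KB001")
    approve = lambda ident: True   # the user confirms the prompt for the keyboard they bought
    decline = lambda ident: False  # ...but not for a device they did not expect
    return [
        host.attach(keyboard, decline),               # unknown and not approved: stays pending
        host.attach(keyboard, approve),               # approved once: key stored
        host.attach(keyboard, decline),               # next boot: silent challenge-response
        host.attach(CloneDevice(keyboard), approve),  # same VID/PID/serial, wrong key
    ]
```

The third attach passes without any prompt because the host already holds the key, which is what removes the "type your password three times" objection raised elsewhere in the thread; only a never-seen identity needs the user's attention.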

I wish I could upvote this comment twice.

At this point in 2019 intelligence gathering and government/corporate security vulnerabilities are much more in the digital realm than physical. Wifi enabled cameras/microphones, cell phones, servers, consumer computers, USB devices, IoT devices are all used to that end.

We need to hold the flame to OS vendors to handle basic security precautions. It's not like the US government doesn't have contract negotiations with them large enough to force the issue.

It's also unacceptable to have security around the most protected person on the planet be ignorant to common attack vectors and procedures.

It’s largely shortcomings of “modern” OS designs and hardware. Things like kernel-space drivers and dma for peripherals make it very hard to have any reasonable level of protection.

If I were a gov, I'd have a gov-only interface. One that isn't common and available to every person on the planet.

Hasn't the security by obscurity myth been debunked, and furthermore hasn't government proven itself utterly incompetent at designing products?

I'm not sure I would classify it as such, it's more of an attack surface reduction, assuming we're only talking about the physical form factor.

> incompetent at designing products?

You mean like SELinux? Or SE Android? Or the STIGs?

That's not really what I meant.

I am just saying that they should have a pre-USB meter that prevents the USB stick from being attached to a device directly such that they can screen it off ...

Defense in depth has not been debunked.

Yubikeys can pretend to be keyboards to type your password. It's a simple way to get maximum compatibility for a hardware key. I imagine there's other legitimate use-cases for non-keyboards to act like keyboards.

Still, requiring one to type a password in a newly connected keyboard is a pretty good idea as long as it's a configuration option. I imagine you'd also like something similar for the mouse. Maybe having to type a password on a virtual keyboard. It's annoying to have to do something like that every time a computer is woken up. You're talking about typing a password 3 times. Once to log the keyboard in, then to log the mouse in, then to select a user and log the user in.

Your other suggestions are vague, so I'm not sure what you mean by "basic". I mean, if one knows a driver is buggy, those bugs would be taken care of (from the developer's point of view; the administrator might not update the software, but what can the developer do?).

And what does it mean to "harden" a filesystem driver when a device identifies itself as a storage device? A filesystem driver should be "hard", period. All the time. That's something done when the driver is being written, not until it identifies a device.

You only need to authenticate a device once, when you first acquire it, or after it is tainted due to loss of physical control. This is how Bluetooth works today.

Maybe I'm wrong, but there's currently no sort of authentication protocol for devices in USB, right? I (and I think jimrandomh too) was thinking of USB as-is. Something that OSes can do right now without having to wait for whoever controls the USB spec. As it is, how can an OS know that the mouse it sees on waking up is the same mouse that was connected before it slept or powered off? I don't think there's any sort of cryptographic authentication specified for USB devices.

> If a USB device identifies itself as a keyboard, the system shouldn't accept its keystrokes until that keyboard has typed the user's login password.

Wireless presenters often identify themselves as keyboards so that they can "press" the arrow keys to move forward or backward. How are you going to type your password using such a device?

Yes, there are corner cases (another commenter mentioned a temperature sensor, and I think this is also common among barcode scanners). These corner cases are not hard to work out; just prompt the user and require them to confirm that the device is, in fact, allowed to act like a keyboard.

(Which would mean you can still have malware-download-command-typers pretending to be barcode-scanners pretending to be keyboards, but you can't have malware-download-command-typers pretending to be storage devices pretending to be keyboards, because the "Allow typing with this keyboard?" dialog will give it away.)

I would guess that 99% of users would click ok for "Allow typing with this keyboard?" when they plug in a USB storage device.

I'd hope the Secret Service is in the 1%.

You would only need the password-auth to bootstrap your primary keyboard. If you already have a keyboard you can just accept the prompt.

You can lock down USB access on Linux with usbguard[0]. IIRC Windows 10 Enterprise also has some USB whitelist feature somewhere.

[0] https://usbguard.github.io/

This was super easy to setup in Ubuntu, thanks!

Because the overwhelming majority of computer users in the world are not sophisticated, and want things to "just work" once those things are plugged in. I don't think it's an unreasonable expectation/desire, despite the risks.

Keep in mind that autoplay is not unique to USB drives either. CD-ROM drives have had that feature forever.

>It's 2019. Why the f* haven't Windows, MacOS and Linux all implemented these basic precautions?

Because up until 10 years ago, developing your own USB device was generally expensive and malicious devices ended up being out of scope in threat modelling. In addition, some models these days still define 'physical access == game over'...

>USB device was generally expensive

How expensive? USB is a protocol, a micro, and some power management.

How long ago was this 'out of scope'?

I imagine he means before the advent of 3D printing, services like PCBWay, products like Arduino, and online stores like DigiKey. It's probably much easier to make one's own devices today than it was when USB was first being designed.

He's also right about the physical access thing. Fundamentally, it doesn't make much sense to add protections against scenarios where the attacker apparently needs physical access, because there's no way to protect against all things he could possibly do then. It's not really obvious that the user needs protecting from himself as he plugs in a device of doubtful origins. We used to hold the user to higher standards.

Because very many people (and more importantly, businesses) have obscure buggy printers from the 90s or the equivalent thereof.

The key thing to realize is that malicious USB devices get to choose which device they identify themselves as to the operating system, but have much less control over what they physically look like to the user.

If you plug in an old printer, you know you just plugged in an old printer; you can load the old-printer device driver and it probably won't exploit it. But if you plug in a USB stick you found in the parking lot, and it asks you whether you just plugged in an old printer, then the game is up; you know it's a tricky device, pretending to be something it's not in order to target a security vulnerability.

You are putting way, way too much faith in the average user. See, for instance, TLS exceptions. Also, realize that all the adversary needs to do is some trivial social engineering. A label on the thumb drive with a picture of the prompt and a mouse over "ok" would probably do it.

And because the 99% use case is: "I plug it in and I want it to just work"

This type of protection parent is referencing is "endpoint protection" and there are many industry standard solutions. Why should an OS be more limiting? If you have physical access to a machine that stores things you shouldn't have access to, it's already compromised in my opinion. Why the eff are people overlooking physical security in 2019 is the better question.

> It's a severe discredit to the major operating system vendors that plugging in a USB stick can still compromise a system.

Universal plug'n'play is USB's reason for existence, if it can't do that then maybe we should step away from USB itself. Back when keyboards were plugged into PS/2 ports I didn't have to worry a floppy disk would emulate one (ignoring autorun). I'm sure it's possible to have a malicious PS/2 device, but having it plug into the keyboard port would at least indicate what it's going to do.

I'd like to point out that nearly every single USB barcode scanner shows up as a keyboard to the operating system. Your point of sale system has to have focus on the field awaiting input and then when you scan a barcode it just "types in" the scanned number. What you are suggesting would immediately break compatibility with a huge number of devices out there.

This is likely not enough to secure a system against a sufficiently skilled adversary. An OS has limited control over many of the side-channels available to the USB stick once it is inserted into the system (e.g., fluctuations in the voltage rails that give away what the processor is doing).

If you are thinking in terms of "if it identifies itself as...," then there is a good chance that something lower in the stack may be compromised.

This gets even more troublesome once we consider that people sometimes forget that seemingly "dumb" dongles such as display adapters can be very similar to USB sticks from an implementation and vulnerability point of view (e.g., "Thunderclap").

I think the overhead of hardening systems for each of these scenarios would be immense.

Yes, there will likely still be ways for a malicious USB device to use electrical side-channels to attack a connected computer. But devices like that will be much harder to develop. And more importantly: compromised devices which weren't originally designed to do that, won't be able to rewire themselves into side-channel-exploiters. So if my USB storage device has a firmware vulnerability, and a malicious computer reprograms it, it won't be able to use electrical side-channels to attack my other computers because it doesn't have a suitable DAC and ADC.

> This is likely not enough to secure a system against a sufficiently skilled adversary.

That statement is not helpful, because it remains true for any security measure.

The GP suggestions can make everyone's computers more secure now, at what would seem to be a low cost...

> If a USB device identifies itself as a keyboard, the system shouldn't accept its keystrokes until that keyboard has typed the user's login password

Probably easier/safer to display a random number on-screen and then ask the user to retype it into the device. I figure numbers are less likely to run into problems when the keyboard isn't US-standard QWERTY.

For more paranoia/portability, show the user a repeating rhythm-game and wait for them to hit any keys they want as long as it is close enough to the correct pattern. ("Shave and a haircut... two bits!")

You could also use audio output for the user to hear, but then the attacker could embed a tiny microphone in the USB stick...

Then in a walk-by attack the attacker can just type the number or play the game. Hopefully they wouldn't know the user's password.

Confirming a new device should always be separate from the dozens of unique and distinctive scenarios where a user might (or might not) need to authenticate themselves.

The reason for it to be the user's login password is that, in the common case where you plug a keyboard into a computer that's just booted or which has been unattended for a while, you're already typing a login password, so it isn't making you do anything you weren't doing already.
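Added illustration of the gate proposed in this sub-thread (mine, not code from anyone posting here or from any OS vendor): a newly enumerated HID keyboard is quarantined until it types the random challenge shown on screen, and its reports are also checked against a typing-rate threshold no human reaches. The HID boot-keyboard report layout and the usage-ID table are standard; the 12-presses-in-0.5-s threshold, the numeric challenge, the US-layout subset and the demo report sequences are assumptions made for this example.

```python
"""Quarantine gate for a newly attached USB keyboard.

Added illustration for this thread, not code from any OS vendor.  A freshly
enumerated HID keyboard gets no input rights until it has typed the random
challenge shown on screen, and every report is also checked against a
"no human types this fast" threshold.  Reports use the HID boot-keyboard
layout (8 bytes: modifier bits, reserved, up to six key usage IDs).  The
thresholds and the demo report sequences are assumptions made here.
"""
from __future__ import annotations
import secrets
from dataclasses import dataclass, field

# HID keyboard usage ID -> (unshifted, shifted) character, US layout subset.
_USAGE: dict[int, tuple[str, str]] = {}
for _i, _c in enumerate("abcdefghijklmnopqrstuvwxyz"):
    _USAGE[4 + _i] = (_c, _c.upper())
for _i, (_lo, _hi) in enumerate(zip("1234567890", "!@#$%^&*()")):
    _USAGE[30 + _i] = (_lo, _hi)
_USAGE.update({40: ("\n", "\n"), 43: ("\t", "\t"), 44: (" ", " "), 45: ("-", "_"),
               46: ("=", "+"), 47: ("[", "{"), 48: ("]", "}"), 49: ("\\", "|"),
               51: (";", ":"), 52: ("'", '"'), 53: ("`", "~"), 54: (",", "<"),
               55: (".", ">"), 56: ("/", "?")})
_CHAR: dict[str, tuple[int, bool]] = {}      # reverse map, used by type_string()
for _u, (_lo, _hi) in _USAGE.items():
    _CHAR.setdefault(_lo, (_u, False))
    _CHAR.setdefault(_hi, (_u, True))
MOD_SHIFT = 0x22                              # left or right Shift bit
MOD_GUI = 0x88                                # left or right GUI (Win/Cmd) bit


def decode_report(report: bytes, previous: bytes = bytes(8)) -> list[str]:
    """Characters newly pressed in this report compared with the previous one."""
    if len(report) != 8:
        raise ValueError("boot keyboard reports are exactly 8 bytes")
    mods, held = report[0], set(previous[2:8])
    out = []
    for usage in report[2:8]:
        if usage == 0 or usage in held or usage not in _USAGE:
            continue                          # idle slot, key still held, or unmapped
        ch = _USAGE[usage][1 if mods & MOD_SHIFT else 0]
        out.append(f"<GUI+{ch}>" if mods & MOD_GUI else ch)
    return out


@dataclass
class KeyboardGate:
    """State for one keyboard: quarantined until the challenge has been typed."""
    challenge: str = field(default_factory=lambda: f"{secrets.randbelow(10**6):06d}")
    max_attempts: int = 3
    burst_keys: int = 12          # more than this many presses ...
    burst_window: float = 0.5     # ... inside this many seconds is not a human
    authorized: bool = False
    blocked: bool = False
    suspicious: bool = False
    _buf: str = ""
    _attempts: int = 0
    _prev: bytes = bytes(8)
    _times: list[float] = field(default_factory=list)

    def feed(self, report: bytes, t: float) -> str:
        """Handle one report arriving at time t (seconds).  Returns the text that
        may reach the session: always '' while quarantined or blocked."""
        chars = decode_report(report, self._prev)
        self._prev = report
        if not chars or self.blocked:
            return ""
        self._times = [x for x in self._times if t - x <= self.burst_window] + [t] * len(chars)
        if len(self._times) > self.burst_keys:
            self.suspicious = True    # keystroke-injector territory, worth logging
        text = "".join(chars)
        if self.authorized:
            return text
        self._buf += text             # quarantined: buffer only, never deliver
        while "\n" in self._buf and not (self.authorized or self.blocked):
            attempt, _, self._buf = self._buf.partition("\n")
            self._attempts += 1
            if attempt == self.challenge:
                self.authorized, self._buf = True, ""
            elif self._attempts >= self.max_attempts:
                self.blocked = True
        return ""


def type_string(text: str) -> list[bytes]:
    """Press/release report pairs for text, the way a keystroke injector sends
    them; demo input only."""
    reports = []
    for ch in text:
        usage, shifted = _CHAR[ch]
        reports.append(bytes([0x02 if shifted else 0, 0, usage, 0, 0, 0, 0, 0]))
        reports.append(bytes(8))      # all keys released
    return reports


def run_session(gate: KeyboardGate, reports: list[bytes], interval: float) -> str:
    """Feed reports spaced interval seconds apart; return what was delivered."""
    return "".join(gate.feed(r, i * interval) for i, r in enumerate(reports))
```

Two things the model makes visible. A device that types blind (the "stick that is really a keyboard" case) never learns the challenge, so nothing it types leaves the quarantine buffer, and after three Enter-terminated wrong guesses it is blocked; a payload fired at injector speed also trips the rate flag, which is a useful log event on its own. What the gate does not stop is exactly the walk-by case raised above: someone standing at an unlocked console can read the challenge and type it, which is why the challenge must only ever be shown in an unlocked session and why it is a device-confirmation step, not an authentication step. The same decode_report() reads HID interrupt traffic out of a usbmon or Wireshark capture, so it doubles as a way to see what a suspect "keyboard" tried to type.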

Why is the secret service using Windows, osx or Linux to do USB analysis in the first place?

Problem is some of the vulnerabilities can be in the USB controller firmware itself.

One small example: KVM switches would become incredibly cumbersome to use. However, I agree, there should be a much higher security standard for USB devices on the OS-level.

There are some implementation details that the KVM maker would have to get right, but if they don't screw it up, it all works as expected.

Good KVMs already look at the keyboards they have connected, present separate virtual keyboards to connected computers, and route keystrokes explicitly based on state. You just need them to count the keyboards connected to them, and present a separate virtual keyboard for each downstream connected keyboard, so that the connected computers can tell which keystrokes came from which keyboard.

That makes sense, guess I never really took time to think about it or inspect.

Because then mouse, keyboard and other devices will not automatically work when you plug them in and 99% of users will hate that.

In BSDs and Linux, you can recompile the kernel without USB support. But then you will have to go back to using a PS/2 keyboard and mouse.

In Linux, you don't even need to recompile the kernel. You can simply pass the "nousb" parameter at boot.

Backwards compatibility.. /s

> It's a severe discredit to the major operating system vendors that plugging in a USB stick can still compromise a system.

Well, just the one OS vendor comes to mind and a particular chip maker also shares the blame. Just how difficult can it be to design-in total isolation into a 'computer'.

great, now I've typed my password into what turned out to be a malicious device ...

You misunderstand. Malicious USB devices often present themselves to computers as keyboards, which type malicious commands. But they don't look like keyboards, or have keys on them; they usually look like USB storage devices.

Now I'm imagining someone dropping malicious keyboards instead of USB sticks, waiting for people to pick them up and plug them into their computers.

They don't drop them but instead ship them to arrive for Friday delivery. Over the course of the weekend the malicious keyboard cuts its way out of the shipping envelope and scans the target office for the nearest USB port. More recent models will shove the existing keyboard behind the desk, like a Cuckoo chick does with any remaining eggs after hatching.

You misunderstand. Start forcing me to type my password as the first thing into a new keyboard, and now malicious keyboards can be certain that the first characters up to <ENTER> are a valid password for the device in question.

That's already a risk with any keyboard you use.

Buggy drivers are a problem, but if you control the hardware, it's your responsibility to vet what you plug into it. It's like with door locks: if you need protection from advanced thieves you'll need to go through some extra hoops anyway.

You could petition OS manufacturers to focus more on physical security, but there's limits to what you can do without piles of abstractions (ala smart phone security)

> it's your responsibility to vet what you plug into it

Okay, please explain a little more. I'll give you a concrete example of a device to work with.

Last week I accidentally left my usb flash drive at a coffee shop with some important files on it. When I went back, the coffee shop had it in the lost and found. It looks the same on the outside, but it's a mass-produced model.

How do I vet this hardware before plugging it into my computer? I do need to access the files on it, but also attackers may have had access to it for several hours.

If security is so important to you, you buy a $100 laptop, put the stick in it, get the files and upload them somewhere then burn the laptop and stick.

Or just go to an "Internet Cafe" and do it there.

A human cannot vet an electronic device. We can only interface to it from another electronic device.

The same argument applies to the Internet -- we don't say that it's the human's responsibility to vet every website or email message before we let our computer connect to it. We expect our computer to do that. That's why it was wrong for Outlook to automatically execute every program sent to you via email.

Your computer isn't vetting things it gets from the internet at all, with the exception of TLS certs and anti-virus scanning. Virtually all other operations done with remote content are unvetted; it's play & pray. You clicking a button is the only vetting process.

> it immediately began to install files, a “very out-of-the-ordinary” event that he had never seen happen before during this kind of analysis. The agent had to immediately stop the analysis to halt any further corruption of his computer

This makes it sound like plugging USB sticks guests are carrying into a computer is standard procedure for the Secret Service. That might make sense if they have some sandboxed computer designed for this purpose, as suggested by other commenters. But then the rest of the quote makes it sound like the agents were unprepared for files to be copied and they panicked and aborted the "analysis" to prevent "corruption". Which makes it sound like, no, they just plug it into their own computers...

The Secret Service as an organization has sophisticated cyber capabilities. That a specific agent within the president's detail didn't is less surprising. Still, I'd expect more from the organization, and I bet that the specific agents involved are getting disciplined and trained.

Well, they are supposed to.

"The Secret Service agent who questioned Ms. Zhang after her arrest, Samuel Ivanovich, said during testimony... [h]is four-and-a-half hour interrogation of Ms. Zhang was recorded by video... but it lacked sound because he didn’t realize that the agency’s office in Palm Beach didn’t have that capability." [0]

[0] https://www.nytimes.com/2019/04/08/us/chinese-woman-mar-a-la... ¶12

Outside the Silicon Valley bubble, cybersecurity means Windows antivirus products, password policies, caution around unsolicited email, etc. Maybe the most sophisticated users of the term have a dim idea of what encryption means. When a government agency has "sophisticated cyber capabilities" I would generally take that to mean reams of paperwork asserting that Norton is properly installed on every desktop.

The whole dimension of vulnerabilities and exploits, protocol flaws, trust boundaries, techniques for selecting or creating less vulnerable software, getting crypto implementation details right, principle of least privilege... none of that stuff even registers. I briefly worked in an IT consulting company that sold security and PCI compliance services; nobody was talking about any of that stuff. It was all password policies, antivirus products, phishing awareness campaigns.

The government definitely has real computer security engineering work happening in the NSA, NIST (FIPS 140-2 in particular is no joke), and other very high end defense-related areas. But I would not generally expect people using the word "cyber" to have a fighting chance against a nation-state-level evil USB stick.

Well, the head of USSS was fired today. Unclear if it's related.

He was also fired after the Secret Service criticised security at Mar a Lago, so we've got a few candidates to choose from in working out the real reason.

The Secret Service reports to DHS. Mr. Alles was an ally of Ms. Nielsen, who just resigned/got the boot. Stephen Miller reportedly got the go-ahead to clean house at DHS, so all the leadership that isn't in line will get cleared out.

I'm of the opinion that a POTUS that carries an unsecured iPhone against the recommendations of his staff (and overrules their security clearance decisions for his son-in-law) isn't going to fire anyone due to quibbles over OPSEC.

Generally agree. One thing can nevertheless be used as an excuse for the others, as certain little aides carry out their certain little agendas.

That's -3 points for a +3 opinion

According to the Times:

>Mr. Alles was told to develop an exit plan before the arrest of a Chinese woman carrying a malware-laced device at Mar-a-Lago, exposing holes in the security of the private club.


> Williams said the best way to forensically examine a suspect USB drive is by plugging the device into an isolated Linux-based computer that doesn’t automatically mount the drive to the operating system.

> “We would then create a forensic image of the USB and extract any malware for analysis in the lab,” he said. “While there is still a very small risk that the malware targets Linux, that’s not the normal case.”

That's an ok start, but you not only want to prevent it from auto-mounting the filesystem, you want it to not even auto-configure any USB HIDs presented to the OS. And even then that may not be enough if there are flaws deep in the usb stack that are being exploited. Ideally you'd have an analyzer in the middle that records everything and allows analysis later, think Wireshark or Fiddler.

My null hypothesis on reading this article is that the Secret Service did exactly what Mr "NSA Hacker" Williams suggested onto an isolated linux laptop -- and in fact this was sophisticated enough malware to start attacking it when it wasn't even mounted. So the agent shut it down and sent it all off to a better equipped lab.

Which is actually pretty sane procedure.

I think techcrunch here is trying to sell us on the idea that we're all smarter than the stupid secret service in order to get clicks through manufactured outrage.

For people unfamiliar with this strategy, check out a commercialized version, the USB Rubber Ducky.


Or the USBNinja that crams that functionality into a cable identical to major vendors, and is triggerable up to 100m away via Bluetooth.... https://lab401.com/products/usbninja

That is terrifying

> While there is still a very small risk that the malware targets Linux

I found that statement surprising. For industrial or nation state espionage I would expect people to target Linux in 2019

Why? At least around here both of those sectors are still dominated by Windows with very few exceptions. Plus, in the specific incident, we're talking about a resort. The likelihood of that having valuable targets for data exfiltration running anything other would be slim to none (with maybe the exception of the odd router, wifi AP or similar that you'd have to know details of beforehand to attack).

Also keep in mind that the most likely accessible targets would be end user type machines, in that area I'd understand if you carry something exploiting a Mac but Linux? That's just virtual dead weight.

I'm honestly surprised by the statement you quoted. You don't plug a random piece of evidence into your PC, not even for analysis, not even on a pseudo-isolated thing. From what I've seen in the private space you'd at least use something like a Logicube Talon/Falcon or similar device that is certified for forensic use and get an image of that storage medium, then you'd analyse that image.

edit: looks like their products have another name nowadays, basically something that's forensically sound and allows you to create storage images

Are there any open-source or commercial systems that do anything close to this? Does there exist such a forensically sound OS that should be used?

The best I've found for disk imaging is using Windows Enterprise (or similar, stripped down) with SafeBlock, but that seems less than ideal. I'd love to find a *nix alternative.

An out of the box Linux installation with a few changes should be enough. Though you should probably use a hardened distribution. The above poster basically listed the final steps. Go to the kernel and build a white list of valid USB devices (the machine's keyboard and mouse) to prevent it from talking to a "keyboard" you plug in. Turn off auto-mounting features, record traffic so you can double check. And keep the machine physically air-gapped.

I don't know much about this case but depending on the level of concern, even just plugging the device into a safe, isolated machine and performing an image may be insufficient.

You could imagine a USB device that presented as a harmless file store unless certain conditions were detected, in which case the device could re-present as a keyboard (providing pre-programmed keystrokes) or potentially a bluetooth or wireless network receiver that could log or analyze traffic to a hidden partition.

I think the question of how to safely analyze suspect USB devices, at the level of potential nation-state actors, needs a lot more consideration and probably some custom tooling.

I can't think of many things more fun than coming up with some clever USB descriptor hacks to allow an innocuous drive full of pictures of grandchildren to carefully switch into an HID device when it thinks the coast is clear. I have to imagine there's a lot of little tricks you could implement which would be difficult to trigger in a sandbox and might require dumping the EEPROM (if that's possible).

There are quite a few usb descriptor related exploits.

e.g. https://www.cvedetails.com/cve/CVE-2013-3200/
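Added example for the descriptor discussion above (the "harmless file store that re-presents as a keyboard" device, the descriptor-hack angle, and the earlier suggestion of whitelisting known-good devices on an analysis box). It is my code, not anything from the thread, the Linux kernel or a forensic product. It walks the raw descriptor blob the way the kernel does (bLength/bDescriptorType headers, nothing else trusted), then applies a policy: a device exposing mass storage together with HID, wireless or CDC interfaces is rejected outright, a bare keyboard is quarantined for confirmation, and an optional per-port class allow-list expresses the "this port is storage-only" rule. Linux really does expose each device's descriptors as /sys/bus/usb/devices/<dev>/descriptors and accepts a 0 in its authorized attribute; the sample blobs and their 1234:000x vendor/product IDs are constructed placeholders, and the exact rejection rules are my choices.

```python
"""Parse a device's USB descriptors and decide whether it may be bound.

Added example: not code from the thread, the kernel or any forensic product.
Input is the blob Linux exposes as /sys/bus/usb/devices/<dev>/descriptors
(device descriptor, then each configuration with its interface, HID and
endpoint descriptors back to back); the same bytes appear as GET_DESCRIPTOR
responses in a usbmon/Wireshark capture.  Sample blobs below are constructed
and use placeholder vendor/product IDs.
"""
from __future__ import annotations
import os
import struct
from typing import NamedTuple

DT_DEVICE, DT_CONFIG, DT_INTERFACE, DT_ENDPOINT = 1, 2, 4, 5
CLASS_CDC, CLASS_HID, CLASS_MASS_STORAGE, CLASS_WIRELESS = 0x02, 0x03, 0x08, 0xE0

class Interface(NamedTuple):
    cls: int
    subclass: int
    protocol: int

    def is_keyboard(self) -> bool:  # HID boot keyboard: class 3, subclass 1, protocol 1
        return self == (CLASS_HID, 1, 1)

def parse_descriptors(blob: bytes) -> tuple[int, int, list[Interface]]:
    """Walk bLength/bDescriptorType headers; returns (vid, pid, interfaces)."""
    vid = pid = None
    interfaces: list[Interface] = []
    pos = 0
    while pos + 2 <= len(blob):
        length, dtype = blob[pos], blob[pos + 1]
        if length < 2 or pos + length > len(blob):
            raise ValueError(f"malformed descriptor at offset {pos}")
        body = blob[pos:pos + length]
        if dtype == DT_DEVICE and length >= 18:
            vid, pid = struct.unpack_from("<HH", body, 8)             # idVendor, idProduct
        elif dtype == DT_INTERFACE and length >= 9:
            interfaces.append(Interface(body[5], body[6], body[7]))  # class, subclass, protocol
        pos += length                                                 # other types: skipped
    if vid is None:
        raise ValueError("no device descriptor found")
    return vid, pid, interfaces

def judge(interfaces: list[Interface], port_allowed: set[int] | None = None) -> tuple[str, str]:
    """Policy for one enumeration; re-run it whenever the device re-enumerates.
    port_allowed lists the classes one physical port may expose, e.g.
    {CLASS_MASS_STORAGE} for a storage-only port on the analysis box."""
    classes = {i.cls for i in interfaces}
    extra = classes & {CLASS_HID, CLASS_WIRELESS, CLASS_CDC}
    if CLASS_MASS_STORAGE in classes and extra:
        return "reject", f"mass storage also exposes class(es) {sorted(extra)}"
    if port_allowed is not None and not classes <= port_allowed:
        return "reject", f"class(es) {sorted(classes - port_allowed)} not allowed on this port"
    if any(i.is_keyboard() for i in interfaces):
        return "quarantine", "new keyboard: accept no input until the user confirms it"
    return "allow", "only expected interface classes"

def audit_sysfs(root: str = "/sys/bus/usb/devices", enforce: bool = False) -> dict[str, tuple[str, str]]:
    """judge() every device below a sysfs tree; enforce=True de-authorizes rejects (needs root)."""
    verdicts = {}
    for name in sorted(os.listdir(root)):
        desc = os.path.join(root, name, "descriptors")
        if not os.path.isfile(desc):
            continue                                   # interface dirs carry no blob
        with open(desc, "rb") as f:
            verdicts[name] = judge(parse_descriptors(f.read())[2])
        if enforce and verdicts[name][0] == "reject":
            with open(os.path.join(root, name, "authorized"), "w") as f:
                f.write("0")
    return verdicts

# Constructed sample blobs in the sysfs layout (device, config, interface, endpoint).
def _dev(vid: int, pid: int) -> bytes:
    return struct.pack("<BBHBBBBHHHBBBB", 18, DT_DEVICE, 0x0200, 0, 0, 0, 64,
                       vid, pid, 0x0100, 1, 2, 3, 1)

def _iface(num: int, cls: int, sub: int, proto: int, eps: int) -> bytes:
    return struct.pack("<9B", 9, DT_INTERFACE, num, 0, eps, cls, sub, proto, 0)

def _ep(addr: int, attrs: int, maxp: int) -> bytes:
    return struct.pack("<BBBBHB", 7, DT_ENDPOINT, addr, attrs, maxp, 10)

def _config(parts: list[bytes], n_ifaces: int) -> bytes:
    body = b"".join(parts)
    return struct.pack("<BBHBBBBB", 9, DT_CONFIG, 9 + len(body), n_ifaces, 1, 0, 0x80, 50) + body

STORAGE = [_iface(0, CLASS_MASS_STORAGE, 0x06, 0x50, 2),       # SCSI transparent, bulk-only
           _ep(0x81, 0x02, 512), _ep(0x02, 0x02, 512)]
KEYBOARD = [_iface(1, CLASS_HID, 1, 1, 1), _ep(0x83, 0x03, 8)]  # boot keyboard, interrupt IN

def sample_plain_stick() -> bytes:
    return _dev(0x1234, 0x0001) + _config(STORAGE, 1)

def sample_stick_plus_keyboard() -> bytes:   # the "re-presents as a keyboard" composite
    return _dev(0x1234, 0x0002) + _config(STORAGE + KEYBOARD, 2)

def sample_keyboard() -> bytes:
    return _dev(0x1234, 0x0003) + _config(KEYBOARD, 1)
```

On a real analysis machine you would run audit_sysfs() from a udev hook or a loop, after setting the suspect port's root hub to authorized_default=0 so nothing binds before the verdict. Two caveats that the thread already raises and this code does not change: a device that waits and then re-enumerates with a different descriptor set has to be re-judged on every enumeration (hence the per-enumeration design), and none of this helps against a bug in the host's USB stack that triggers before any driver is chosen; for that you still want the transaction log (usbmon/Wireshark) so the exchange can be replayed later.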

This sounds like an effective way to stall investigations for months in exchange for a movie plot threat scenario.

"Boss, the electron microscope reverse engineering from that USB stick 6 months ago came back. They said they didn't find anything out of ordinary. The bill is $400k. But I guess we can start analyzing the contents now.".

Suppose it is just harmless to the computer, but it uses the USB port to power something else.

It could contain a microphone and a transmitter.

A more evil device, for assassination, could contain explosives or nerve gas. Plugging in the device is fatal.

Great plot device. When a certain file is opened, the nerve gas is released. Or when a file is saved with certain text or properties (author, etc).

However, I'm doubtful that a small USB drive would have enough volume to be effective. Wouldn't matter on TV though.

> I think the question of how to safely analyze suspect USB devices, at the level of potential nation-state actors, needs a lot more consideration and probably some custom tooling.

I would be absolutely shocked if the US’ three letter agencies did not have some form of custom tooling to detect this — especially considering the sophisticated multi-vector I/O exploitation they demonstrated a decade ago with Stuxnet and the Equation Group.

Regardless of your views on his policy, Trump has demonstrated zero respect for opsec — even in a national security context — so I would also not be surprised if those three letter agencies have decided the White House is untrustworthy with its cyber warfare capabilities.

Look, I hate Trump as much as the next guy (or gal), but do we really have to make EVERYTHING about Trump?

In this case we kind of do. The USB stick was recovered from a woman who was visiting Mar a Lago. Trump conducts government business there a lot, in a break with pretty much all advice. It's an incredibly insecure location.

I have a mysterious USB stick I received as a thank you from a delegation of the Chinese department of Customs (中华人民共和国海关总署) after presenting to them in Palo Alto. The USB is branded with the Chinese Customs logo and their slogan.

I haven't dared plugging this in. First and foremost I'm afraid it isn't standards compliant and will somehow fry my motherboard, secondly I don't have a burner device and the necessary knowledge to determine if anything suspicious is happening.

So for now my USB stick and its decorative case in Chinese art style are purely for display.

On the "determine if anything suspicious is happening" front, you can configure Wireshark to capture USB packets and show you what is going over the wire.

Oh nice! I've used Wireshark for TCP / UDP captures before but that's about it.

Maybe I can use a raspberry pi as burner device and check it out.

A pi zero would do the job and only risk about $5 to find out what's on the stick.

Nice idea. Start a service where people mail unknown USB devices to you and you email back a disk image.

That sounds really interesting. You should post later if you go through with your plan!

Given what happens to USB sticks in my household (needed fairly often), you may still be at risk of a family member opening it and using it should they need one in a pinch.

Fortunately I live alone and I can't remember the last time I used a USB drive. I have Gigabit Fiber so I transfer everything online.

Similar concerns should be made for Thunderbolt devices, which have direct PCIe access - much more low-level and dangerous than USB could be. The only system I've seen implement this is Gnome3 - it has a section in its system preferences for configuring Thunderbolt devices[0] and the Bolt daemon.[1]

[0] https://wiki.gnome.org/Design/Whiteboards/ThunderboltAccess

[1] https://www.phoronix.com/scan.php?page=news_item&px=Bolt-Pro...

Apparently windows has this too: https://www.startech.com/faq/thunderbolt-3-authentication-po.... Not sure whether that's the default behavior or how to enable it.

[gets apprehended by Secret Service]

"And what do we have here?" [holds up thumb drive]

"That? Uhh, that's, my secrets! Don't look at my secrets! Please don't plug them into your Microsoft Windows® computer!"

No one, ESPECIALLY the Secret Service, should randomly plug in a strange USB stick.

That should have been the correct title indeed. I was confused for a minute.

For all the complaining about usb devices, the agent behaved recklessly in trying to handle the device. If the person of interest had instead been carrying a quantity of unlabeled pills, the agent would be as wrong to gulp them down.

I would think the secret service would have a policy in place for handling unknown media already, and I’m sure a Very Urgent Memo is wending its way from division headquarters as we speak.

Ha haa haaaa .. you can not be serious :]

‘Secret Service agent Samuel Ivanovich, who interviewed Zhang at Mar-a-Lago, testified at the hearing. He stated that when another agent put Zhang's thumb-drive into his computer, it immediately began to install files, a "very out-of-the-ordinary" event that he had never seen happen before during this kind of analysis. The agent had to immediately stop the analysis to halt any further corruption of his computer, Ivanovich said. The analysis is ongoing but still inconclusive, he testified.’

That's the new go-to for asking embarrassing questions.

"How do I fix my computer after I plug in a malware USB device? I meant, I didn't do that, I'm asking for a f-- another agent."

Many voting machines being used still have USB ports wide open. It's absolutely horrifying!

I also don't like the new design of the MacBook in which they merged the USB port and charging port into one. This really opens up huge security risks in my opinion.

I doubt they would release their “real” operational procedures to the press. Surely they attached the USB to some sort of sandboxed environment? On the other hand why would they be carrying around such equipment?

I can totally buy some low-level Secret Service agent with little tech knowledge plugging it into a machine without thinking twice.

Or a high-level agent. There are many dimensions where level is independent of tech savvy. I'm sure >50% of Fortune 500 CEOs could be tricked in the same way -- at least among the ones who use a computer.

Absolutely. I was just thinking, perhaps naively, that a high-level Secret Service agent would be a bit more cautious and would think "I better report this thing to my superiors and not touch it at all, just in case", even if they know nothing about technology. You want cautious and paranoid people in a job like that.

The only prominent former Secret Service agent I'm aware of is Dan Bongino. After viewing his output over the last couple of years, I have developed a fairly low opinion of whether a Secret Service agent chosen at random is likely to display any real insightfulness. I'm sure they're quite well trained for physical combat though.

Umm... you can use a raspberry pi as a sandbox. My nephew carries around such equipment. Why wouldn’t the secret service?

Probably some over eager and hot headed officer wanting to prove they're hot shit without understanding the dangers.

I remember reading a story about Russian agents arranging for USB sticks with spyware to be sold in every kiosk selling gadgets around a US military base.

Shouldn't preventing this be as easy as turning off autorun? In fact, I thought Windows had that off by default for USB devices.

(Of course, I'm assuming we're not dealing with a zero-day in the USB stack or filesystem drivers. But that probably is something that the Secret Service should be on top of, as well.)

Good question. As I understand it, the USB stick can present itself as a keyboard, which is automatically mounted, and begins entering a series of keystrokes that program the system to compromise itself.

In essence, modern OSes give "autorun" privilege to keyboards and mice. That's the HID in this discussion -- Human Interface Device.

Aha, I missed that piece of the puzzle. Thank you.

> this be as easy as turning off autorun

What does autorun have to do with a mouse or keyboard device? The problem with USB is that you don't know if it is a "mass storage device" or any of the other kinds of devices that can start interfacing with your computer.

If it is an (automated) keyboard device (HID), it will immediately start "typing" which means it can open a terminal window and start executing things.

The thing that no one seems to point out is that just about any normal person carrying around a windows USB stick is likely to have malware on it. Just possessing a bad USB stick doesn't seem to be particularly incriminating by itself.

True, but there's a lot more going on here than "had a USB stick".

> She was caught by the Secret Service with four cellphones, a laptop, cash, an external hard drive, a signals detector to spot hidden cameras, and a thumb drive.

That's exactly how I travel to tech-related summits around the world, and I have nothing to do with espionage I assure you.

I have 3 cellphones - one private (family calls, FaceTime etc), one CDMA phone and one separate GSM for most of the EU countries. And an external SSD drive with all my important backups and projects that would take forever to download off of Dropbox. And yes - recently even a cheap signal detector, as I don't want to be watched in my hotel room, even only for "security reasons" as to whether I will demolish the room or not. (call me paranoid but so was I before the Snowden files and I was proven right)

I usually carry about $3,000 USD total in different currency - usually 20% AUD, 20% CAD, 30% USD and rest EUR/GBP. Trust me so many times paying with cash comes to be much cheaper, and at some occasions the only way to go!

Yes, thumb drive too; usually empty so that if I am at the meeting and someone wants to send me some heavy files, I can give them my thumb drive and voilà!

If all this makes me a spy then I definitely need to change my profession :|

> That's exactly how I travel to tech-related summits around the world, and I have nothing to do with espionage I assure you.

Do you typically sneak into these summits, telling the security staff a variety of lies to do so?

“Sneaking” can be anything. If her mother tongue wasn’t English and she couldn’t communicate with the SS, obviously they assumed the worst; that’s what they are paid for. So no wonder they stated she sneaked in. Also as a tourist you could wander into a hotel with foreign signs and they will assume you sneaked in as well.

Yup, I travel with a laptop, 2 phones, thumb drives, baggies of different currencies, random mysterious circuit boards .. and I'm not a spy either

Most of that is what was in her hotel room, not what she was caught with.

>it immediately began to install files, a “very out-of-the-ordinary” event that he had never seen happen before during this kind of analysis. The agent had to immediately stop the analysis to halt any further corruption of his computer

I've seen some versions of Windows present a conspicuous file copy dialog box when it sees a new flash drive plugged in (or even the same flash drive plugged in to a new port) - some song and dance about copying *.INF driver files. On the other hand I would expect a malicious flash drive to be as silent as possible. What are the odds the agent was just misinterpreting this?

No one, especially the Secret Service should randomly plug in a strange USB stick.

It blows my mind that someone from the secret service wasn't informed that they shouldn't plug evidence from a suspected spy into their laptops.

Last time I found a memory stick on the street, in the end I tested it with one of these "print your own photos" machines in a drug store. I hope they had good security :-/ (stick was unreadable).

The article assumes (or at least implies) the secret service member was plugging it into his own personal laptop or something. Why? It may very well be a computer specifically setup to screen devices, including USB drives. It may be a sandboxed and sanitized environment. Or not, but we just don't know, and this article seems a little sensationalist in casting a negative light in the secret service absent details.

If it were set up for this purpose, they wouldn’t have ripped it out in a panic.

It sounds like they had a computer specifically configured for analysis of drives. I'm going to guess that's not just Agent Smith's normal computer he/she uses to write reports, email, etc. In which case, taking out the drive was an unnecessary reflex as the malware wouldn't get much traction on a system isolated from others and not used for much else. But I could also be wrong, I'm just speculating. Which is my point-- that's all the article was doing too, speculating.

> “It’s entirely possible that the sensitivities over determining whether Zhang was targeting Mar-a-Lago or the president — or whether she was a legitimate guest or member — may have contributed to the agent’s actions on the ground,”

Plot twist: she was a legitimate member with a personal malware ridden usb stick she wasn't aware was infected. /joke

can't Ctrl-F on my phone, but I didn't see usbfilter yet https://davejingtian.org/2016/08/04/making-usb-great-again-w... might take some advanced tech skills to install, but this is the only way to be theoretically secure against the most powerful attack vector of these types of attacks, which is to act as an HID and input malware into the computer. Basically, you flag a physical USB port as being data-storage-only and your OS will prevent any device plugged into that port from being recognized as a mouse or keyboard or any other powerful USB device.

You can avoid software issues by proper configuration (I want to configure Linux not to automatically enable USB input devices). Of course hardware issues such as damaging the computer is different, but there may be another way to mitigate that. (For several reasons I also do not like the USB so much, though)

"Not even", TechCrunch? I think the word you're looking for is "especially".

I was surprised from the get-go that no one seems to be talking about the legality of an ad-hoc search of a USB thumb-drive.

The stupidity of it (from an infosec standpoint) should be a given, yet this aspect appears to be the focus of the debate.

Am I missing something?

The Secret Service is charged with securing any Presidential residence, so I'm sure there are statutes that let them do that.

Totally aside from that, all of Florida is in the 100 mile civil rights suspension zone: https://www.aclu.org/other/constitution-100-mile-border-zone

I think it's important to note that I always consider even a USB stick fresh out of the packaging to be a 'strange USB stick', because I've seen cases of USB sticks being infected at the factory.

I hate it when colleagues and students hand me a USB stick to use. We have great file sharing infrastructure, there's no reason for me to plug in your USB stick to access some powerpoint you want me to look at.

Now get off my lawn.

Isn't the whole premise of the discussion jilted? This is a security person doing forensics on the USB stick. Why should he not examine it (if lawful) and why would you call this "random"?

Qubes OS has a defense against USB attacks. It just reads the USB stick inside a dedicated VM and then, if necessary, you attach it to another VM.

Man, good thing he was working from a virtual machine...

This whole situation is absurd on so many levels.

Meanwhile even the shittiest Hollywood plotline has the "we'll infect their systems with this virus - infiltrate and plug it into their servers" narrative.

I know secretive service agent =/= computer expert but Jesus... both my little sister and my 60 year old mother know better.
