Yet Another "People Plug in Strange USB Sticks" Story (schneier.com)
110 points by diogenescynic on July 11, 2011 | 61 comments

So the point of this article is that it's not stupid to plug in random USB sticks you find on the street? That's what USB sticks are for? What if you found a big slice of your favorite type of cake on a park bench, would you eat it? You wouldn't? Why not, hell, that's what cakes are for.

Picking up random USB sticks and sticking them into your computer is the equivalent of having sex with random people you meet on the street. The only thing you can hope for if you do that is that whatever you're having as protection is going to save you from catching something nasty. But by the time you find out if your protection actually protected you or not, it might already be too late.

I agree that it would be great if our systems could save us from anything and everything malware writers can come up with. But unfortunately, they can't, so our first line of defense should just be plain old common sense.

I must confess that I plug in unknown USB sticks quite frequently, and even knowing the risk, I probably won't stop.

I work part-time at a reception desk (the computer has access to nothing important). The assumption seems to be that found USB sticks are suspicious, but they actually show up quite frequently. People lose their USB stick--usually in one of the lab computers. The overwhelming majority seem to be personal drives that people have lost. Often there are obviously non-confidential files ("Econ101Paper.odt") on the drive, and it's easy to contact the owner to let them know where they can find their lost drive.

The average user simply doesn't see USB sticks as malicious (recall how much pain it took until people generally recognized unknown email attachments as dangerous!) and is occasionally exposed to lost USB sticks that they can helpfully return. This is a problem that will not be fixed by user education, except perhaps in secure facilities where USB devices are prohibited completely.

It makes sense to have a dedicated kiosk machine, hardened, connected to nothing, and regularly re-imaged, to test unknown USB drives in. That's a little different from plugging one into the computer you do your work or finances on.

Humans have a lot of machinery dedicated to determining whether or not to eat a given piece of food. Bad food has been around as long as humans, so those without any equipment for detecting tainted food have long since died off. Hence, most people would not eat that cake on the park bench, because they have a lot of senses (physical and emotional) that tell them not to.

USB drives, on the other hand, have not been around for very long. When you plug in an evil USB stick, nothing bad happens. Maybe in a few years someone buys some shit with your credit card, and your bank has to send you a new one. That's about it, though, and that negative consequence isn't enough to override the curiosity intrinsic in humanity. So people find USB drives and plug them in, just because they are curious for a glimpse into other peoples' lives. See also: tabloids.

"(physical and emotional)"

It's rationality that stops one from not eating the cake. One's physical and emotional "sense" will tell one to eat the damn thing (if it looks good!). Similarly, unknown USB sticks should be used rationally.

That's a good analogy to describe the current state of things, but why can't we aim for something better? For example, I would not be afraid to put a random CD in my CD player.

I believe the point of this article is that if your system assumes that humans aren't stupid, then your system will fail. Blaming the humans for being stupid is no more useful than blaming rain for being wet. Shaking your head and saying that the system is fine because it was only defeated by people being stupid ends up missing the point.

Right. If 6% of people fell for this, shame on them. But if 60% of people fell for it, shame on the security team.

I can see your point, but think of it this way: No amount of security can protect against human stupidity. If I accidentally download and run an unknown application, and it asks for root privileges and I grant them, then if anything bad happens, I really can't blame the system. The system did exactly what it was supposed to do, it required the user to confirm the operation by entering the root username and password and if I did that then I explicitly granted this process to run as root. Same goes for surfing under an administrator account on Windows. Most malware these days is not successful because of their ingenious design (although there are such examples) but because they employed a successful social engineering tactic. I do agree that we should strive to create more secure systems, but I think that you can only go so far with that. In the end, users need to be educated not to grant root privileges to strange apps they just downloaded from the web or open weird-looking attachments they receive in their e-mail (even if the message seems to be coming from their friends). My point is that people should have the same amount of healthy cautiousness when surfing the web or handling unknown data storage as they generally have in their day-to-day lives.

> Picking up random USB sticks and sticking them into your computer is the equivalent of having sex with random people you meet on the street

I can't tell if that's an awful analogy because people do it all the time, or a brilliant analogy, because unless you do it safely you will eventually catch something nasty.

All of a sudden picking up random USB sticks and sticking them into your computer sounds like a lot more fun than it used to.

Schneier seems to be mostly imagining an attack in which a USB disk is loaded with some malware, but the USB stick could be just about anything:


If you work for a place where security matters, your default assumption should be, "it's unsafe".

If you work at a place where security matters, then mounting external volumes is disabled in the group policy along with auto run, installing software, and 99% of Windows tasks that aren't directly related to your job.

As he said, he blames the people who designed a system where plugging in a USB stick is unsafe, since the logical thing to do with media is to see what's on it. But for now that problem exists and people should be exceptionally cautious about such things.

My laptop has a built-in keyboard and trackpad, so why doesn't it just ask my permission to use any USB device I plug in? I don't know if there's a way to uniquely fingerprint a USB device, but if there is then I could tell the OS to always trust particular devices to make it more convenient.

Why would it ask? If you didn't want the computer to access the drive, then why did you plug it in? The mere act of plugging in a drive is a signal to the computer that you want the drive to be made available.

Note, however, that this is NOT a signal that you want the computer to start running arbitrary software on the drive.

There are plenty of times in which what the computer is told to do (and consequently does, as is their wont) is not the same as what the user might WANT it to do. Compare the computer: "The user runs this program, the program tells me to wipe the hard drive, I wipe the hard drive", and the user: "I just downloaded Medal of Honor and I want to play it".

Another example: the computer: "The user entered 'rm -rf doc', I delete ./doc/", and the user: "I want to get rid of 'Documents/' for the 23rd time today and execute 'rm -rf doc<tab>'".

The discrepancy between "do what I say" and "do what I mean" is part of where security lives. In the above cases, that would be a virus scanner and your favourite *nix command line trash utility, respectively. Other examples can easily be imagined. Just because a user tells you to do something doesn't mean they want you to do it.

And what if you've plugged in a USB keyboard at the same time as that drive?

And that USB keyboard has said "hey yes I want to run the software on this drive"?

And how does the USB Keyboard have the permission to go ahead and launch software on the user's behalf? It's precisely the same issue as autorun on a thumb drive.

This is assuming the hardware is as it presents itself.

Each USB device has its own unique ID, so yeah, it should be possible.

When you're dealing with a malicious attacker, you can't assume that they're playing by the rules.

All an attacker would have to do is find the ID of a device that you have used in the past.

If an attacker can get the USB ID of a device physically attached to your computer then he probably already has access to your computer.
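An added example, not from any of the commenters, of the device-allowlisting idea in this subthread: a Linux shell script that reads each device's self-reported idVendor, idProduct and serial from sysfs and clears the kernel's per-device authorized flag for anything not on the list. The /sys/bus/usb/devices path and attribute names are real kernel interfaces, the allowlist values are constructed, and, as the replies above note, the IDs come from the device itself, so this does not stop a device that copies an allowlisted identity.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): allowlist USB devices by the
# idVendor:idProduct:serial they report in sysfs, and clear the kernel's
# per-device "authorized" flag for anything not on the list.
# Caveat from the thread: these IDs are self-reported by the device, so a
# malicious device can present an allowlisted identity.
set -u

# Allowlist, one "vendor:product:serial" per line (constructed sample values).
USB_ALLOWLIST="${USB_ALLOWLIST:-$(printf '%s\n' 'abcd:1234:SN0001' 'abcd:5678:SN0002')}"

# Print "allow" or "deny" for one identity string; always exits 0.
usb_decision() {
    local identity="$1" entry
    while IFS= read -r entry; do
        [ -z "$entry" ] && continue
        if [ "$entry" = "$identity" ]; then
            echo allow
            return 0
        fi
    done <<EOF
$USB_ALLOWLIST
EOF
    echo deny
    return 0
}

# Read a sysfs attribute, empty when the file is absent
# (devices without a serial number have no "serial" file).
read_attr() {
    [ -r "$1/$2" ] && tr -d '\n' < "$1/$2" || printf ''
}

# Walk a sysfs-like tree ($1, default /sys/bus/usb/devices): print one
# line per device and write 0 to "authorized" for devices not allowlisted,
# which makes the kernel tear down the device and its interfaces.
enforce_usb_allowlist() {
    local root="${1:-/sys/bus/usb/devices}" dev identity
    for dev in "$root"/*/; do
        dev="${dev%/}"
        [ -f "$dev/idVendor" ] || continue   # interface dirs have no idVendor
        identity="$(read_attr "$dev" idVendor):$(read_attr "$dev" idProduct):$(read_attr "$dev" serial)"
        if [ "$(usb_decision "$identity")" = allow ]; then
            printf 'allow %s (%s)\n' "$(basename "$dev")" "$identity"
        else
            printf 'deny  %s (%s)\n' "$(basename "$dev")" "$identity"
            [ -w "$dev/authorized" ] && echo 0 > "$dev/authorized"
        fi
    done
    return 0
}
```

Run it as root against the real tree (`enforce_usb_allowlist`) after setting USB_ALLOWLIST to the identities you trust; run it against a copy of the tree first to see what it would deny.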

While I think he's right that the OS should not automatically launch programs off a USB stick - how many people that are curious enough to plug in the stick would not double click "secret_documents.doc.exe"?

While USB sticks are made to be plugged in, the fact remains that a machine cannot be kept secure when an attacker gains physical access to it. (Remember that old and outlandish notion of an "air gap" for secure machines?)

If you can plug untrusted hardware into your machine, your machine cannot be trusted. It's not just autorun that's an issue - you've exposed your machine to unknown forces once you plugged in an item.

Corollary: If you need to be secure, don't provide IO ports.

From somebody who has actually worried about such anachronisms as air gapped networks, I can tell you that in a lot of secure environments USB and IEEE IO were actually physically disconnected. This has taken a pretty hard hit recently, as many many systems no longer ship with DIN connectors for keyboard and mouse. For a variety of reasons it's much easier to lock down the available drivers in the OS than to try to keep sourcing systems that can operate entirely without USB. And even that was rather difficult under Windows until recently.

I don't have a real wrapped up conclusion here, except to say that if these quite security conscious organizations that pay close attention to these issues have found it a pain to implement IO restricted general desk PCs, it's no wonder at all that most private organizations are having trouble.

Unknown forces? They're electrical signals. They can (should) be interpreted, or more safely, not interpreted, according to the user's desire.

Or keyboards! Or monitors! Or hard-disks! Or processors!

I realize you're being facetious, but for arguments sake:

* Keyboards do not have enough bandwidth to allow an attack unless your physical security is incredibly lax.

* Monitors make a really bad attack vector, since they're not really an input device :) They are, to some extent, a possible route of filtering data out, so make sure access is indeed limited. (I.e. don't put them in front of windows :)

* HDDs are presumably (if you really care about security) inside the case only, and the case is locked. Also, hopefully hard-erased before installation.

* Even though processors make for a decent attack vector (read "Trusting Trust" by Ken Thompson, if you haven't yet), enforcing the air gap makes it very hard to actually communicate that data to the outside world.

Of course, all this depends on what level of security you want/need. Sealing off IO ports for your home machine is fairly silly. (And if autorun is disabled, you're probably safe plugging items in - you're most likely not a high enough value target). But if you indeed do have items that MUST be kept secret on your machine, batten down the (IO) hatches.

> Keyboards do not have enough bandwidth to allow an attack unless your physical security is incredibly lax.

What does this mean? What's to stop someone from building a fake keyboard with an internal USB hub that connects the original keyboard's USB connection and a thumbdrive to a normal-looking outgoing USB cable?

Disable all keyboard shortcuts -- text entry only in text areas. No tabbing between controls. Keyboard shortcuts considered harmful.

Also, for the sake of completeness, randomize all on-screen forms to make it impossible to exploit a fake mouse. Muscle memory considered harmful.

For added security, display an authorization code on the display every half an hour, and expect the user to do a XOR with a one-time pad, then enter it on the keyboard. Or morse-code it with the mouse.

Assume that required devices are hardwired when you remove IO ports. It's kind of stupid to remove all IO ports except one :)

Keyboards can be hubs with hostile code implanted in them. They can also have built in key loggers.

From the article:

> Quit blaming the victim.

Where do we draw the line between blaming the victim and chiding people for doing stupid things?

For example, a drunk driver is not a 'victim' in any sense, even if the only one injured in the wreck is the driver.

OTOH, we have all those little topics that make people go insane.

Can we even debate this concept without turning this into a flamewar?

I think you missed the whole point of the blog post, which is that it isn't "stupid" to plug in a USB stick; it's "stupid" that the OS makes this unsafe.

It's not the OS. It's the hardware. While USB devices are somewhat more difficult to use for exploits like this, any FireWire or PCMCIA device has full access to the RAM through a DMA channel. (1)

Worth repeating: they can read ANY page in RAM. Including those which contain user key hashes, session hashes and any password which happens to be stored in clear in memory.

While the OS can protect a process's memory from all other processes, DMA is one level closer to the metal. No matter what OS you're running, plugging random devices into your system means the game is over.

(1) HW virtualization mitigates some of these risks: I'm not familiar with the details of it. But since most machines are still running without HW virtualization, they are still vulnerable.

edited for formatting

We're not talking about Firewire, we're talking about USB. I don't even think we need to get into IOMMU mitigations for Firewire security.

There are vectors beyond "autorun" for attacking machines with USB devices (for instance, automatically mounting filesystems exposes the filesystem to malicious block inputs) but these are squarely in the OS's bailiwick.

Is this unsafe even on OS X or Linux?

I believe the main issue is that the stick can be configured so that Windows will automatically run an executable on the USB stick when it's plugged in, so OS X and Linux wouldn't be affected by that.

This is only half the problem, and it is trivial to defeat. What we should really be worried about is malware that acts as a USB keyboard, since that's much harder to protect against.

It's also much harder to reliably launch an attack from, but in the case of a targeted attack where the OS is known it wouldn't be too difficult to come up with something that could sneak some nasties in with a low chance of detection.

Huh, never thought about that --- pretty neat.

Wow... damn nice place for a key logger.

Sorry, to be clear, I was asking whether Linux or OS X also have the same silly idea of "Let's execute an arbitrary program on the USB stick whenever it's plugged in!"

I don't know the answer because I don't use Linux for day-to-day work (I work in gamedev, whose primary platform is Windows) and I'm too poor to afford a Macbook.

OSX will open some newly mounted disks in Finder, but it won't automatically execute code. This doesn't mean it's safe against malicious hardware, though.

GNOME can be set up to do so

Linux certainly does not.

Probably. The exact vulnerability used here (autorun) is closed up on Linux, but that only protects against the one attack.

Do we think there are no vulnerabilities in the USB code, the drivers for any particular USB device, filesystems, or any other pieces of code a USB device can invoke? I am very doubtful.

Taken directly from Bruce's article:

> The problem is that the OS trusts random USB sticks. The problem is that the OS will automatically run a program that can install malware from a USB stick. The problem is that it isn't safe to plug a USB stick into a computer.

The entire point is that it shouldn't be considered "stupid" to plug in a USB drive. As he says more than once: that's what they're for.

You have a valid point, but the problem is also that you cannot safely check the contents of a USB stick on e.g. Windows by default. That is the system's fault, not the user's.

That they plugged it into a corporate network prior to checking elsewhere first is, yes, stupid. And people need to be taught better about things like that - Stuxnet wouldn't have been half the threat if people didn't plug things into business computers without taking precautions. That they plugged it into a computer is not.

In this particular case, you can think what you want of the people plugging in strange USB sticks, but no amount of calling them idiots will ever solve the problem.

A drunk driver has not been the target of an attack. Whether or not we blame the victim in this case we can debate, but as the target of an attack I believe it is safe to refer to them as the victim.

> Where do we draw the line?

50% is a start.

I couldn't help thinking of the Family Guy skit about James Woods going "Ooo a piece of candy!"

If I found a random USB drive on the ground I would probably format it with a device that any malicious software isn't targeting, such as a game console.

You can't blame people for shooting other people, that's what guns are for! Shooting people is guns' intended purpose. It's the clothing manufacturers' fault for not making all shirts out of Kevlar. They should make it safer to be shot.

Feeding the troll...

Guns have uses besides shooting people.

USB sticks have no use besides being plugged into a USB port, and USB ports have no use besides having things plugged in to them, hence it should be safe to plug things into them.

We are surrounded by devices that will break or do us harm if used unsafely. Articles like this one seem to point out the obvious "why not just make it impossible to be unsafe?" Yet this is not the case (or even a stated goal) in any other type of system. Why is it that once computers are involved people expect to abdicate responsibility?

Since you didn't like my analogy there are plenty of others. Would you put any random tire on your car and expect it to transport you safely? If I put diesel instead of gas in my car is it the station's fault because the connectors are the same?

Incidentally, I could make a very effective denial-of-service attack by putting a high-voltage battery inside what appears to be a USB stick. And no software is going to protect you from the results of massively overvolting sensitive electronics.
