CommunityMy FDL

Thursday Watercooler

 

A USB drive designed to look like a sushi roll

USB powered sushi — and everything else using the USB standard — is vulnerable to hidden malware.

In tonight’s video, a small-scale cocoa bean farmer and his workers get to taste the end result of their work — chocolate — for the first time in their lives!

Farmer N’Da Alphonse grows cocao and has never seen the finished product. ‘To be honest I do not know what they make of my beans,’ says farmer N’Da Alphonse. ‘I’ve heard they’re used as flavoring in cooking, but I’ve never seen it. I do not even know if it’s true.’

Thanks to MyFDL’s KateCA for suggesting this video.

Be careful what you put in your computer. According to an article in Wired’s Threat Level, the security of USB devices is fundamentally broken.

Computer users pass around USB sticks like silicon business cards. Although we know they often carry malware infections, we depend on antivirus scans and the occasional reformatting to keep our thumbdrives from becoming the carrier for the next digital epidemic. But the security problems with USB devices run deeper than you think: Their risk isn’t just in what they carry, it’s built into the core of how they work.

That’s the takeaway from findings security researchers Karsten Nohl and Jakob Lell plan to present next week, demonstrating a collection of proof-of-concept malicious software that highlights how the security of USB devices has long been fundamentally broken. The malware they created, called BadUSB, can be installed on a USB device to completely take over a PC, invisibly alter files installed from the memory stick, or even redirect the user’s internet traffic. Because BadUSB resides not in the flash memory storage of USB devices, but in the firmware that controls their basic functions, the attack code can remain hidden long after the contents of the device’s memory would appear to the average user to be deleted. And the two researchers say there’s no easy fix: The kind of compromise they’re demonstrating is nearly impossible to counter without banning the sharing of USB devices or filling your port with superglue.

‘These problems can’t be patched,’ says Nohl, who will join Lell in presenting the research at the Black Hat security conference in Las Vegas. ‘We’re exploiting the very way that USB is designed.’

[…] They spent months reverse engineering the firmware that runs the basic communication functions of USB devices—the controller chips that allow the devices to communicate with a PC and let users move files on and off of them. Their central finding is that USB firmware, which exists in varying forms in all USB devices, can be reprogrammed to hide attack code. ‘You can give it to your IT security people, they scan it, delete some files, and give it back to you telling you it’s “clean,”‘ says Nohl. But unless the IT guy has the reverse engineering skills to find and analyze that firmware, ‘the cleaning process doesn’t even touch the files we’re talking about.’

Bonus: Samuel Beckett Motivational Cat Posters via Dangerous Minds

Housekeeping notes:

  • Please review our About Us page if you need a refresher on site rules, and
  • We encourage you to use our flag system — if you see an abusive comment, user or post, please flag it rather than replying. We review every flag and take the best action available to us.
  • If you have questions or concerns about Firedoglake-specific issues, please limit their discussion to Watercooler posts rather than starting new posts or making off-topic comments in others. But remember,
  • Firedoglake editors and staff are not allowed to comment on any moderation decisions.

The Watercooler is an open conversation. Ask questions, share links and your thoughts.

Photo by Joi Ito released under a Creative Commons license.

Previous post

Late Night: The Untouchables

Next post

Late Late Night FDL: Can't We Be Friends

Kit OConnell

Kit OConnell

Kit O’Connell is a gonzo journalist and radical troublemaker from Austin, Texas. He is the Associate Editor and Community Manager of Shadowproof. Kit's investigative journalism has appeared in Truthout, MintPress News and Occupy.com.