Security researchers Karsten Nohl and Jakob Lell called into question the safety and security of using USB to connect devices to computers during a session at Blackhat. They demonstrated how any USB device could be used to infect a computer without the user’s knowledge, something they there is no practical way to defend against.
Indeed, USB devices have been used for this purpose for many years now. Some of the earliest examples included the infamous iPod Slurpie, which when plugged in to charge would index the host machine and any network shares it was connected to and copy all .doc and .xls files. Then there was the solid state drive in a USB mouse. Connecting the mouse performed the same as the Slurpie.
These devices were and still are used to evade good endpoint control technologies which only allowed white-listed devices to connect through the USB port. With a small development board, 20 minutes of reading docs and some simple code you can make your USB device look like anything and have it perform any task once connected.
So, are USB devices “critically flawed” ?
Well, not really. The issue lays within the way they are consumerised. Presently not many people actually want secure USB devices and as such the manufacturers of devices are not bothering with security. To highlight the point, a 16gb USB key from a supermarket is less than £10. A secure 16gb USB key from a firm like IronKey starts at £80. That is a massive difference in cost.
Author - Peter Bassill
No comments:
Post a Comment