
Security quotes of the week

There were lots of businesses, stores, malls, warehouses and parking lots, but I was horrified by the sheer number of baby cribs, bedrooms, living rooms and kitchens; all of those were within homes where people should be safest, but were awaiting some creeper to turn the “security surveillance footage” meant for protection into an invasion of privacy.
— "Ms. Smith" visits a site that aggregates the feeds from security cameras with default credentials

As expected, Karsten Nohl's new BadUSB exposure info presented at #PacSec14 is not pretty. In the survey of 8 common USB chipset manufacturers and 52 chipset families, about half of your devices, including chargers, storage, cameras, CD-ROM drives, SD card adapters, keyboards, mice, phones, and so on, are all likely to be proven easily reprogrammable and trivially used to piggyback/host multi-platform (portable to different OSes, and even different kinds of devices) attack software - and the others are not necessarily safe, it's just more work to make the attack software.

The depressing part is there is no real solution on the horizon - even the "fuse bit" solutions some folks are touting can be easily bypassed by reprogramming/deleting the entire devices. More depressing is that this problem seems so hard that while lots of people are working on attacks, the problem is frustrating enough that very few are working on solutions.

Most of these devices have 32k of firmware. Karsten's attack code including DHCP server and network stack was only a couple of K.... So, yes, your USB charger can attack your phone and your mouse can attack your laptop.

Dragos Ruiu on a presentation about BadUSB

Another network-tampering threat to user safety has come to light from other providers: email encryption downgrade attacks. In recent months, researchers have reported ISPs in the US and Thailand intercepting their customers' data to strip a security flag—called STARTTLS—from email traffic. The STARTTLS flag is an essential security and privacy protection used by an email server to request encryption when talking to another server or client.
Jacob Hoffman-Andrews of the EFF
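The downgrade the EFF quote describes works because a middlebox deletes the STARTTLS capability from the server's EHLO reply, and an opportunistic client then quietly continues in plaintext. The following is an added example, not code from the article or from the EFF: it parses constructed EHLO replies (one intact, one with STARTTLS stripped) and applies a client policy that refuses to send unless STARTTLS is advertised. The hostname and capability values are made up for illustration.

```python
import re

# Constructed sample EHLO replies (not captured traffic from the article).
EHLO_WITH_STARTTLS = (
    "250-mail.example.test Hello client\r\n"
    "250-SIZE 35882577\r\n"
    "250-STARTTLS\r\n"
    "250 8BITMIME\r\n"
)
# The same greeting after an in-path device has removed the STARTTLS line,
# which is the downgrade the EFF quote describes.
EHLO_STRIPPED = (
    "250-mail.example.test Hello client\r\n"
    "250-SIZE 35882577\r\n"
    "250 8BITMIME\r\n"
)


def parse_ehlo_capabilities(response: str) -> list[str]:
    """Return the capability keywords (upper-cased) in an EHLO reply.

    The first 250 line carries the server's domain and greeting, not a
    capability, so it is skipped; every later line of the form
    '250-KEYWORD ...' or '250 KEYWORD ...' contributes one keyword.
    """
    lines = response.strip().split("\r\n")
    caps = []
    for line in lines[1:]:
        m = re.match(r"^250[ -](\S+)", line)
        if m:
            caps.append(m.group(1).upper())
    return caps


def decide_transmission(response: str, require_tls: bool = True) -> str:
    """Client-side policy applied to the EHLO reply.

    'STARTTLS'  - server offers encryption; client should issue STARTTLS.
    'ABORT'     - no STARTTLS advertised and policy requires TLS; the client
                  must not fall back to plaintext (this is the mitigation).
    'PLAINTEXT' - only reachable when the caller explicitly allows the
                  opportunistic fallback that makes stripping effective.
    """
    if "STARTTLS" in parse_ehlo_capabilities(response):
        return "STARTTLS"
    if require_tls:
        return "ABORT"
    return "PLAINTEXT"
```

A mail client or relay that pins the policy to `require_tls=True` for a given peer turns a silent downgrade into a visible delivery failure, which is what makes the tampering detectable.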


Security quotes of the week

Posted Nov 13, 2014 16:50 UTC (Thu) by proski (subscriber, #104) [Link] (1 responses)

STARTTLS is often abbreviated as TLS, even in Gmail settings. The users are told that SSL is obsolete and TLS is secure. Thus the users are tricked into assuming that something is secure whereas it's actually a protocol that allows downgrading to plain text.

It would have been much better if TLS was called SSL v4, v5 etc. Then the message to the users would have been - use at least version 3, then - at least version 4 and so on.

Likewise, WPA should have been WEP2, WEP3 etc. Some users still think that WEP is secure. Adding another TLA makes things confusing to them, much more than a version number would have been.

Gmail

Posted Nov 13, 2014 19:29 UTC (Thu) by tialaramex (subscriber, #21167) [Link]

Can you say where in Gmail settings you see this confusion?

BadUSB and the FSF position on firmwares

Posted Nov 13, 2014 17:37 UTC (Thu) by gioele (subscriber, #61675) [Link] (8 responses)

> […] about half of your devices, including chargers, storage, cameras, CD-ROM drives, SD card adapters, keyboards, mice, phones, and so on, are all likely to be proven easily reprogrammable and trivially used to piggyback/host multi-platform (portable to different OSes, and even different kinds of devices) attack software […]

I hope that one of the good by-products of BadUSB will be making people understand the position of the FSF on firmwares: if it is not upgradable it is hardware, if it is upgradable it is software.

BadUSB and the FSF position on firmwares

Posted Nov 13, 2014 21:36 UTC (Thu) by pizza (subscriber, #46) [Link] (6 responses)

> I hope that one of the good by-products of BadUSB will be making people understand the position of the FSF on firmwares: if it is not upgradable it is hardware, if it is upgradable it is software.

Unfortunately, it's more subtle than that, and there is no simple answer.

I'd wager that the vast, vast, vast majority of devices out there are technically upgradeable, even if the know-how is "security through obscurity". BadUSB has demonstrated that a lack of a vendor/manufacturer-supplied update procedure has no bearing on the device's actual upgradeability and thus vulnerability.

Again, to use my old example of the Prism2/3 wifi adapters: a device with onboard flash for firmware is "Free" according to the FSF, but ones without flash (requiring the PC to send the firmware over) are "Unfree" -- However, the underlying technical capabilities of the hardware are otherwise completely identical; nothing prevents someone with a flash-equipped board from downloading code at runtime.

Honestly, in this day and age, if an engineer designs hardware with embedded software that is not "upgradeable" in some manner, they are a fool.

BadUSB and the FSF position on firmwares

Posted Nov 17, 2014 7:48 UTC (Mon) by robbe (guest, #16131) [Link] (5 responses)

> Honestly, in this day and age, if an engineer designs hardware with
> embedded software that is not "upgradeable" in some manner, they are a
> fool.

Why?

A certain class of low-price product exists that is *never* updated by the consumer (because there are no publicly documented procedures), and almost never updated by the vendor (because it's cheaper to just replace the device). These are not expected to be upgraded, and consequently flashing them should not be possible via USB.

I think that's the actual novelty of BadUSB that was questioned elsethreads. The semi-knowledgeable of course knew that complex devices like phones could be reprogrammed by malware. That it is possible for almost any "dumb" USB gadget to be reflashed just by USB-connecting them.

BadUSB and the FSF position on firmwares

Posted Nov 17, 2014 13:45 UTC (Mon) by itvirta (guest, #49997) [Link] (2 responses)

Not being able to reprogram something during the development stage would indeed be foolish,
but a simple appliance being upgradeable in the field does seem equally foolish!
No normal person even thinks of reprogramming their keyboards...

BadUSB and the FSF position on firmwares

Posted Nov 17, 2014 22:15 UTC (Mon) by lsl (subscriber, #86508) [Link] (1 responses)

Actually, I'd love to do that. Making key mapping adjustments directly at the source sounds great. Certainly better than doing it at the X level and then missing them when typing at a VC without X running. Even if you configure it there, too, your custom mappings are still lacking when interacting with the firmware or bootloader.

So, if there was a reasonable way to modify my keyboard firmware, I'd probably do it. Not sure about that "normal person" bit, though.

BadUSB and the FSF position on firmwares

Posted Nov 17, 2014 23:45 UTC (Mon) by mathstuf (subscriber, #69389) [Link]

Yeah. I'd love to be able to make the caps lock key repeatable. Currently there's no repeat on it for sensible reasons[1], but when it is rebound (to backspace in my case), repeat makes more sense.

[1]If CAPS LOCK is "cruise control for cool", imagine how cool CeNtIpEdE TyPiNg could be.

BadUSB and the FSF position on firmwares

Posted Nov 17, 2014 18:55 UTC (Mon) by pizza (subscriber, #46) [Link] (1 responses)

> A certain class of low-price product exists that is *never* updated by the consumer (because there are no publicly documented procedures), and almost never updated by the vendor (because it's cheaper to just replace the device). These are not expected to be upgraded, and consequently flashing them should not be possible via USB.

Whether or not it's *intended* to be updated by the end-user, or even if the vendor intends to update it in the field, has no bearing on whether or not the technical capability is there.

Simply put, at production time the software has to get loaded into the device somehow, and that technical capability doesn't go away just because the device is deployed in the field.

I see BadUSB as a (perhaps all-too-predictable) bug in implementation, not one of design.

BadUSB and the FSF position on firmwares

Posted Jan 24, 2015 10:26 UTC (Sat) by ssokolow (guest, #94568) [Link]

That's what programming fuses are for. You set the programmer to upload the program and then blow the programming fuses as part of the manufacturing process.

Even if it's something like an Atmel AVR chip (what Arduinos use) which, as far as I know, doesn't have a true programming fuse (just a non-volatile "disable programming" fuse bit), you'll have to do high-voltage programming to reset it and no sane device design will include the extra voltage step-up circuitry necessary to do that without disassembly.

BadUSB and the FSF position on firmwares

Posted Nov 15, 2014 1:57 UTC (Sat) by foom (subscriber, #14868) [Link]

If only....

Unfortunately, that is not the FSF's position. On the contrary, the FSF position is actively harmful to hardware security. (as I've written before, e.g. https://lwn.net/Articles/611334/)

They try to convince device manufacturers to *add* persistent storage to devices that otherwise don't require it (so that the device can be used without the "firmware" contaminating the user's pristine Free-Software-Only hard drive (...I mean the data the user can see on the hard drive; of course the HD has its own non-free firmware too)).

The FSF doesn't mind whether the hardware uses a ROM or upgradeable Flash for its firmware, just so long as the storage is persistent, and hidden away in the device.

BadUSB

Posted Nov 13, 2014 23:32 UTC (Thu) by mogendavido (guest, #99770) [Link] (4 responses)

This "BadUSB" thing seems to me to be a "tempest in a teapot". If I can convince someone to plug a USB device that I've provided into their computer, it doesn't matter whether what's inside the legitimate version is "secure" or not. I can rip out the guts and replace it with *anything* I want (including C4!).

At my local drugstore, there's a whole bin of tiny unpackaged brightly colored USB cell phone chargers. It would be trivial for a vaguely competent embedded software programmer, not to mention a state actor, to buy a bunch and replace the guts with their own creation and then surreptitiously drop them back into the bin. So what if it didn't even work correctly -- the purchaser will just assume they bought a broken one and return it where it will most likely just get tossed.

If I'm a Ted Kaczynski sicko, I could seed that bin with "USB bombs" that will go off as soon as they're plugged in.

My conclusion is that all the proposed solutions I've seen essentially constitute "technical masturbation" until the question of physical security is addressed (possibly similar to how OTC drug manufacturers addressed their issue with product tampering). Even then, you still haven't solved the "dropping USB sticks in the parking lot" social engineering trick. Or am I missing something that has caused this to get so much coverage?

BadUSB

Posted Nov 14, 2014 0:17 UTC (Fri) by mjg59 (subscriber, #23239) [Link] (2 responses)

BadUSB means that if you can convince someone to plug a USB device that *they've* provided into *your* computer, it can then compromise any of their own computers they plug it into afterwards.

BadUSB

Posted Nov 14, 2014 0:56 UTC (Fri) by mogendavido (guest, #99770) [Link] (1 responses)

That phenomenon has been known about for quite a while. I don't know how prevalent it is in the US, but my son tells me that in many parts of Europe, after plugging a USB stick into one of those photo printing kiosks, it will be measurably heavier from all the malware it picked up ;-)

In this case, the "bad guy" has pwned the kiosk computer and, if you want to print photos, he doesn't have to work very hard to convince you to plug your USB stick into "his" computer.

BTW, I'm not claiming that security compromise via USB isn't a problem. What I don't understand is the sudden apparent hysteria about something that's been known for a long time. It *seems* very much like seeing a newspaper headline stating "People Outside When It's Raining Can Get Wet!!!"

BadUSB

Posted Nov 14, 2014 1:04 UTC (Fri) by mjg59 (subscriber, #23239) [Link]

That's not the same case. Having a USB stick infested with malware is (a) harmless as long as your own machines have up to date anti-malware, and (b) easy to fix (just format the stick again). BadUSB can't be blocked by existing anti-malware techniques and there's no straightforwardly verifiable way to restore the stick to a good state.

The ease with which single-purpose USB devices can be subverted into attacking host operating systems was not "known for a long time". The reason that this was treated as news is that it *was* news.

BadUSB

Posted Nov 14, 2014 4:17 UTC (Fri) by raven667 (subscriber, #5198) [Link]

The novel part is taking over USB devices such as mice or keyboards or flash drives or printers that the attacker doesn't have physical access to; if they get malware on your machine, or any machine you use your device on, they can further subvert peripherals and use them to attack other systems and to reinfect systems after you clean them.


Copyright © 2014, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds