The Market Ticker
Commentary on The Capital Markets

This isn't good at all....

When creators of the state-sponsored Stuxnet worm used a USB stick to infect air-gapped computers inside Iran's heavily fortified Natanz nuclear facility, trust in the ubiquitous storage medium suffered a devastating blow. Now, white-hat hackers have devised a feat even more seminal—an exploit that transforms keyboards, Web cams, and other types of USB-connected devices into highly programmable attack platforms that can't be detected by today's defenses.

This just plain sucks.

What they've done here is figure out that (unfortunately) many of the common USB controller chips are reprogrammable in the field and there is no verification of what's loaded to them.  Apparently there is also enough storage (or, in the case of a pen drive, lots of storage!) to do some fairly evil things.

At the core of this problem is the fact that a USB device has an identifying "class" and vendor ID.  If the "class" is one the computer knows, it will attach it, usually without prompting of any sort.  This is especially bad if the "class" presented is what is known as a "HID", or "Human Interface Device" -- like a mouse or, worse, a keyboard.

Yes, you can have more than one keyboard connected, and all are active at once.  And yes, this is as bad as you think it might be.

The worst part of it is that various anti-virus and anti-spyware programs can't detect it because the code doesn't run on the host machine; it runs on the device.  All the computer sees is a "keyboard" -- but it's not really a keyboard, it's your USB pen drive that sends a key sequence down that invokes something (e.g. a browser to go to a specific bad place).

This can be detected if you're paying attention, but most people aren't.  You can see what classes a particular device attached, but few people will look, and current operating systems don't prompt, with good cause.  How do you answer such a prompt if you're plugging in a keyboard -- that isn't yet allowed to attach?  Ah, there's a chicken and egg problem, eh?

In any event there ARE defenses against this, but they will require significant operating system patches and then a new paradigm for handling USB -- which will help, but not prevent, these sorts of exploits.  As it sits right now, unfortunately, mainstream operating systems are wide open to this sort of abuse.

For example, if my keyboard is plugged into USB Port 2, and it has a Vendor ID of "X" and a device type of HID/Keyboard, then any other port, or this port, that sees a different vendor ID and/or ANY HID/Keyboard device would bring up a warning that a user input device, specifically a keyboard, was attempting to attach.  You could then say "Yes" or "No", and if the device that popped up that prompt was a webcam or USB data stick, go looking for your sledge hammer to get a bit of an upper-body workout taking care of the problem.

But as it sits right now the only way you'll catch it is if the vendor and device ID don't match a loaded set of drivers and thus the system has to go looking for them -- in which case you will get a warning.  Sadly, for the common abuses of this (e.g. keyboards and mice in particular) you almost certainly already have such a driver on the system and thus you're unlikely to catch it.
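The port-and-vendor check described above can be run today as an audit on Linux. The following is an added example, not code from the original post: it assumes interface `modalias` strings as found under `/sys/bus/usb/devices/`, uses constructed sample data and IDs, and the function name and allow-list are hypothetical. It only recognizes HID boot-protocol keyboards (class 03, subclass 01, protocol 01).

```python
import re
from collections import defaultdict

# Linux sysfs interface modalias:
# usb:v<VID>p<PID>d<rev>dc..dsc..dp..ic<class>isc<subclass>ip<protocol>in<num>
MODALIAS = re.compile(
    r"usb:v(?P<vid>[0-9A-F]{4})p(?P<pid>[0-9A-F]{4})d[0-9A-F]{4}"
    r"dc[0-9A-F]{2}dsc[0-9A-F]{2}dp[0-9A-F]{2}"
    r"ic(?P<cls>[0-9A-F]{2})isc(?P<sub>[0-9A-F]{2})ip(?P<proto>[0-9A-F]{2})")

HID_KEYBOARD = ("03", "01", "01")  # HID class, boot subclass, keyboard protocol
CLASS_NAMES = {"03": "HID", "08": "mass storage", "0E": "video"}

def unexpected_keyboards(interfaces, allowed):
    """interfaces: {sysfs interface name: modalias}; allowed: {(port, vendor id)}.
    Returns one finding per device that exposes a keyboard interface without
    being the enrolled vendor on the enrolled port."""
    devices = defaultdict(lambda: {"vid": None, "classes": set(), "kbd": False})
    for name, alias in interfaces.items():
        m = MODALIAS.match(alias)
        if not m:
            continue
        port = name.split(":")[0]  # "1-4:1.1" -> port path "1-4"
        dev = devices[port]
        dev["vid"] = m["vid"]
        dev["classes"].add(CLASS_NAMES.get(m["cls"], m["cls"]))
        if (m["cls"], m["sub"], m["proto"]) == HID_KEYBOARD:
            dev["kbd"] = True
    return [(port, d["vid"], sorted(d["classes"]))
            for port, d in sorted(devices.items())
            if d["kbd"] and (port, d["vid"]) not in allowed]

# Constructed sample of what /sys/bus/usb/devices/*/modalias might hold.
SAMPLE = {
    "1-2:1.0": "usb:v1111p0001d0100dc00dsc00dp00ic03isc01ip01in00",  # the real keyboard
    "1-4:1.0": "usb:v1234p5678d0100dc00dsc00dp00ic08isc06ip50in00",  # pen drive: storage
    "1-4:1.1": "usb:v1234p5678d0100dc00dsc00dp00ic03isc01ip01in01",  # ...plus a keyboard
    "1-5:1.0": "usb:vABCDp0001d0100dc00dsc00dp00ic0Eisc01ip00in00",  # webcam, video only
}
ALLOWED = {("1-2", "1111")}  # the keyboard the user enrolled, on its port

if __name__ == "__main__":
    for port, vid, classes in unexpected_keyboards(SAMPLE, ALLOWED):
        print(f"WARNING: keyboard on port {port} (vendor {vid}), exposes {classes}")
```

A device that reports both mass storage and a keyboard interface, as the pen drive on port 1-4 does here, is the case the post warns about.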

Yeah, this is a problem.....  and a pretty nasty problem at that.


My view: If this is how Ford views security and the iPhone, short Ford to zero.

“We are going to get everyone on iPhones,” Tatchio said. “It meets the overall needs of the employees because it is able to serve both our business needs in a secure way and the needs we have in our personal lives with a single device.”

Given what is publicly known about the fact that any iOS device that is connected to another data-bearing device transfers all of its trust envelope to that second device, this means that an iOS device in a corporate environment now becomes only as secure as a personal computer in said employee's home that is not under control of the corporate IT department.

Read this again.

Now contemplate this -- said Ford employee, with a device that Ford, the company, believes is "secure", connects said phone to their personal computer at home to transfer some music.  Said computer at home has a virus on it that it picked up when that person, on their own time and in the privacy of their own home, surfed to some porn site on the Internet.

That virus sends the trust records for the iPhone back to a hacker in China!

The device's security has now been permanently compromised; said hacker can now, any time the device is on a network where he also has presence (say, a public WiFi point), access huge amounts of data off said device, including the contact lists, messages, pictures and similar items, along with (gulp!) OAuth tokens. The latter, by the way, is identical in effect to having someone's password for social media accounts; this allows the impersonation of that individual on those accounts.

Secure my ass.

That Ford published such nonsense tells me exactly how Ford the company looks at data security issues at an enterprise level.  The company has publicly declared that fellating employee egos takes precedence over enterprise data security.

A company that takes this position deserves what befalls them as a consequence.


Gee, I wonder if anyone thought this one through....

So... for those who can think (if you can't don't bother replying to this thread, you know what will happen) what is the one thing that would change the outcome depicted here, given the time line and events presented?

Thank you for the pro gun video Mr. Bloomberg.


Time for this one again....


The devices came from manufacturers of TVs, webcams, home thermostats, remote power outlets, sprinkler controllers, hubs for controlling multiple devices, door locks, home alarms, scales and garage door openers.

All of the devices included remote smartphone applications which were used to control them.

It was found that 90 per cent of the devices collected personal information, 70 per cent transmitted that data on an unencrypted network and 60 per cent had insecure user interfaces. Eight out of ten failed to require a strong enough password.

Good luck folks.  As soon as you start bringing this crap into your home you are giving criminals access to the most-intimate portions of your life and worse, you may be putting your safety at risk -- as I recently warned.

The obvious -- being able to open your garage door and thus gain access to the house and rob it, is only the beginning of the vulnerabilities.

No, manufacturers will not fix this.  They have no incentive to do so; indeed, they have every incentive not to do so as they want and use that data themselves!


Legal Disclaimer

The content on this site is provided without any warranty, express or implied. All opinions expressed on this site are those of the author and may contain errors or omissions.


The author may have a position in any company or security mentioned herein. Actions you undertake as a consequence of any analysis, opinion or advertisement on this site are your sole responsibility.

Market charts, when present, used with permission of TD Ameritrade/ThinkOrSwim Inc. Neither TD Ameritrade nor ThinkOrSwim has reviewed, approved or disapproved any content herein.

The Market Ticker content may be reproduced or excerpted online for non-commercial purposes provided full attribution is given and the original article source is linked to. Please contact Karl Denninger for reprint permission in other media or for commercial use.

Submissions or tips on matters of economic or political interest may be sent "over the transom" to The Editor at any time. To be considered for publication your submission must include full and correct contact information and be related to an economic or political matter of the day. All submissions become the property of The Market Ticker.