Security experts have been haunted by the prospect of an unpatchable, potent, fundamental bug in USB devices; the tension only heightened when source code for an exploit went live last week.
Now there's a technique for partially mitigating some of the harm in some USB devices -- cold comfort. And to be certain it works, you need to cover your USB devices with epoxy. But it's a start -- and chances are that there were bad guys and spy agencies who were aware of this and exploiting it in the wild long before its disclosure to the general public, so we need to get started on fixing it in any event.
Rather than try to prevent any of those specific attacks, Caudill and Wilson’s fix is meant to prevent firmware changes altogether. Their patch code, which they’ve released on Github, does this by disabling “boot mode” on a USB device, the state in which its firmware is meant to be reprogrammed. Without boot mode, Caudill says it would become far harder to pull off any BadUSB attack, and would virtually eliminate the threat of malware that spreads from USB stick to PC and vice versa. “By making that change, you can drastically change the risk associated with this,” says Caudill. “It makes any type of self-replicating, worm-type malware very, very difficult to use.”
Caudill and Wilson’s firmware patch is far from universal: it only works for one version of USB code, the latest USB 3.0 firmware distributed by the Taiwanese firm Phison, the world’s top manufacturer of USB controller chips. That’s the same USB maker whose code Nohl reverse-engineered for his presentation in August, and that Caudill and Wilson targeted with the demonstration exploit code they released last month at the Derbycon hacker conference. They’re working now to extend the fix to all Phison USB firmware.
That Unpatchable USB Malware Now Has a Patch … Sort Of [Andy Greenberg/Wired]