david wong

Hey ! I'm David, a security consultant at Cryptography Services, the crypto team of NCC Group . This is my blog about cryptography and security and other related topics that I find interesting.

BadUSB August 2014

An interesting read about how any usb device could be a potential threat. Some scary extracts:

Once reprogrammed, benign devices can turn malicious in many ways, including:

  • A device can emulate a keyboard and issue commands on behalf of the logged-in user, for example to exfiltrate files or install malware. Such malware, in turn, can infect the controller chips of other USB devices connected to the computer.
  • The device can also spoof a network card and change the computer’s DNS setting to redirect traffic.
  • A modified thumb drive or external hard disk can – when it detects that the computer is starting up – boot a small virus, which infects the computer’s operating system prior to boot.

And a scarier one...

No effective defenses from USB attacks are known.

Once infected, computers and their USB peripherals can never be trusted again.

Some proof of concept should be introduced in a week at the incoming Black Hat convention. This is gonna be good :)

EDIT:

There's actually something similar that you can already buy: The USB Rubber Duck

rubber duck

Well done! You've reached the end of my post. Now you can leave me a comment :)