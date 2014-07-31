(Adds comment from Phison attorney)
By Jim Finkle
BOSTON, July 31 USB devices such as keyboards,
thumb-drives and mice can be used to hack into personal
computers in a potential new class of attacks that evade all
known security protections, a top computer researcher revealed
on Thursday.
Karsten Nohl, chief scientist with Berlin's SR Labs, noted
that hackers could load malicious software onto tiny, low-cost
computer chips that control functions of USB devices but which
have no built-in shields against tampering with their code.
"You cannot tell where the virus came from. It is almost
like a magic trick," said Nohl, whose research firm is known for
uncovering major flaws in mobile phone technology.
The finding shows that bugs in software used to run tiny
electronics components that are invisible to the average
computer user can be extremely dangerous when hackers figure out
how to exploit them. Security researchers have increasingly
turned their attention to uncovering such flaws.
Nohl said his firm has performed attacks by writing
malicious code onto USB control chips used in thumb drives and
smartphones. Once the USB device is attached to a computer, the
malicious software can log keystrokes, spy on communications and
destroy data, he said.
Computers do not detect the infections when tainted devices
are inserted because anti-virus programs are only designed to
scan for software written onto memory and do not scan the
"firmware" that controls the functioning of those devices, he
said.
Nohl and Jakob Lell, a security researcher at SR Labs, will
describe their attack method at next week's Black Hat hacking
conference in Las Vegas, in a presentation titled: "Bad USB - On
Accessories that Turn Evil."
Thousands of security professionals gather at the annual
conference to hear about the latest hacking techniques,
including ones that threaten the security of business computers,
consumer electronics and critical infrastructure.
Nohl said he would not be surprised if intelligence
agencies, like the National Security Agency, have already
figured out how to launch attacks using this technique.
Last year, he presented research at Black Hat on
breakthrough methods for remotely attacking SIM cards on mobile
phones. In December, documents leaked by former NSA contractor
Edward Snowden demonstrated that the U.S. spy agency was using a
similar technique for surveillance, which it called "Monkey
Calendar."
An NSA spokeswoman declined to comment.
SR Labs tested the technique by infecting controller chips
made by major Taiwanese manufacturer, Phison Electronics Corp
, and placing them in USB memory drives and
smartphones running Google Inc's Android operating
system.
Alex Chiu, an attorney with Phison, told Reuters via email
that Nohl had contacted the company about his research in May.
"Mr. Nohl did not offer detailed analysis together with work
product to prove his finding," Chiu said. "Phison does not have
ground to comment (on) his allegation."
Chiu said that "from Phison's reasonable knowledge and
belief, it is hardly possible to rewrite Phison's controller
firmware without accessing our confidential information."
Similar chips are made by Silicon Motion Technology Corp
and Alcor Micro Corp. Nohl said his firm did
not test devices with chips from those manufacturers.
Google did not respond to requests for comment. Officials
with Silicon Motion and Alcor Micro could not immediately be
reached.
Nohl believed hackers would have a "high chance" of
corrupting other kinds of controller chips besides those made by
Phison, because their manufacturers are not required to secure
software. He said those chips, once infected, could be used to
infect mice, keyboards and other devices that connect via USB.
"The sky is the limit. You can do anything at all," he said.
In his tests, Nohl said he was able to gain remote access to
a computer by having the USB instruct the computer to download a
malicious program with instructions that the PC believed were
coming from a keyboard. He was also able to change what are
known as DNS network settings on a computer, essentially
instructing the machine to route Internet traffic through
malicious servers.
Once a computer is infected, it could be programmed to
infect all USB devices that are subsequently attached to it,
which would then corrupt machines that they contact.
"Now all of your USB devices are infected. It becomes
self-propagating and extremely persistent," Nohl said. "You can
never remove it."
Christof Paar, a professor of electrical engineering at
Germany's University of Bochum who reviewed the findings, said
he believed the new research would prompt others to take a
closer look at USB technology, and potentially lead to the
discovery of more bugs. He urged manufacturers to improve
protection of their chips to thwart attacks.
"The manufacturer should make it much harder to change the
software that runs on a USB stick," Paar said.
