[onerng talk] amusing for USB RNGs :)
iang at iang.org
Sat Aug 2 08:47:08 BST 2014
On that thread, over on the Crypto list it was suggested that we could
make a pass-thru USB adaptor that would prevent the rewriting capability.
Is that possible? If so, could it be merged with the OneRNG design?
On 1/08/2014 13:02 pm, ianG wrote:
> This thumbdrive hacks computers. “BadUSB” exploit makes devices turn “evil”
> Researchers devise stealthy attack that reprograms USB device firmware.
> by Dan Goodin - Jul 31, 2014 1:21 pm UTC
> When creators of the state-sponsored Stuxnet worm used a USB stick to
> infect air-gapped computers inside Iran's heavily fortified Natanz
> nuclear facility, trust in the ubiquitous storage medium suffered a
> devastating blow. Now, white-hat hackers have devised a feat even more
> seminal—an exploit that transforms keyboards, Web cams, and other types
> of USB-connected devices into highly programmable attack platforms that
> can't be detected by today's defenses.
> Dubbed BadUSB, the hack reprograms embedded firmware to give USB devices
> new, covert capabilities. In a demonstration scheduled at next week's
> Black Hat security conference in Las Vegas, a USB drive, for instance,
> will take on the ability to act as a keyboard that surreptitiously types
> malicious commands into attached computers. A different drive will
> similarly be reprogrammed to act as a network card that causes connected
> computers to connect to malicious sites impersonating Google, Facebook
> or other trusted destinations. The presenters will demonstrate similar
> hacks that work against Android phones when attached to targeted
> computers. They say their technique will work on Web cams, keyboards,
> and most other types of USB-enabled devices.
> "Please don't do anything evil"
> "If you put anything into your USB [slot], it extends a lot of trust,"
> Karsten Nohl, chief scientist at Security Research Labs in Berlin, told
> Ars. "Whatever it is, there could always be some code running in that
> device that runs maliciously. Every time anybody connects a USB device
> to your computer, you fully trust them with your computer. It's the
> equivalent of [saying] 'here's my computer; I'm going to walk away for
> 10 minutes. Please don't do anything evil."
> View topic http://lists.onerng.info/r/topic/574o2KDOAMuHkDcA3XspOH
> Leave group mailto:onerng-talk at lists.onerng.info?Subject=unsubscribe
> Start groups http://OnlineGroups.net
More information about the Discuss