Inscrit le: 02 Oct 2010
|Posté le: Jeu 20 Jan - 09:41 (2011) Sujet du message: Researchers turn USB cable into attack tool
|Researchers turn USB cable into attack tool
Two researchers have figured out a way to attack laptops and smartphones through an innocent-looking USB cable.
Angelos Stavrou, an assistant professor of computer science at George Mason University, and student Zhaohui Wang wrote
software that changes the functionality of the USB driver so that they could launch a surreptitious attack while someone is
charging a smartphone or syncing data between a smartphone and a computer.
Basically, the exploit works by adding keyboard or mouse functionality to the connection so an attacker can then start typing
commands or click the mouse in order to steal files, download additional malware, or do other things to take control of the
computer, Stavrou told CNET in an interview. The exploit is enabled because the USB protocol can be used to connect any
device to a computing platform without authentication, he said.
He and his partner were scheduled to demonstrate an attack at the Black Hat DC conference today.
The exploit software they wrote identifies what operating sysetm is running on the device the USB cable is connected to. On
Macintosh and Windows machines, a message pops up saying the system has detected a new human interface device, but there is
no easily recognizable way to halt the process, Stavrou said. The Mac pop-up can be quickly removed by an attacker with a
command sent via the smartphone so the laptop owner may not even see it, while the Windows pop-up lasts only one or two
seconds in the lower left corner, making that an ineffective warning too, he said.
wow power leveling
Linux machines offer no warning, so users will have no idea that something out of the ordinary is happening, particularly
since the regular keyboard and mouse continue to function normally during an attack, Stavrou said.
"The operating system should present a pop-up and ask if the user really wants to connect the device" and specify what type
of device is being identified to the system, he said.
The researchers wrote the exploit for Android devices only at this point. "It can be done for iPhone, but we didn't do it
yet," Stavrou said. "It can work on any computing device that uses USB," and it can work between two smartphones by
connecting a USB cable between then, he said.
"Say your computer at home is compromised and you compromise your Android phone by connecting them," he said. "Then, whenever
you connect the smartphone to another laptop or computing device I can take over that computer also, and then compromise
other computers off that Android. It's a viral type of compromise using the USB cable."
The original compromise can happen by downloading the exploit from the Web or running an app that is compromised. The
researchers have created exploit software to run on a computer, and an exploit to run on Android that is a modification of
the Android operating system kernel. Scripts can then be written for the actual attack.
Antivirus software wouldn't necessarily stop this because it can't tell that the activities of the exploit are not controlled
or sanctioned by the user, Stavrou said. "It's hard to separate good behavior from bad behavior when it comes from the
keyboard," he said.
There's not much a person can do to protect against this at this time, according to Stavrou. The operating systems should
have the capability for devices to inspect USB traffic and alert users about what exactly is happening over the connection
and give them the option of refusing an action, he said.