Doubts about USB security are ill-founded

Published on 24 October 2014

There has recently been a lot of media attention surrounding research published by Karsten Nohl and Jakob Lell of SRLabs. This research has attempted to demonstrate how USB devices could potentially be a means for introducing malware into computing and portable electronics platforms. It has subsequently gone on to imply that there isn’t any effective method to protect against this particular vulnerability. Their provocative, if not bordering on inflammatory, comments that USB is ‘critically flawed’ and computer/portable electronic device users will not be able to ‘trust anything anymore after plugging in a USB stick’ are not in any way realistic however. Things therefore need to be put straight.

The two researchers, located in Berlin, have given demonstrations showing that USB memory thumb drives which appear to be completely empty, and which have been formatted as well as virus scanned, could still have undetected malicious code upon them. This would be hidden within the firmware of their interface ICs.

Based on their findings they have implied that this is the end for USB thumb drives and many other USB accessories, and that it may even be necessary that ‘businesses should stop using them’ altogether. They have even suggested that, despite its huge prevalence (with over 6 billion ports in operation around the globe), the findings of their research basically signify the end of USB as a data transfer medium. This is a bold statement and furthermore it is completely unjustifiable. In truth USB is simply no more at risk of malicious attack than any other means of transferring data, such as via wireless communication (Bluetooth/Wi-Fi) or Internet connections.

Though the research conducted at SRLabs highlights the fact that there is an increasing danger posed by all manner of cyber attacks in every element of modern society, this certainly does not mean that the days of USB are numbered. It should be pointed out that concerns about susceptibility of firmware to manipulation of this kind are usually centred on microcontroller-based products where there is the possibility for the microcontroller unit to be reprogrammed on the fly in order to perform some additional unwanted functions. Though this can apply to some USB interface ICs on the market, as long as OEMs producing USB peripherals choose to incorporate better quality ones into their designs then the threat is mitigated.

The SRLabs researchers have gone on the record saying that there are ‘no effective defences from USB attacks’, but this is actually far from correct. Certain established semiconductor manufacturers addressing the USB market already have the proven technology necessary to combat the issues raised here.

The popular USB bridge ICs offered by FTDI Chip are vendor class, rather than memory stick (mass storage) class. This device class cannot be customised in order to appear as an alternative device type. Since these ICs are hardwired (relying on fixed function ASIC implementations), they do not have any firmware whatsoever. As a result there is no place for this malicious code to be placed. All the control of communications is done totally in hardware. Some ICs in its portfolio make use of a small EEPROM memory resource, but this is merely for storing settings – it is not capacious enough for any form of malware to be held there. As a result of all this, FTDI Chip’s USB Bridge ICs cannot be reprogrammed to do something other than what they were originally designed to do, and the possibility of it being corrupted is therefore eliminated. Because they are vendor class they require a specific FTDI driver/API if they are to be accessed.
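As an added illustration (not code from FTDI Chip or the original article): the class a device declares is carried in `bInterfaceClass` of each interface descriptor, so a host-side audit can parse a captured configuration descriptor and compare it with a per-port allowlist. The descriptors below are constructed samples, and the function names and the allowlist policy are assumptions.

```python
import struct

# USB-IF base class codes (bInterfaceClass) used in this example.
CLASS_NAMES = {0x03: "HID", 0x08: "Mass Storage", 0xFF: "Vendor Specific"}
DT_CONFIG, DT_INTERFACE, DT_ENDPOINT = 0x02, 0x04, 0x05


def parse_interfaces(raw):
    """Walk a configuration descriptor; return each interface's declared class."""
    if len(raw) < 9 or raw[0] != 9 or raw[1] != DT_CONFIG:
        raise ValueError("not a configuration descriptor")
    total_len = struct.unpack_from("<H", raw, 2)[0]
    if total_len > len(raw):
        raise ValueError("wTotalLength exceeds captured data")
    interfaces, off = [], 0
    while off < total_len:
        if off + 2 > total_len:
            raise ValueError(f"truncated descriptor header at offset {off}")
        blen, dtype = raw[off], raw[off + 1]
        if blen < 2 or off + blen > total_len:
            raise ValueError(f"malformed descriptor at offset {off}")
        if dtype == DT_INTERFACE:
            if blen < 9:
                raise ValueError(f"short interface descriptor at offset {off}")
            num, _alt, _neps, cls, sub, proto = struct.unpack_from("6B", raw, off + 2)
            interfaces.append({"number": num, "class": cls, "subclass": sub,
                               "protocol": proto,
                               "name": CLASS_NAMES.get(cls, f"0x{cls:02X}")})
        off += blen  # every descriptor type is skipped by its own bLength
    return interfaces


def violations(raw, allowed=frozenset({0xFF})):
    """Interfaces whose declared class is outside the allowlist for this port.
    Default policy (an assumption): only vendor-specific interfaces expected."""
    return [i for i in parse_interfaces(raw) if i["class"] not in allowed]


def _config(*ifaces):
    """Build a constructed configuration descriptor: one bulk endpoint per interface."""
    body = b"".join(
        bytes([9, DT_INTERFACE, n, 0, 1, c, s, p, 0]) +
        bytes([7, DT_ENDPOINT, 0x81 + n, 0x02, 0x40, 0x00, 0])
        for n, (c, s, p) in enumerate(ifaces))
    head = struct.pack("<BBHBBBBB", 9, DT_CONFIG, 9 + len(body), len(ifaces), 1, 0, 0x80, 50)
    return head + body


# Constructed samples: a single vendor-class interface, and a composite device.
BRIDGE_LIKE = _config((0xFF, 0xFF, 0xFF))
COMPOSITE = _config((0x08, 0x06, 0x50), (0x03, 0x00, 0x00))
```

The descriptor only reports what a device declares, so this is an inventory and policy check rather than evidence about what firmware, if any, sits behind the interface.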

So there are USB ICs currently available, constructed upon hardware state machine architectures rather than being microcontroller based, which are impossible to reprogram. The fact that the aforementioned research omits details of how the industry can take steps to overcome the issue by specifying such ICs makes it somewhat evident that this whole affair is more about self promotion than acting in the public interest.

It is not unusual of course for those within the IT security sector to pull off publicity stunts such as this – with the intent more often than not of simply serving their own agenda. There has always been a tendency to make exaggerated (and generally poorly informed) claims in order to cajole people into investing in new software packages and suchlike. The problem is that resorting to scaremongering tactics can in many cases lead to an overreaction.

Fred Dart, CEO, FTDI Chip


