antdude (Matrix Ant) Premium Member join:2001-03-25 US
2 recommendations |
antdude
Premium Member
2014-Nov-21 10:29 pm
Now e-cigarettes can give you malware
» www.theguardian.com/tech ··· omputers from » boingboing.net/2014/11/2 ··· -ma.html
"Better for your lungs, worse for your hard drives, e-cigarettes can potentially infect a computer if plugged in to charge..." Wow. :/ |
|
TheMG Premium Member join:2007-09-04 Canada
1 recommendation |
TheMG
Premium Member
2014-Nov-22 2:15 am
Quick security fix, if you really want to use a PC to charge such devices, get a USB extension cable and cut the two data wires. The device will still be able to charge but won't be able to exchange data with the PC. |
|
Bill_MI (Bill In Michigan) MVM join:2001-01-03 Royal Oak, MI TP-Link Archer C7 Linksys WRT54GS Linksys WRT54G v4
1 recommendation |
said by TheMG: get a USB extension cable and cut the two data wires
I've been predicting extension cables would be a great place to hide a chip with malware, too. Mask (tape off) the data lines, instead - the large connector (USB A, data on middle 2 pins) will be where the chip is. |
|
1 recommendation |
Snowden revealed that the 3-letter agencies have a catalog of stuff like this already for penetrating so-called air-gapped systems. USB cables with additional electronics in the connector. Hidden wifi in printers, etc. Thumb-drives that auto-run malware, etc. Not just the traditional auto-run stuff, but malicious usb protocols firmware that exploit buffer overflows in the usb driver itself.
Kinda scary when you realize that even innocuous off-the-shelf things can be malicious.
|
|
1 recommendation |
StuartMW
Premium Member
2014-Nov-22 4:58 pm
said by lawsoncl: Kinda scary when you realize that even innocuous off-the-shelf things can be malicious
Maybe floppies weren't so bad after all |
|
Kearnstd (Space Elf) Premium Member join:2002-01-22 Mullica Hill, NJ
1 recommendation |
to antdude
Seems like good incentive to just plug the ecig into a phone charger brick since they are USB too. |
|
joewho Premium Member join:2004-08-20 Dundee, IL
1 recommendation |
to antdude
This is crazy. I charge my e-cig on the computer. Now I'm looking at it differently. |
|
Ian1 Premium Member join:2002-06-18 ON
1 recommendation |
to antdude
I think this illustrates the problem of blending power and data into 1 connector. It seems reasonable for someone to just think of it as charging, without considering USB's other purpose.
I can see IT departments disabling USB ports or issuing firm rules about asking them first before plugging something into USB. There are all kinds of "Made in China" USB desk toys. |
|
6 recommendations |
to antdude
Always practice safe hex
|
|
Camaro (Question everything) Premium Member join:2008-04-05 Westfield, MA
2 recommendations |
to antdude
Have to give them credit, that is very imaginative. |
|
Kearnstd (Space Elf) Premium Member join:2002-01-22 Mullica Hill, NJ
1 recommendation |
to Ian1
My guess is they will take the nuclear option and find a way to disable all but the ones with mouse and keyboard attached.
Relying on people to ask first almost always fails and tracking compliance is nearly impossible.
I could see cubicles with USB outlets that are power only becoming more popular though. People could plug in their phones or USB desk toys or ecigs and not put any risk on the computers. |
|
siljaline (I'm lovin' that double wide) Premium Member join:2002-10-12 Montreal, QC
3 recommendations |
to antdude
|
|
siljaline
1 recommendation |
to antdude
Some are disputing the accuracy and efficacy in the content of the Guardian article.
FUD: E-Cig chargers said to be delivering malware
» www.csoonline.com/articl ··· are.html |
|
Kilroy MVM join:2002-11-21 Saint Paul, MN 1 edit |
to antdude
I just picked up a 5-Port Family-Sized Wall Charger Multi Port USB Charger. It was mentioned in the 2014 Ars Technica gift guide. My main reason was for some upcoming travel. Better to have one charger for everything than a handful for the phones, iPad, Kindles. |
|
|
to siljaline
said by siljaline: Some are disputing the accuracy and efficacy in the content of the Guardian article.
I just did graduate to becoming nicotine-free thanks to e-cigs. I can attest that not all e-cig chargers are created equally. I won't be at all surprised to learn that some are susceptible to being infected. IOW - some are "smarter" than others. |
|
siljaline (I'm lovin' that double wide) Premium Member join:2002-10-12 Montreal, QC |
said by sweller: I just did graduate to becoming nicotine-free thanks to e-cigs. I can attest that not all e-cig chargers are created equally. I won't be at all surprised to learn that some are susceptible to being infected.
Good to hear e-Cigs helped you kick smokes.
said by sweller: IOW - some are "smarter" than others.
It's a differing point of view, which is why I posted the CSO Online info. Not all security bloggers think alike. |
|
siljaline
1 recommendation |
to antdude
It is what it is ~ Now cyber criminals use E-cigarettes to spread malware ~ » www.techworm.net/2014/11 ··· are.html |
|
angussf Premium Member join:2002-01-11 Tucson, AZ |
to antdude
Clearly you need to practice safe hex with a USB Condom: The Original USB Condom | int3.cc »int3.cc/products/usbcondoms
or buy a charge-only cable here: PortaPow Specialised 5ft 22AWG Charge Only Micro USB Cable »www.amazon.com/PortaPow- ··· 088HTYUE
|
|
|
StuartMW
Premium Member
2014-Nov-25 12:17 pm
said by angussf: ...or buy a charge-only cable here...
Many years ago I made my own USB connector (male-female) that only passed through power. I used it to power my MP3 player at work since it would enter mass storage mode when connected to a PC. I could use any standard USB cable (of any type) with that connector. I still have it...somewhere... |
|
siljaline (I'm lovin' that double wide) Premium Member join:2002-10-12 Montreal, QC |
to antdude
E-cigarettes fingered as source of NASTY VIRUS
quote: E-cigarettes have been fingered as the source of a new computer virus. "IT guy" Jrockilla told the Talesfromtechsupport forum that he suspects the malware was "hard coded" into the USB charger of his boss's electronic toker.
In his post, he says:
The executive's system was patched up to date, had anti-virus and up-to-date anti-malware protection. Web logs were scoured and all attempts made to identify the source of the infection were to no avail. Finally, after all traditional means of infection were covered, IT started looking into other possibilities. It finally asked the executive have there been any changes in your life recently? The executive answer was, "well yes, I quit smoking two weeks ago and switched to e-cigarettes"... [...]
» www.theregister.co.uk/20 ··· ight_be/ |
|
Blackbird (Built for Speed) Premium Member join:2005-01-14 Fort Wayne, IN |
to antdude
I recall something like this occurred some years back when the "digital picture frames" first became popular. When users hooked them up via USB ports to transfer pictures/photos off their computers, they were hacked by malware embedded in the picture frames. |
|
siljaline (I'm lovin' that double wide) Premium Member join:2002-10-12 Montreal, QC |
I do recall that time when some devices and objects had malware in the werks, but that was a day when a pass or two with Ad-aware or SpyBot S&D did the trick. |
|
Bill_MI (Bill In Michigan) MVM join:2001-01-03 Royal Oak, MI |
The USB spec was too early to have much security and we're paying for it now. Yet there's STILL an awful lot of convenience-over-security with USB handling that's hard to believe today. |
|
Nanaki (banned) (aka novaflare. pull punches? Na) join:2002-01-24 Akron, OH |
Nanaki (banned)
Member
2014-Dec-1 6:45 pm
New BIOSes and motherboards, along with OS-implemented stuff, could lock down USB ports from being a malware vector; at least potentially it could be done. But all motherboards, until such a thing happens, would remain vulnerable. |
|
Bill_MI (Bill In Michigan) MVM join:2001-01-03 Royal Oak, MI TP-Link Archer C7 Linksys WRT54GS Linksys WRT54G v4
1 recommendation |
Maybe in theory. But BIOS evolved with so little accountability, so many bugs and a "good enough" attitude. That's why it's ignored by every modern o/s I can think of. It's not really the place to be putting security reliance requiring anything complex.
The problem with USB remains the promiscuous protocol it has. Microsoft has been battling it for ages and I recall they had a little trouble changing operation because violating the USB spec was initially resisted. I don't think that's a problem any more but I could be wrong. "USB" is a trademark getting in the way of security as far as I'm concerned. |
|
1 recommendation |
to antdude
On USB ports and security; scary stuff. » www.wired.com/2014/07/us ··· ecurity/ |
|
Bill_MI (Bill In Michigan) MVM join:2001-01-03 Royal Oak, MI TP-Link Archer C7 Linksys WRT54GS Linksys WRT54G v4
1 recommendation |
There ya go. Anyone thinking a memory stick will stay a "Mass Storage Device" forever can be quite mistaken. These guys demonstrated how devices can be reprogrammed to become a network adapter or a keyboard. And both at the same time! While it's at it, here's the memory with some other code. The USB spec allows these things to auto-configure. That alone gives me the willies of the power it has - and all for convenience. |
|
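A defensive check for the point made in the post above, as an added example that is not part of the original thread: it flags any USB device that presents a mass-storage interface together with a keyboard-style (HID) or network-style interface. The function names and the sample data are constructed for illustration; the class codes are the standard USB `bInterfaceClass` values, and the reader assumes Linux sysfs.

```python
import glob
import os
from collections import defaultdict

# bInterfaceClass values from the USB-IF class code list.
MASS_STORAGE = 0x08
CLASS_NAMES = {0x02: "cdc-communications", 0x03: "hid", 0x08: "mass-storage",
               0x0A: "cdc-data", 0xE0: "wireless-controller"}
INPUT_OR_NETWORK = {0x02, 0x03, 0x0A, 0xE0}


def flag_mixed_role_devices(interfaces):
    """interfaces: iterable of (device_id, bInterfaceClass).

    Returns {device_id: [class names]} for every device that exposes mass
    storage together with a keyboard-style (HID) or network-style interface.
    """
    per_device = defaultdict(set)
    for device_id, iface_class in interfaces:
        per_device[device_id].add(iface_class)
    flagged = {}
    for device_id, classes in per_device.items():
        if MASS_STORAGE in classes and classes & INPUT_OR_NETWORK:
            flagged[device_id] = sorted(CLASS_NAMES.get(c, hex(c)) for c in classes)
    return flagged


def read_sysfs_interfaces(root="/sys/bus/usb/devices"):
    """Linux: interface directories are named like '1-2:1.0' and each holds a
    bInterfaceClass file with a two-digit hex value."""
    found = []
    for path in glob.glob(os.path.join(root, "*:*", "bInterfaceClass")):
        device_id = os.path.basename(os.path.dirname(path)).split(":")[0]
        with open(path) as handle:
            found.append((device_id, int(handle.read().strip(), 16)))
    return found


# Constructed sample: a plain stick, a keyboard, and a "stick" that also
# enumerates as a keyboard and a network adapter.
SAMPLE = [("1-1", 0x08), ("1-2", 0x03),
          ("1-3", 0x08), ("1-3", 0x03), ("1-3", 0x02)]

if __name__ == "__main__":
    observed = read_sysfs_interfaces() or SAMPLE
    for device_id, roles in sorted(flag_mixed_role_devices(observed).items()):
        print(f"review {device_id}: {', '.join(roles)}")
```

A hit is a prompt for review, not proof of tampering, since some legitimate composite devices combine these classes. A device that enumerates only as a keyboard is not caught by this check and needs a device allowlist instead.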
|
scross
Member
2014-Dec-2 7:27 am
Some years back I was reviewing a piece of high-end computer equipment - one of those situations where they were trying to go mass-market with the hardware (using identical or very similar hardware configurations aimed at different markets) in order to save on manufacturing costs. I noted that the equipment I was looking at had a USB port, but the docs for it said that it was disabled and not usable, at least for the high-end environments. I never did get an answer at the time as to why this was so, just that they had no idea when the USB port would be enabled, if ever. A review of the security implications here tells me all that I need to know about that now. I'm guessing that to be competitive in the lower-end markets (which probably expected and demanded such a thing) they had to provide that USB port and enable it. But in the higher-end markets (which didn't expect or demand it, and in fact would have been appalled by the security implications of it) they wisely chose not to do that. I'm a bit surprised that they didn't just go ahead and remove it or seal it up or whatever for the high-end environments, though, because it no doubt led to a lot of questions - both of the "Why can't we use it?" variety and the "Why the hell is that thing there?" variety. |
|
Blackbird (Built for Speed) Premium Member join:2005-01-14 Fort Wayne, IN |
said by scross: Some years back I was reviewing a piece of high-end computer equipment - one of those situations where they were trying to go mass-market with the hardware (using identical or very similar hardware configurations aimed at different markets) in order to save on manufacturing costs. I noted that the equipment I was looking at had a USB port, but the docs for it said that it was disabled and not usable, at least for the high-end environments. I never did get an answer at the time as to why this was so, just that they had no idea when the USB port would be enabled, if ever. A review of the security implications here tells me all that I need to know about that now. ...
In manufacturing, when tooling and provisioning costs are relevant, it can be cheaper to make one overall design that carries a physical USB connector (with case cutouts, board layout, etc, etc), whether "enabled" or not, than to have different sets of tooling and different parts provisioning for different-featured models. The question in my mind would be whether or not the USB port was only 'disabled' in software but wired-in and interfaced otherwise, or whether it was physically unconnected or had its interface chip missing off the board... a BIG difference, security-wise. Cost-wise, I'd not be surprised to see a one-size-fits-all physical design that only software-enabled certain features in different models... economy of scale being what it often is. |
|
|
StuartMW
Premium Member
2014-Dec-2 8:50 am
said by Blackbird: ... or whether it was physically unconnected or had its interface chip missing off the board...
These days hardware is "so cheap" that off-the-shelf hardware includes everything. The costs of making/warehousing different builds isn't worth it. In many products the (price) difference is in the loaded firmware/software. For example if you want USB you pay extra to have the (software) driver and support included. |
|