
antdude
Matrix Ant
Premium Member
join:2001-03-25
US

2 recommendations

antdude

Premium Member

Now e-cigarettes can give you malware

»www.theguardian.com/tech ··· omputers from »boingboing.net/2014/11/2 ··· -ma.html

"Better for your lungs, worse for your hard drives, e-cigarettes can potentially infect a computer if plugged in to charge..."

Wow. :/
TheMG
Premium Member
join:2007-09-04
Canada

1 recommendation

TheMG

Premium Member

Quick security fix, if you really want to use a PC to charge such devices, get a USB extension cable and cut the two data wires. The device will still be able to charge but won't be able to exchange data with the PC.

Bill_MI
Bill In Michigan
MVM
join:2001-01-03
Royal Oak, MI
TP-Link Archer C7
Linksys WRT54GS
Linksys WRT54G v4

1 recommendation

Bill_MI

MVM

said by TheMG:

get a USB extension cable and cut the two data wires

I've been predicting extension cables would be a great place to hide a chip with malware, too. Mask (tape off) the data lines, instead - the large connector (USB A, data on middle 2 pins) will be where the chip is.
lawsoncl
join:2008-10-28
Spirit Lake, ID

1 recommendation

lawsoncl

Member


Snowden revealed that the 3-letter agencies have a catalog of stuff like this already for penetrating so-called air-gapped systems. USB cables with additional electronics in the connector. Hidden wifi in printers, etc. Thumb-drives that auto-run malware, etc. Not just the traditional auto-run stuff, but malicious usb protocols firmware that exploit buffer overflows in the usb driver itself.

Kinda scary when you realize that even innocuous off the stuff things can be malicious

StuartMW
Premium Member
join:2000-08-06

1 recommendation

StuartMW

Premium Member

said by lawsoncl:

Kinda scary when you realize that even innocuous off the stuff things can be malicious

Maybe floppies weren't so bad after all
Kearnstd
Space Elf
Premium Member
join:2002-01-22
Mullica Hill, NJ

1 recommendation

Kearnstd to antdude

Premium Member

to antdude
Seems like good incentive to just plug the ecig into a phone charger brick since they are USB too.
joewho
Premium Member
join:2004-08-20
Dundee, IL

1 recommendation

joewho to antdude

Premium Member

to antdude
This is crazy. I charge my e-cig on the computer. Now I'm looking at it differently.

Ian1
Premium Member
join:2002-06-18
ON

1 recommendation

Ian1 to antdude

Premium Member

to antdude
I think this illustrates the problem of blending power and data into 1 connector. It seems reasonable for someone to just think of it as charging, without considering USB's other purpose.

I can see IT departments disabling USB ports or issuing firm rules about asking them first before plugging something into USB. There are all kinds of "Made in China" USB desk toys.

StuartMW
Premium Member
join:2000-08-06

6 recommendations

StuartMW to antdude

Premium Member

to antdude
Always practice safe hex



Camaro
Question everything
Premium Member
join:2008-04-05
Westfield, MA

2 recommendations

Camaro to antdude

Premium Member

to antdude
Have to give them credit, that is very imaginative.
Kearnstd
Space Elf
Premium Member
join:2002-01-22
Mullica Hill, NJ

1 recommendation

Kearnstd to Ian1

Premium Member

to Ian1
My guess is they will take the nuclear option and find a way to disable all but the ones with mouse and keyboard attached.

Relying on people to ask first almost always fails and tracking compliance is nearly impossible.

I could see cubicles with USB outlets that are power only becoming more popular though. People could plug in their phones or USB desk toys or ecigs and not put any risk on the computers.

siljaline
I'm lovin' that double wide
Premium Member
join:2002-10-12
Montreal, QC

3 recommendations

siljaline to antdude

Premium Member

to antdude
Very long thread on Reddit
»www.reddit.com/r/talesfr ··· e_again/

My Bud Jesper's Tweet:
»twitter.com/jesperjurcen ··· 54890240
siljaline

1 recommendation

siljaline to antdude

Premium Member

to antdude
Some are disputing the accuracy and efficacy in the content of the Guardian article.
FUD: E-Cig chargers said to be delivering malware
»www.csoonline.com/articl ··· are.html

Kilroy
MVM
join:2002-11-21
Saint Paul, MN

1 edit

Kilroy to antdude

MVM

to antdude
I just picked up a 5-Port Family-Sized Wall Charger Multi Port USB Charger. It was mentioned in the 2014 Ars Technica gift guide. My main reason was for some upcoming travel. Better to have one charger for everything than a handful for the phones, iPad, Kindles.

sweller
join:2009-04-25
Tucson, AZ

sweller to siljaline

Member

to siljaline
said by siljaline:

Some are disputing the accuracy and efficacy in the content of the Guardian article.

I just did graduate to becoming nicotine-free thanks to e-cigs. I can attest that not all e-cig chargers are created equally. I won't be at all surprised to learn that some are susceptible to being infected.

IOW - some are "smarter" than others.

siljaline
I'm lovin' that double wide
Premium Member
join:2002-10-12
Montreal, QC

siljaline

Premium Member

said by sweller:

I just did graduate to becoming nicotine-free thanks to e-cigs. I can attest that not all e-cig chargers are created equally. I won't be at all surprised to learn that some are susceptible to being infected.

Good to hear e-Cigs helped you kick smokes.
said by sweller:

IOW - some are "smarter" than others.

It's a differing point of view, which is why I posted the CSO Online info.
Not all security bloggers think alike.
siljaline

1 recommendation

siljaline to antdude

Premium Member

to antdude
It is what it is
~ Now cyber criminals use E-cigarettes to spread malware ~
»www.techworm.net/2014/11 ··· are.html

angussf
Premium Member
join:2002-01-11
Tucson, AZ

angussf to antdude

Premium Member

to antdude
Clearly you need to practice safe hex with a USB Condom:
The Original USB Condom | int3.cc
»int3.cc/products/usbcondoms
or buy a charge-only cable here:
PortaPow Specialised 5ft 22AWG Charge Only Micro USB Cable
»www.amazon.com/PortaPow- ··· 088HTYUE

StuartMW
Premium Member
join:2000-08-06

StuartMW

Premium Member

said by angussf:

...or buy a charge-only cable here...

Many years ago I made my own USB connector (male-female) that only passed through power. I used it to power my MP3 player at work since it would enter mass storage mode when connected to a PC. I could use any standard USB cable (of any type) with that connector. I still have it...somewhere...

siljaline
I'm lovin' that double wide
Premium Member
join:2002-10-12
Montreal, QC

siljaline to antdude

Premium Member

to antdude
E-cigarettes fingered as source of NASTY VIRUS
quote:
E-cigarettes have been fingered as the source of a new computer virus. "IT guy" Jrockilla told the Talesfromtechsupport forum that he suspects the malware was "hard coded" into the USB charger of his boss's electronic toker.

In his post, he says:

The executive’s system was patched up to date, had anti-virus and up-to-date anti-malware protection. Web logs were scoured and all attempts made to identify the source of the infection were to no avail. Finally, after all traditional means of infection were covered, IT started looking into other possibilities. It finally asked the executive “have there been any changes in your life recently”? The executive answer was, “well yes, I quit smoking two weeks ago and switched to e-cigarettes"... [...]
»www.theregister.co.uk/20 ··· ight_be/

Blackbird
Built for Speed
Premium Member
join:2005-01-14
Fort Wayne, IN

Blackbird to antdude

Premium Member

to antdude
I recall something like this occurred some years back when the "digital picture frames" first became popular. When users hooked them up via USB ports to transfer pictures/photos off their computers, they were hacked by malware embedded in the picture frames.

siljaline
I'm lovin' that double wide
Premium Member
join:2002-10-12
Montreal, QC

siljaline

Premium Member

I do recall that time when some devices and objects had malware in the werks, but that was a day when a pass or two with Ad-aware or SpyBot S&D did the trick.

Bill_MI
Bill In Michigan
MVM
join:2001-01-03
Royal Oak, MI

Bill_MI

MVM

The USB spec was too early to have much security and we're paying for it now. Yet there's STILL an awful lot of convenience-over-security with USB handling that's hard to believe today.
Nanaki (banned)
aka novaflare. pull punches? Na
join:2002-01-24
Akron, OH

Nanaki (banned)

Member

New BIOSes and motherboards along with OS-implemented stuff could lock down USB ports from being a malware vector; at least potentially it could be done. But all motherboards until such a thing happens would remain vulnerable.

Bill_MI
Bill In Michigan
MVM
join:2001-01-03
Royal Oak, MI
TP-Link Archer C7
Linksys WRT54GS
Linksys WRT54G v4

1 recommendation

Bill_MI

MVM

Maybe in theory. But BIOS evolved with so little accountability, so many bugs and a "good enough" attitude. That's why it's ignored by every modern o/s I can think of. It's not really the place to be putting security reliance requiring anything complex.

The problem with USB remains the promiscuous protocol it has. Microsoft has been battling it for ages and I recall they had a little trouble changing operation because violating the USB spec was initially resisted. I don't think that's a problem any more but I could be wrong. "USB" is a trademark getting in the way of security as far as I'm concerned.
scross
join:2002-09-13
USA

1 recommendation

scross to antdude

Member

to antdude
On USB ports and security; scary stuff.

»www.wired.com/2014/07/us ··· ecurity/

Bill_MI
Bill In Michigan
MVM
join:2001-01-03
Royal Oak, MI
TP-Link Archer C7
Linksys WRT54GS
Linksys WRT54G v4

1 recommendation

Bill_MI

MVM

There ya go. Anyone thinking a memory stick will stay a "Mass Storage Device" forever can be quite mistaken.

These guys demonstrated how devices can be reprogrammed to become a network adapter or a keyboard. And both at the same time! While it's at it, here's the memory with some other code. The USB spec allows these things to auto-configure. That alone gives me the willies of the power it has - and all for convenience.
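
An added example, not part of any post in this thread: a defender-side check for the situation described above, where a device that should be storage-only (or power-only) also enumerates as a keyboard or network adapter. It reads interface class codes from Linux sysfs (`bInterfaceClass`); the device names, the per-port policy and the sample inventory are constructed assumptions.

```python
import glob
import os

# USB-IF base class codes as reported in bInterfaceClass
HID, MASS_STORAGE, CDC, CDC_DATA, HUB = 0x03, 0x08, 0x02, 0x0A, 0x09
INPUT_OR_NETWORK = {HID, CDC, CDC_DATA}

def read_sysfs(root="/sys/bus/usb/devices"):
    """Map device name (e.g. '1-2') -> set of interface classes it exposes."""
    devices = {}
    for path in glob.glob(os.path.join(root, "*:*", "bInterfaceClass")):
        iface = os.path.basename(os.path.dirname(path))  # e.g. '1-2:1.0'
        dev = iface.split(":")[0]
        with open(path) as fh:
            devices.setdefault(dev, set()).add(int(fh.read().strip(), 16))
    return devices

def assess(classes, expected):
    """Findings for one device, given the classes its owner expects to see."""
    findings = []
    unexpected = classes - expected - {HUB}
    if unexpected:
        findings.append("unexpected interface class(es): "
                        + ", ".join(f"0x{c:02x}" for c in sorted(unexpected)))
    if MASS_STORAGE in classes and classes & INPUT_OR_NETWORK:
        findings.append("storage combined with keyboard/network interface")
    return findings

def audit(inventory, policy):
    """Devices missing from the policy are expected to expose nothing."""
    report = {}
    for dev, classes in inventory.items():
        findings = assess(classes, policy.get(dev, set()))
        if findings:
            report[dev] = findings
    return report

# Constructed sample: a keyboard, a memory stick that also presents a keyboard
# and a network interface, and a "charger" on a port meant for power only.
SAMPLE_INVENTORY = {"1-1": {HID}, "1-2": {MASS_STORAGE, HID, CDC}, "1-3": {HID}}
SAMPLE_POLICY = {"1-1": {HID}, "1-2": {MASS_STORAGE}}  # hypothetical allowlist

if __name__ == "__main__":
    live = read_sysfs()  # empty on systems without Linux sysfs
    for dev, findings in audit(live or SAMPLE_INVENTORY, SAMPLE_POLICY).items():
        print(dev, "->", "; ".join(findings))
```

A device on a true charge-only cable never enumerates, so it produces no sysfs entry at all; anything that does appear on a port meant for charging is itself the finding.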
scross
join:2002-09-13
USA

scross

Member

Some years back I was reviewing a piece of high-end computer equipment - one of those situations where they were trying to go mass-market with the hardware (using identical or very similar hardware configurations aimed at different markets) in order to save on manufacturing costs. I noted that the equipment I was looking at had a USB port, but the docs for it said that it was disabled and not usable, at least for the high-end environments. I never did get an answer at the time as to why this was so, just that they had no idea when the USB port would be enabled, if ever. A review of the security implications here tells me all that I need to know about that now.

I'm guessing that to be competitive in the lower-end markets (which probably expected and demanded such a thing) they had to provide that USB port and enable it. But in the higher-end markets (which didn't expect or demand it, and in fact would have been appalled by the security implications of it) they wisely chose not to do that. I'm a bit surprised that they didn't just go ahead and remove it or seal it up or whatever for the high-end environments, though, because it no doubt led to a lot of questions - both of the "Why can't we use it?" variety and the "Why the hell is that thing there?" variety.

Blackbird
Built for Speed
Premium Member
join:2005-01-14
Fort Wayne, IN

Blackbird

Premium Member

said by scross:

Some years back I was reviewing a piece of high-end computer equipment - one of those situations where they were trying to go mass-market with the hardware (using identical or very similar hardware configurations aimed at different markets) in order to save on manufacturing costs. I noted that the equipment I was looking at had a USB port, but the docs for it said that it was disabled and not usable, at least for the high-end environments. I never did get an answer at the time as to why this was so, just that they had no idea when the USB port would be enabled, if ever. A review of the security implications here tells me all that I need to know about that now. ...

In manufacturing, when tooling and provisioning costs are relevant, it can be cheaper to make one overall design that carries a physical USB connector (with case cutouts, board layout, etc, etc), whether "enabled" or not, than to have different sets of tooling and different parts provisioning for different-featured models. The question in my mind would be whether or not the USB port was only 'disabled' in software but wired-in and interfaced otherwise, or whether it was physically unconnected or had its interface chip missing off the board... a BIG difference, security-wise. Cost-wise, I'd not be surprised to see a one-size-fits-all physical design that only software-enabled certain features in different models... economy of scale being what it often is.

StuartMW
Premium Member
join:2000-08-06

StuartMW

Premium Member

said by Blackbird:

... or whether it was physically unconnected or had its interface chip missing off the board...

These days hardware is "so cheap" that off-the-shelf hardware includes everything. The costs of making/warehousing different builds isn't worth it.

In many products the (price) difference is in the loaded firmware/software. For example if you want USB you pay extra to have the (software) driver and support included.