26 Software Bugs in USB Devices

2. July, 2020

Computer mouses, keyboards, USB sticks and hubs, power banks, chargers – the USB interfaces of computers and smartphones are in great demand. The risks that USB accessories can involve are rarely questioned. However, the USB interface is very susceptible to misuse due to its flexibility. From a technical point of view, it is relatively easy to simulate USB input devices, to load USB sticks with malicious software or to eavesdrop on input via manipulated devices and interfaces. Even systems that are well protected per se can thus be infected and manipulated.

Hardware and software problems possible

Not only the hardware, but also the software of the various USB devices can cause problems. Security researchers recently found 26 new software bugs in USB driver stacks. The distribution of the bugs across the operating systems was striking – 18 vulnerabilities affect the Linux operating system platform, ten of which are classified as security-critical and have already been patched. The effects on Windows and MacOS ranged from a system freeze to a reboot to a crash (Blue Screen of Death).

Fuzzing: Creative bug hunting

The USB vulnerabilities were discovered by fuzzing. Data is transferred to the interface via a simulated USB device according to the principle of random input. In the test routines, random and invalid inputs are deliberately generated to check the behavior of the underlying driver software. Already in 2017, a Google researcher discovered 79 bugs in USB drivers using fuzzing.

These observations suggest that various security problems can occur via a direct physical connection. A concrete example of this is the security gap discovered in 2019 in the popular Logitech Presenters, when the USB Found Adapter allowed unauthorized input for attackers. In this case only the hardware replacement of the USB dongle helped.

Precautions and protection

One essential point to get the all-clear: In order to exploit these weak points, a physical connection must be available. The most important tip: Do not connect unknown USB accessories to your system! This applies especially to USB input devices from unknown sources, such as found USB sticks or other USB input devices. Public USB charging stations, for example for smartphones, also carry risks.

In addition to updates of the operating system, please also pay attention to updates of your accessories.[1] Serious manufacturers offer software and hardware updates even after purchase, which is well worth the additional costs compared to “no-name” products.

 

[3] https://www.us-cert.gov/ncas/tips/ST08-001

HarfangLab Guard
MITRE ATT&CK Framework
v.l.n.r.: Joe Pichlmayr (CEO IKARUS) – Anouck Teiller (CSO HarfangLab) –Alexander van der Bellen (Bundespräsident Österreich) - Frédéric Joureau (Erster Botschaftsrat der französischen Botschaft in Wien) – Christian Fritz (COO IKARUS)
EDR
Cyber Kill Chain
Business Email Compromise
Prognosen für die zehn größten Cybersecurity-Bedrohungen für 2030
E-Mail Verschlüsselung
Schritt für Schritt zum Notfallplan für IT-Security-Incidents
Account Management
Bedrohung
Indicators of Attack
Gefahren durch vertrauenswürdige Services
Threat Intelligence
SQL Injection
SMTP Smuggling

WE ARE LOOKING FORWARD TO HEARING FROM YOU!

IKARUS Security Software GmbH Blechturmgasse 11
1050 Vienna

Phone: +43 1 58995-0
Sales Hotline:
+43 1 58995-500
sales@ikarus.at

SUPPORT HOTLINE

Support hotline:
+43 1 58995-400
support@ikarus.at

Support hours:
Mon – Thu: 8am – 5pm
Fri: 8am – 3pm
24/7 support by arrangement

Remote maintenance software:
AnyDesk Download