26 Software Bugs in USB Devices

2. July, 2020

Computer mouses, keyboards, USB sticks and hubs, power banks, chargers – the USB interfaces of computers and smartphones are in great demand. The risks that USB accessories can involve are rarely questioned. However, the USB interface is very susceptible to misuse due to its flexibility. From a technical point of view, it is relatively easy to simulate USB input devices, to load USB sticks with malicious software or to eavesdrop on input via manipulated devices and interfaces. Even systems that are well protected per se can thus be infected and manipulated.

Hardware and software problems possible

Not only the hardware, but also the software of the various USB devices can cause problems. Security researchers recently found 26 new software bugs in USB driver stacks. The distribution of the bugs across the operating systems was striking – 18 vulnerabilities affect the Linux operating system platform, ten of which are classified as security-critical and have already been patched. The effects on Windows and MacOS ranged from a system freeze to a reboot to a crash (Blue Screen of Death).

Fuzzing: Creative bug hunting

The USB vulnerabilities were discovered by fuzzing. Data is transferred to the interface via a simulated USB device according to the principle of random input. In the test routines, random and invalid inputs are deliberately generated to check the behavior of the underlying driver software. Already in 2017, a Google researcher discovered 79 bugs in USB drivers using fuzzing.

These observations suggest that various security problems can occur via a direct physical connection. A concrete example of this is the security gap discovered in 2019 in the popular Logitech Presenters, when the USB Found Adapter allowed unauthorized input for attackers. In this case only the hardware replacement of the USB dongle helped.

Precautions and protection

One essential point to get the all-clear: In order to exploit these weak points, a physical connection must be available. The most important tip: Do not connect unknown USB accessories to your system! This applies especially to USB input devices from unknown sources, such as found USB sticks or other USB input devices. Public USB charging stations, for example for smartphones, also carry risks.

In addition to updates of the operating system, please also pay attention to updates of your accessories.[1] Serious manufacturers offer software and hardware updates even after purchase, which is well worth the additional costs compared to “no-name” products.

 

[3] https://www.us-cert.gov/ncas/tips/ST08-001

Christian Fritz - Loipersdorf 2021
top 3 security vulnerabilities
Nozomi-Dashboard_BlackMatters
IBM
save remote
Cyber Versicherungen
Defense in Depth
private
Qlocker 01

Ransomware Qlocker: How to restore your data (for the most part)

Two Austrian security experts analyzed the method the hackers used and found out, that they made a mistake.
Fax
Beat The Best
malicious-code

WE ARE LOOKING FORWARD TO HEARING FROM YOU!

IKARUS Security Software GmbH Blechturmgasse 11
1050 Vienna

Phone: +43 (0) 1 58995-0
Sales Hotline:
+43 (0) 1 58995-500

SUPPORT HOTLINE

Support hotline:
+43 (0) 1 58995-400

Support hours:
Mon – Thu: 8am – 5pm
Fri: 8am – 3pm

Remote maintenance software:
AnyDesk Download