Close
  • Latest News
  • Artificial Intelligence
  • Video
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Logo
Subscribe
Logo
  • Latest News
  • Artificial Intelligence
  • Video
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Subscribe
    Home Latest News

      Experts Warn of USB Risks

      Written by

      Paul F. Roberts
      Published July 25, 2005
      Share
      Facebook
      Twitter
      Linkedin

        eWEEK content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.

        Vulnerabilities in USB drivers for Microsoft Corp.s Windows could allow an attacker to take control of locked workstations by using a specially programmed USB device, according to an executive from SPI Dynamics Inc., a security vendor whose researchers discovered the security hole.

        The vulnerabilities that could let an attacker circumvent Windows security and gain administrative access to the machines are the latest examples of a growing danger posed by peripheral devices that use USB, FireWire and wireless networking connections, experts say. They also underscore the need for security administrators to look beyond the obvious for threats to their networks.

        The buffer overflow flaw is in device drivers that Windows loads whenever USB devices are inserted into computers running Windows 32-bit operating systems, including Windows XP and Windows 2000, said Caleb Sima, chief technology officer and founder of SPI, in Atlanta.

        SPI is still testing the hole and hasnt informed Microsoft, of Redmond, Wash., about the problem. The company will be demonstrating the vulnerability at this weeks Black Hat USA conference in Las Vegas, but it will not release details of the security hole, Sima said.

        The flaw lies within the USB protocol, not Windows, said David Dewey, a research engineer at SPI. Standards developed by USB Implementers Forum Inc., the nonprofit organization that governs USB, dont consider security, Dewey said.

        For example, an attacker who knows of a vulnerability in a USB device driver can program one USB device—such as a portable memory stick—to pose as the kind of device that uses the vulnerable driver and then plug the device into the host system and trigger the exploit when the host system loads the flawed driver, said Darrin Barrall, an SPI researcher.

        “Like many hardware drivers, USB drivers are written with very little data validation and security awareness. Theyre bare-bones drivers that focus on [speed],” Dewey said.

        Best of all for attackers, the device drivers run with system-level privileges, giving an attacker full control of the host system once the exploit has been triggered. SPI researchers tested their attacks on Windows systems, but any operating system that is USB-compliant is probably vulnerable, Dewey said.

        A spokesperson for Microsofts Security Response Center confirmed that the company has not received a vulnerability report from SPI. The company strongly encouraged researchers to contact the MSRC if they have a vulnerability to report.

        Researchers at Safend Ltd., of Tel Aviv, Israel, have discovered similar holes in USB and other protocols used by peripheral devices, said CEO Gil Sever, as he demonstrated a USB storage device programmed to automatically copy recently accessed files when inserted into a Windows PC.

        USB-usted!

        How many of these devices are connected to your LAN?

        • Apple Computer Inc. iPod With 20GB to 60GB drives on later models, iPods can easily be used to “slurp” data and files or to copy an entire disk image from corporate systems
        • PDAs and smart phones Bluetooth wireless connections can be used to transfer malicious code to laptops and desktops or to grab files, while built-in e-mail and instant messaging features provide an uncontrolled gateway to the rest of the Internet
        • Photo-smart printers With Ethernet and USB ports, these devices can be easily connected to corporate networks, but slots for a variety of portable media—such as memory sticks, CompactFlash and multimedia cards—could be used to introduce malicious code to a host system or network through the printer
        Paul F. Roberts
        Paul F. Roberts

        Get the Free Newsletter!

        Subscribe to Daily Tech Insider for top news, trends & analysis

        Get the Free Newsletter!

        Subscribe to Daily Tech Insider for top news, trends & analysis

        MOST POPULAR ARTICLES

        Artificial Intelligence

        9 Best AI 3D Generators You Need...

        Sam Rinko - June 25, 2024 0
        AI 3D Generators are powerful tools for many different industries. Discover the best AI 3D Generators, and learn which is best for your specific use case.
        Read more
        Cloud

        RingCentral Expands Its Collaboration Platform

        Zeus Kerravala - November 22, 2023 0
        RingCentral adds AI-enabled contact center and hybrid event products to its suite of collaboration services.
        Read more
        Artificial Intelligence

        8 Best AI Data Analytics Software &...

        Aminu Abdullahi - January 18, 2024 0
        Learn the top AI data analytics software to use. Compare AI data analytics solutions & features to make the best choice for your business.
        Read more
        Latest News

        Zeus Kerravala on Networking: Multicloud, 5G, and...

        James Maguire - December 16, 2022 0
        I spoke with Zeus Kerravala, industry analyst at ZK Research, about the rapid changes in enterprise networking, as tech advances and digital transformation prompt...
        Read more
        Video

        Datadog President Amit Agarwal on Trends in...

        James Maguire - November 11, 2022 0
        I spoke with Amit Agarwal, President of Datadog, about infrastructure observability, from current trends to key challenges to the future of this rapidly growing...
        Read more
        Logo

        eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

        Facebook
        Linkedin
        RSS
        Twitter
        Youtube

        Advertisers

        Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

        Advertise with Us

        Menu

        • About eWeek
        • Subscribe to our Newsletter
        • Latest News

        Our Brands

        • Privacy Policy
        • Terms
        • About
        • Contact
        • Advertise
        • Sitemap
        • California – Do Not Sell My Information

        Property of TechnologyAdvice.
        © 2024 TechnologyAdvice. All Rights Reserved

        Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.