Last year there were a number of announcements about how some usb firmware could be hijacked and no way for a user to really know if it was secure or not.
Given that, is there any way to be really confident that gnubby is very very secure?
I am not implying that the firmware inside the gnubby can necessarily be over-written or that gnubby is insecure. I’m asking whether there is any way a user can have more confidence in gnubby than just assuming it must be ok.
If the boat has several holes in it, the boat is eventually going to sink. But in this case it is more like the boat might have some holes in it, so it might be safe but it might not (because of holes or something else – an electric storm for example?). As long as there is no way to tell if the device is compromised, there is nothing but hope. Typically security is a many layered concept which does allow for some peace of mind (in that even if one layer is breached you still have some defences for the time being). The problem here is: if the device is compromised you should assume nothing is safe (this goes for malware on your computer, too). Whether it is completely compromised or not is another matter but even if it isn’t it could be (assume the worst).
I know that isn’t any real comfort but that is the unfortunate reality of it: if it is impossible to detect then you can never be 100% sure it hasn’t been compromised; you may very well be fine but if you cannot detect it you cannot detect it. You should always be careful though and that – combined with following safe computer practises – is your best defence here.
Your risk would depend on where you obtained the USB key, who loaded it and whether they can be trusted, who wrote the software and whether they can be trusted, and maybe most of all your value as a target.
USB keys, disk and solid state storage, and other computer components have contained microcontrollers or microprocessors for some time, and more than a few of them can be updated – either to correct errors or to enable them for use to find secrets. Such malware is difficult to detect and protect against. To be sure, the computer should be restricted to an older Pentium processor, floppy disk drives, no Ethernet card, pre-IDE hard disks and no USB. For extra security, it can be operated in an electromagnetically shielded room on battery power.
Modifying the firmware in such devices is not trivial, and getting them into a mass distribution chain would be difficult. The most likely user would be an intelligence agency such as the US CIA or Russian FSB, who might go the substantial effort and expense of developing the malicious firmware, installing it on removable devices, and delivering it to specific high value targets. The second most likely might be a well heeled criminal organization aiming to plant such devices to tap into the banking or financial system. Another alternative would be that someone with access to a device (think microcomputer here) maker’s manufacturing process could plant malware in large numbers of devices before they are released to the distribution chain. Devices containing the malware might be used to collect individual personal information that could be used for blackmail or theft. This is much less likely than the first two because both the probability of successful placement and the expected gain from that are low.
The shorter answer is that you should be concerned if any nation-state’s intelligence or security service is really interested in you, or if your net worth is very high and your assets are potentially accessible through your computers. In any case, it would be unwise to accept a USB or similar device from an untrusted source or use a “found” device. US Department of Defense rules generally restrict use of USB devices with government owned or operated equipment.
Please login first to submit.