Archive for the 'USB' Category

Karsten Nohl Interview

Monday, August 31st, 2015

Atlas Obscura has an article about Karsten Nohl (PhD 2009):
Exit Interview: I’m A Crypto-Specialist Working To Secure the Internet For A Billion People, Jeremy Berke, 28 July 2015.

One of the things we’re building is a PayPal competitor–with a modest target of having a few hundred million customers. Everything in India is always on a massive scale. If you could get rid of PayPal passwords, and instead just have a fingerprint–if you could pay for goods at a store with just your fingerprint, that would simplify people’s lives a lot. It would also have the secondary effect of saving some of the security problems, like phishing, that we currently encounter. And this government database is a huge enabler.

If we already have a mandate to collect everybody’s fingerprints, why not use it in the customer’s benefit? The privacy risk is always there. That’s the law and I can’t argue with that. But if the law is already creating this risk, why not create opportunity in the same step?

Updates from Karsten’s BadUSB

Tuesday, November 18th, 2014

Karsten Nohl’s research on USB security is covered in The Good News and Bad News About USB Security — Only half have an unpatchable flaw, but we don’t know which half, Wired and Slate Magazine, 12 Nov 2014:

Nohl’s BadUSB attack, which he revealed at the Black Hat security conference in August, takes advantage of the fact that a USB controller chip’s firmware can be reprogrammed. That means a thumb drive’s controller chip itself, rather than the Flash storage on that memory stick, can be infected with malware that invisibly spreads to computers, corrupts files stored on the drive, or quietly begins impersonating a USB keyboard to type commands on the victim’s machine.



Nohl says that means combatting BadUSB will require device-makers to clearly label the chips their products use. “You’d never get away with this in a laptop. People would go crazy if they bought a computer and it wasn’t the chip they saw in the review they read,” he says. “It’s just these USB devices that come as black boxes.”

For the technical details, see https://opensource.srlabs.de/projects/badusb.