| ▲ | Ask HN: How concerned should we be about USB security? |
| 2 points by turkishdelight 12 hours ago | 10 comments |
| I had an ISP tech come by and set up service at my house, and I needed to access my router over Ethernet. My laptop doesn't have an Ethernet port, so I borrowed his Ethernet/USB dongle, I got everything set up and called it a day. But I've started getting a little concerned about using this untrusted dongle on my laptop, especially from a internet service tech who may or may not be plugging his dongle into all manner of devices around town. How concerned should I be about this? Should I trash my laptop and any accessories I've plugged into it since? This device is my central point of failure, I log into my banking accounts, admin accounts, it's my journaling medium -- you get the idea. |
|
| ▲ | pwg 12 hours ago | parent | next [-] |
| Unless you are being targeted as a North Korean spy by the likes of the NSA, that dongle is likely nothing more than an ethernet to USB translator chip with nothing nefarious going on anywhere. > Should I trash my laptop and any accessories I've plugged into it since? Only likely to empty your bank-account of the funds necessary for new items. |
| |
| ▲ | turkishdelight 12 hours ago | parent [-] | | I guess I'm primarily concerned with compromised firmware, not a special-made device. I'm not sure how realistic of a concern that is. Not that I'm a very interesting target, but I'd rather not have all my devices infected with malicious firmware. I figure that something like that would likely have state-level backing, and something that sophisticated could very easily get baked into brand new hardware at the fab without anybody knowing. | | |
| ▲ | Bender 12 hours ago | parent | next [-] | | People can speculate all day but unless you are doing hardware level diagnostics there is no way to put your mind at ease. For charging devices one can either buy "USB condoms" or just make on by cutting every wire except those used for power. It also would not hurt to check if your BIOS has options related to disabling updates to the BIOS via USB/UEFI, just don't forget you did that if the option exists. For your case of USB to Ethernet data is required so the only other way beyond hardware diagnostics and dumping firmware is to do extensive background checks on everyone working for your ISP, FTE's, contractors, executives and all the board members. Doing that without their knowledge is very expensive not to mention does not cover all the people in the shipping logistics path. Consumer hardware rarely has a full chain of custody with attestation. There may be some fringe cases where a USB hub may help mitigate some threats such as over-voltage. Realistically at some point one has to either trust the device or avoid technology all together. There are communities of people that avoid technology so for what it's worth you would not be alone if pursuing that route. If the concerns are related to organizations or governments snooping Microsoft Windows Recall, MacOS mediaanalysisd have negated the need for hardware snooping like the good ol' days of KeyGhost. One tiny update could in theory upload AI summaries. Incremental updates tend to stay out of the news. | |
| ▲ | pwg 12 hours ago | parent | prev [-] | | An ethernet<->usb dongle that an ISP tech support guy is likely to have is more likely going to be a single purpose translator without upgradable firmware (because this makes it the cheapest possible, and these types of devices rapidly fall to the "cheapest possible" price point). You also did not say what OS you are running on your laptop. If it is any later version of MS Windows, then you have infinitely more to worry about from Microsoft OS level spyware/malware/adware provided in a future Microsoft OS update than from a USB<->Ethernet dongle a random ISP tech. guy happened to have. > that sophisticated could very easily get baked into brand new hardware at the fab without anybody knowing. While possible, this is unlikely baked into /every/ device. It would more likely be a /special run/ at the request of Spy agency X and targeted for a specific shipment to a particular target. If for no other reason than the fab is going to want to be paid extra for the /special service/ provided. | | |
| ▲ | turkishdelight 11 hours ago | parent [-] | | He had an Anker dongle IIRC (and I run Debian or Arch, depending). I think the BadBIOS episode infected me with that security researcher's (apparent) paranoia. | | |
| ▲ | pwg 11 hours ago | parent [-] | | Then you are most likely (as in 99.99% likely) simply being paranoid for nothing. |
|
|
|
|
|
| ▲ | JohnFen 12 hours ago | parent | prev | next [-] |
| It's good practice to avoid plugging anything you don't trust into a USB port (whether it's a memory stick or not -- even just a plain cable presents a potential risk). But in your case, I agree with slater. You're probably fine, but maybe do a scan of your machine and keep an eye on things for a while. |
|
| ▲ | austin-cheney 12 hours ago | parent | prev | next [-] |
| Extremely concerned. The military has outlawed USB storage devices for over 20 years. Personally I still use USB storage devices in limited contexts, like a source of music in my car or for installing a new OS. |
| |
| ▲ | bediger4000 12 hours ago | parent [-] | | The DoD is more interested in keeping data from leaking than keeping malware out. DoD has air gapped networks to prevent leaks mostly. |
|
|
| ▲ | slater 12 hours ago | parent | prev [-] |
| I'd say keep an eye on your network traffic, but no need to trash your laptop just yet. |
