USB Drives a Security Risk

Friday, March 15, 2013 @ 02:03 PM gHale


The driver software Huawei ships with its 3G/4G USB sticks has "potential attack vector" written all over it, a researcher said.

The various components – drivers, configuration software, update mechanisms – are all of insufficient quality, said Russian security researcher Nikita Tarakanov during a presentation at the Black Hat Europe conference this week.

The Huawei software installs an application and driver auto-update component on every computer, Tarakanov said. The researcher said the service in question will contact a server in the Netherlands and query it for updates every 15 minutes. Apparently, the web server is still running on Microsoft’s outdated Internet Information Server (IIS) version 6.0, which is part of Windows Server 2003. Tarakanov pointed out that whoever hacked that machine could infect millions of computers worldwide with malicious software.

After the presentation, three Huawei representatives, who were unaware of the issue, told heise Security in a published report they had assumed the update server’s security was adequate.

One more issue with the update component is that the relevant service contains a vulnerability that makes it easy for potential attackers to escalate their privileges under Windows, Tarakanov said. Whether the service is vulnerable to remote attacks remains unclear. Another problem cropped up courtesy of iOS and PHP expert Stefan Esser just before the presentation: installing the update component (ouc.app) gives unrestricted write access to the /usr/local directory under Mac OS X, which potentially allows malware to inject itself into the system directory. His discovery became a last-minute addition to the presentation.
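A defender can check a machine for the /usr/local condition described above with a short audit. The following Python script is an added example, not code from the presentation, Huawei or the original report; the function names and the constructed sample tree are assumptions for illustration.

```python
import os
import stat
import sys

def audit_world_writable(root):
    """Return sorted (path, octal_mode, note) for entries under root that any local user can modify."""
    findings = []
    # os.walk does not descend into symlinked directories by default.
    for dirpath, dirnames, filenames in os.walk(root):
        candidates = [dirpath] if dirpath == root else []
        candidates += [os.path.join(dirpath, n) for n in dirnames + filenames]
        for path in candidates:
            try:
                st = os.lstat(path)
            except OSError:
                continue  # entry vanished or is unreadable; skip it
            if stat.S_ISLNK(st.st_mode) or not st.st_mode & stat.S_IWOTH:
                continue  # symlink mode bits carry no meaning; others-write bit not set
            if stat.S_ISDIR(st.st_mode):
                if st.st_mode & stat.S_ISVTX:
                    note = "world-writable directory, sticky bit set: anyone can add entries"
                else:
                    note = "world-writable directory: anyone can add, replace or delete entries"
            else:
                note = "world-writable file: anyone can overwrite its contents"
            findings.append((path, oct(stat.S_IMODE(st.st_mode)), note))
    return sorted(findings)

def build_sample_tree(base):
    """Constructed stand-in for /usr/local so the audit can be tried without touching a real system."""
    root = os.path.join(base, "usr_local")
    os.makedirs(os.path.join(root, "bin"))
    os.makedirs(os.path.join(root, "share"))
    tool = os.path.join(root, "bin", "tool")
    with open(tool, "w") as fh:
        fh.write("#!/bin/sh\n")
    os.chmod(tool, 0o755)
    os.chmod(os.path.join(root, "bin"), 0o755)
    os.chmod(os.path.join(root, "share"), 0o1777)  # sticky, like /tmp
    os.chmod(root, 0o777)                          # the reported misconfiguration
    return root

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "/usr/local"
    results = audit_world_writable(target)
    for path, mode, note in results:
        print(f"{mode:>7}  {path}  ({note})")
    sys.exit(1 if results else 0)
```

Run with no arguments it audits /usr/local and exits non-zero if anything is writable by all users, which makes it usable as a periodic compliance check.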

The Huawei representatives told heise Security their company would work to provide updates to solve the disclosed problems as soon as possible. They also said they didn’t know how long this would take or how the new software versions would reach customers.
