USB + μC = Peril?

You hear about people finding USB drives and popping them into a computer to see what’s on them, only to end up loading some sort of malware onto their computer. It got me to thinking, given this notorious vulnerability, is it really a great idea to make electronics projects that plug into a computer’s USB port? Should I really contribute to the capitulation-by-ubiquity that USB has become?

A of couple years ago I was working on an innocuous project, a LED status light running off of USB. It ran off USB because I had more complicated hopes for it–some vague notion about some kind of notification thing and also it was cool to have access to 5 V right from the ‘puter. This was about the time that those little RGB LEDs connected to USB were all the rage, like blink(1), which raised $130,000 on Kickstarter. I just wanted to make a status light of some sort and had the parts, so I made it.

My version was a small rectangular PCB from OSHPark packing a Tiny85, with a 10 mm RGB LED providing pretty much all of the functionality — no spare pins broken out. Honestly, for the amount of code on it, even the Tiny85 was overpowered. I recall thinking at the time, could my creation be misused for evil? Could some wicked programmer include malware alongside my LED-lighting Arduino sketch?

It’s absurd, of course. My meager engineering skills ought not interest anyone. On the other hand, couldn’t some heartless poltroon, the hardware equivalent of a script kiddie, make my creation into a malware-spewing Typhoid Mary of a project? It has always been the realistic consequence of building anything–that it could be misused. I’d be thrilled to the point of giddiness if someone remade one of my projects into something cool, but I’d really hate for a USB light I designed to turn into some vector into someone’s computer. But how much of that is my responsibility?

If you think I’m the only one who thinks this, go to SparkFun or Adafruit and count all of the boards with microcontrollers and USB A male plugs. Even the tiny boards like the Huzzah and Gemma use USB cables, rather than plugging directly into the computer. Granted, they are microcontrollers that realistically would be connected to a project and it might not be possible to physically move them into position and plug them in. Also requiring a charging cable does not in any way make a microcontroller board work any differently than one plugged right into the computer. I’m left wondering if I’m spazzing out over nothing, and there’s nothing we can do about our tendency to treat any electronic gizmo with a shiny case as being safe to plug into the same computer we use to pay bills.

If there is no data transfer taking place, and I’m just getting power, wouldn’t it be enough to disable (or not connect) the data pins of the USB on the circuit board? Or maybe we really have no business connecting a data connection to a microcontroller if we’re not reflashing the chip with fresh code–think I’m paranoid? Maybe you should just get power from a wall wart and leave the USB cord in the drawer. It’s one thing to urge our friends and family to steer clear of mystery plugs, but as engineers and tinkerers, do we not owe the community the benefit of our knowledge?

Of course, Hackaday contains numerous examples of USB projects, including canary for USB ports, tips on protecting your ports with two microcontrollers, a guide to stopping rubber ducky attacks, and removing security issues from untrusted USB connections. Also, has anyone used the USB condom?

Friends, let me know your thoughts on the subject. Am I a freak to steer clear of USB-powered project like my dumb LED? Leave your comments and weigh in with your opinions.

56 thoughts on “USB + μC = Peril?

    1. Yeah, this is silly. It’s perfectly safe to plug your own programmed mc into your own USB port. If you find one on the street somewhere, don’t go jamming it into your holes. Let in unknown data, you take an unknown risk. Simple as that.

      Also I really don’t see the relevance of whether the usb port is male of female like it mentions in the article. Using a cable instead of plugging it in directly provides no security benefit whatsoever. What is this?

  1. Malware infection via USB device is not a design flaw with USB but rather a design flaw with the OS behavior. Automatically executing binaries from a remote source is a foolish default behavior. I would go so far as to claim that automatically mounting an unrecognized device is foolish behavior. The first time it sees a mass storage device with a new serial number, it should ask if you want to mount it (yes/no/alway). USB isn’t perfect but it is pretty good for a lot of things. Windows is good and it’s bad at a lot of things including security.

    1. “The first time it sees a mass storage device with a new serial number, it should ask if you want to mount it (yes/no/alway).”

      A malicious device might also appear as a HID (using an emulated hub) that responds that, yes, you would like to mount the new volume, thanks.

  2. 1) If it ain’t yours don’t plug it in to your computer.
    2) Lock down how your computer handles new devices plugged in to your computer
    3) You don’t have to just worry about malware, you also have to worry about malicious hardware designed to burn out your computer in which case see point #1

    1. A recent thought process I went through:

      – This build takes a lot of space, why not dump it on a thumb drive?
      – ./configu- huh? Operation not permitted?
      – Oh, fstab mounted it without execute permissions by default. That’s annoying. Now I have to manually mount it and I can’t let it go to sleep or anything while building.
      – Hey, I should just make fstab automatically mount USB drives with exec-
      – Oh, right. Shit.

        1. A gpg-signed copy of the volume serial # would be more secure, that way it’s not a simple file that can be copied to any drive without thought. An attacker could still work it out, but they’d need to know they’re attacking you specifically. You could probably extend it a little by using usb manu+device ID as well as the volume serial #.

          You’d generate the files with a simple script that would use your own gpg key to generate the file and write it to the usb device specified.

          I don’t know enough about mount offhand to know if you can embed a ‘run after mounting’ script to do the verification, if not you might be able to hook something on inotify to do the job.

      1. If the author was serious he would not be on the internet since the risk of that is actually real.
        But wait, maybe he mails in his articles on USB sticks.
        But then again, even at home away from USB and the internet there is still the risk of stepping on a piece of Lego.

  3. I worked at a company in the early 2ks, and the CTO fired off a scathing email saying nobody should use serial or usb for anything… it’s all outdated. Everything should be Ethernet! Which makes sense at least on the security front. Maybe wifi would be the today’s equivalent of the same argument.

        1. It’s so crazy, it just might work!

          But, in retrospect, you still are plugging a black box of harware into your computer regardless of how you do it, it reminds me of the days of the floppy when viruses spread from computer to computer via MBR on the disk.

  4. I’ve used the “USB condoms”, but with modern charging using the D+ and D- voltages to determine fast v. slow, you are only get the minimal if you leave them detached. They could be filtered for power state only (zeners, LC).

    It is also reasonable to do a DC-DC converter to boost the 4.8v at the end of the long wire back to 5v isolating it at the same time. The data lines would be more tricky, especially if they are high-speed. There are isolators (I even have one old wireless USB hub).

  5. Any hacker who wants to do harm through a USB port doesn’t need your board to do it. Arduino-type microcomputers in a USB stick form factor (complete with thumbdrive-like plastic cases) are already out there in mass production, with better capabilities than your device. Yes, you’re being a freak. Shut up now.

  6. What does the actual cable have to do with anything? Exactly why would plugging a board with a USB-A connector directly into a port be any safer than a board connected trough a USB mini or micro cable?

    Why would you only connect a microcontroller to a PC when reflashing code? Has it occurred to you that some devices actually use the data connection for other things? Some devices act as human interface devices, or storage, and there are a million other reasons to use USB other than flashing your shiny Arduino.

    If you really want to make sure a device can only get power, either plug it into a USB charging adapter, or make a trivially easy board with a USB-A plug and socket, with only the power pins connected.

    1. I’m trying not to hate, but what did you use to design that board? MS Paint?!? It’s got to be the crappiest design I’ve seen in a while. Weird angles (especially the close-to-horizontal bugs me), inconsistent trace widths, insufficient clearance, a single useless via, acid traps all over the place, and your decoupling capacitor seems to be missing. I didn’t even know they made through-hole USB connectors.

      1. They make through-hole USB connectors of the big A and B types, and semi-through-hole C (the surface-mount-only ones can’t be soldered by hand). A few through-hole mini and micro USB connectors are available too. Surely that’s not something you’re complaining about, though; if the rest of the board is THT why shouldn’t the USB connector be?

        1. I was merely surprised a the existence of through-hole USB connectors, considering there are very few through-hole USB compliant devices; a quick search turned up about 25 different microcontrollers, all from Microchip (I specifically searched for hardware USB interfaces; this board uses an ATTiny, with V-USB, I assume).

          There is nothing wrong with designing through-hole boards (for hobby purposes), my dislike of the board isn’t because of that, it’s because it was carelessly thrown together. I get that the designer was an absolute beginner, but it doesn’t take an expert to at least draw neatly.

          John is rightfully concerned about someone weaponizing his board; it can easily be used as a Denial-of-Service attack against actual engineers, and it doesn’t need to be connected to a PC for that.

  7. The reactions to this post are probably a bit undeserved. USB, as a standard, is fairly insecure. In almost all cases, devices that are plugged in are treated as secure, which obviously is an issue. Not that it would make much of a difference, because people are rather cavalier about what they plug into their computer or install on it. There are plenty of tutorials on how to install the drivers for a CH340G chip on a system, but almost no one also considers the potential security consequences of installing low level drivers from sources that may or may not be legit. Not to mention what dark secrets fake USB chips supposedly from other manufacturers may harbour.

    This is a widespread problem too. In office environments, people happily plug in phones to computers to charge them, creating potential issues both ways. Thumb drives are also shared without thought, and plugged into everything and anything without much thought.

  8. Everyone remember: building skills is an ongoing process.

    No one just starts out writing FUD for Business Insider. It takes years of training to work that close to the LD50 level of cognitive dissonance. Setting up a chain of weak arguments and specious reasoning, only to knock it all down like a row of dominos with a last-line equivalent of “it was all just a dream”, is a craft that has to be honed with practice.

    I admit to not understanding why anyone would want to hone that skill myself, but hey, this is a website dedicated to people who get excited about building a 4-bit CPU with discrete logic. Different tastes.. just sayin’.

    We all know that the Editorial Powers That Be at Hackaday want items that hit the blog page to be more ‘edgy’, or whatever word kids are using finger quotes around these days. We have Brian “the PC wars called.. uuh-gain.. to say you still haven’t returned that Apple-hate hardon you borrowed in 1992” Benchoff. There was the sad little “let’s hook electrodes to the corpse of the emacs -vs- vi flamewar and see if we can make it twitch” piece. We’ve seen the “X is the future” and “One True Foo” memes.

    Yes, that kind of thing is often clumsy, lacking in subtlety, and occasionally grating. But we have to remember that Hackaday will never achieve its true purpose of being the trailer-park training camp for tomorrow’s Business Insider tech pundits if we don’t allow them to practice today.

    1. Addendum, for clarity: the comments above are not directed toward the author of this piece, but toward the empty space where a Hackaday editor should have been. Private critique saves authors from public comments like those above.

  9. I don’t like this article. Connecting a microcontroller to a usb port is trivial. It can be used maliciously, but it is also the basis of billions of usb devices. Besides, some fancier flash drives can be reprogrammed to be malicious as well and they are a mass market product. Hell, even some SD cards support firmware updates. It is usually a 8051 core doing the wear levelling assisted by a dedicated hardware block for high speed io. The firmware is usually small and easy to reverse engineer. You can get the initial flash tool on many Chinese forums dedicated to electronics production. It should not be too difficult to make one that backdoors exes installed stored on it…

  10. What is this article about? What is atmega doing there? Whats that led for?
    Captain please explain? And for power supply dont bea noob get an lab grade benchtop power supplies to power your project or an externally powered usb hub for usb boards. Dont be a noob invest in proper tools

    1. Or one of those rechargeable USB battery packs, from the pound shop. Big Clive recommends. But he would, he’s a cheapskate.

      The LED is there to give off light, the Atmel chip is there to control what colours, and to take colour requests through USB. You have a program / driver on the PC, where you get to control the LED’s colour. That’s it.

      You can use it as a status / notification light, if you want one. That’s what it’s for, not a new idea by far. Some people find them useful I suppose.

      Actually a Bluetooth one would be good. You could use it with your phone then, and keep it somewhere visible to notify you what’s happening. And also use with your PC via a USB Bluetooth adaptor.

  11. I’m not trying to be mean, but this post is nothing more than meaningless fluff. It has no real content, just speculation about a topic the author clearly knows nothing about. There are many qualified writers at Hackaday that could intelligently discuss the topic of usb security, but a guy who may not have ever designed a circuit board before asking if his project is dangerous really doesn’t keep with the quality of posts I would expect from Hackaday.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s