As the common saying goes, “all networked computers are vulnerable to exploits, but some networked computers are more vulnerable than others”. While not the exact wording from Animal Farm, the saying does have plenty of merit nonetheless. Sure, there are some viruses and issues with Linux distributions but by far most of the exploits target Windows, if only because more people use it daily than any other operating system. The latest Windows 10 exploit, discovered by [jonhat], is almost comically easy too, and involves little more than plugging in a mouse.
While slightly comforting in that an attacker would need physical access to the device rather than simple network access, it is very concerning how simple this attack is otherwise. Apparently plugging in a Razer mouse automatically launches Windows Update, which installs a driver for the mouse. The installation is run with admin privileges, and a Power Shell can be opened by the user simply by pressing Shift and right-clicking the mouse. While [jonhat] originally tried to let the company know, they weren’t responsive until he made the exploit public on Twitter, and are now apparently working on solving the issue.
Others have confirmed the exploit does in fact work, so hopefully there is a patch released soon that solves the issue. In the meantime, we recommend not allowing strangers to plug any devices into your personal computers as a general rule, or plugging in anything where its origins are unknown. Also remember that some attacks don’t required physical or network access at all, like this one which remotely sniffs keystrokes from a wireless keyboard with less than stellar security, also coincidentally built by Microsoft.
Just over a year ago, FTDI, manufacturers of the most popular USB to serial conversion chip on the market, released an update to their drivers that bricked FTDI clones. Copies of FTDI chips abound in the world of cheap consumer electronics, and if you’ve bought an Arduino for $3 from a random online seller from China, you probably have one of these fake chips somewhere in your personal stash of electronics.
After a year, we have the latest update to FTDI gate. Instead of bricking fake chips, the latest FTDI drivers will inject garbage data into a circuit. Connecting a fake FTDI serial chip to a computer running the latest Windows driver will output “NON GENUINE DEVICE FOUND!”, an undocumented functionality that may break some products.
FTDI gate mk. 1 merely bricked fake and clone chips, rendering them inoperable. Because fakes and clones of these chips are extremely common in the supply chain, and because it’s very difficult to both tell them apart and ensure you’re getting genuine chips, this driver update had the possibility to break any device using one of these chips. Cooler heads eventually prevailed, FTDI backed down from their ‘intentional bricking’ stance, and Microsoft removed the driver responsible with a Windows update. Still, the potential for medical and industrial devices to fail because of a random driver update was very real.
The newest functionality to the FTDI driver released through a Windows update merely injects unwanted but predictable data into the serial stream. Having a device spit out “NON GENUINE DEVICE FOUND!” won’t necessarily break a device, but it is an undocumented feature that could cause some devices to behave oddly. Because no one really knows if they have genuine FTDI chips or not – this undocumented feature could cause problems in everything from industrial equipment to medical devices, and of course in Arduinos whose only purpose is to blink a LED.
Right now, the only option to avoid this undocumented feature is to either use Linux or turn off Windows Update. Since the latter isn’t really a great idea, be prepared constantly roll back the FTDI driver to a known good version.