5

A major telecommunications device manufacturer ships its USB modem with helper software and drivers so that the user can connect to the internet and send/receive SMS.

Since recent versions of Windows no longer execute autorun.inf files automatically, they have included a component with the driver that executes autorun.inf files automatically from similar devices; autorun.inf files from USB drives do not seem to get executed by the driver. (I assume that it checks the device ID before executing the autorun.inf file.)

Are there any risks associated with such a driver component?

  • If you believe the file has actually been validated by the ISP, then you're *most likely* worrying for nothing. This is probably the least risky software you would normally install. – Julie Pelletier Oct 07 '16 at 07:22
  • 3
    @JulliePelletier: the ISP probably can be trusted enough not to do anything deliberately malicious. However, I think the OP question here is whether malicious malware author can take advantage of this behavior to spread some security issue. – Lie Ryan Dec 06 '16 at 12:35
  • 1
    @JuliePelletier ISPs (especially the scammers... err I mean mobile carriers) are probably the worst in terms of security. They have zero decent competition (due to the barrier of entry being so high), their only priority is money and if an insecure autorun re-implementation means less support calls they'll do it in a second, even though it is a huge security disaster. – André Borie Jan 05 '17 at 12:48

3 Answers3

1

Autorun used to be enabled by default in Windows XP, and would execute any file referenced by autorun.inf when a storage drive is plugged in. It used to be really easy to execute malware from an USB drive, just reference it in the autorun file and let Windows do the rest.

It was disabled in Windows Vista and later for obvious reasons, and yet this software reimplements its functionality, most likely as a cheap workaround so they don't have to print an information leaflet telling users to run the software manually.

Checking USB IDs is not sufficient as a rogue device can enumerate as any device, including the original modem's, and yet present a rogue file. Checking for a signature is risky as well, as you don't know how well the associated private key is protected (I wouldn't entrust anyone thinking this software is a good idea with a private key). There may also be vulnerabilities in the code that checks the device itself.

Finally we don't know how this is implemented. If this run as a service under the system user, then this would not only run potentially untrusted code from USBs but also run it as SYSTEM. Worse, this could be implemented as a device driver which means malicious code could be run with even higher privileges.

This device is a bad idea altogether - throw it in the bin and get a mobile<->Wi-FI bridge, those don't require any shady drivers and appear just like any untrusted host on the network, something you can defend against with a firewall.

André Borie
  • 12,826
  • 3
  • 42
  • 76
1

Of course: Knowing this, attacker could build fake usb devices with same ID for making autorun able to run his malware...

F. Hauri - Give Up GitHub
  • 4,266
  • 2
  • 22
  • 34
0

Best practice is to disable it completely. but it cannot be said anything about it, unless you try to analyze what is it doing in the background. you can install a utility called Process Explorer, and analyze specific process, open it file handles and network connection to analyze what is it doing(if you want to do analysis on your own)

Hamza Islam
  • 204
  • 1
  • 9