Bitdefender Researcher Demonstrates USB Stick That Can BSOD Any Windows 10 Device Even If Locked
What makes this exploit so intriguing is that Tivadar's proof-of-concept showed that he could force a BSOD even if the Windows machine was locked. Tivadar writes, "One can generate [a BSOD] using a handcrafted NTFS image. This Denial of Service type of attack can be driven from user mode, limited user account or Administrator."
He was able to verify his findings using Windows 7 Enterprise, Windows 10 Pro and Windows 10 Enterprise. The attack is possible because Auto-Play is enabled by default, which causes the operating system to automatically access the USB thumb drive and process the handcrafted NTFS image it carries. However, even disabling Auto-Play won't completely save you from a BSOD, according to Tivadar.
Any program that attempts to access the USB thumb drive (for example, an automatic system scan by Windows Defender) would trigger a BSOD. This could be a particularly nasty way of messing with a friend or coworker by plugging a USB thumb drive into the back of their desktop without them knowing. Or imagine a scenario where you're engaged in a high-profile gaming tournament and someone decides to "take you out" with a BSOD. As you might imagine, other more nefarious attacks could be carried out through this method as well. Scenarios where people lose valuable work are obvious. However, if this vulnerability finds its way to server-level operating systems (which has not yet been demonstrated), an entire infrastructure could theoretically be brought down.
Tivadar is especially troubled that this can occur with a locked machine. "I strongly believe that this behavior should be changed; no USB stick/volume should be mounted when the system is locked. If this kind of crash was exploitable, and [the] attacker could load malware even if the system is locked, this could open thousands of possible scenarios."
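The two mitigation points raised above, disabling Auto-Play and keeping USB volumes from being mounted automatically, map onto a handful of Windows policy settings. The script below is an added example written for this article, not code from Tivadar's research or from Microsoft; it audits those settings and, with -Apply, sets them. The registry paths are the documented Windows policy locations for AutoRun/AutoPlay and for the USBSTOR service; the assumption is that it runs in an elevated PowerShell session on the machine being checked.

```powershell
# Added example (not from the article or Tivadar's research): audit and
# optionally harden the settings most relevant to the two mitigations named
# in the article. Run from an elevated PowerShell session.
#   .\Check-UsbAutoPlay.ps1          -> audit only
#   .\Check-UsbAutoPlay.ps1 -Apply   -> audit, then set any weak value
param([switch]$Apply)

# Each entry: a human-readable description, the registry path, the value name,
# and the hardened value a defender expects to find there.
$checks = @(
    @{ Name     = 'AutoRun disabled for all drive types (NoDriveTypeAutoRun = 0xFF)'
       Path     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Value    = 'NoDriveTypeAutoRun'
       Expected = 0xFF },
    @{ Name     = 'autorun.inf ignored (NoAutorun = 1)'
       Path     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Value    = 'NoAutorun'
       Expected = 1 },
    @{ Name     = 'AutoPlay disabled for the current user (DisableAutoplay = 1)'
       Path     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers'
       Value    = 'DisableAutoplay'
       Expected = 1 },
    # The closest built-in control to "no USB volume mounted": the USB
    # mass-storage driver is not started for newly attached devices.
    @{ Name     = 'USB mass-storage driver disabled (USBSTOR Start = 4)'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
       Value    = 'Start'
       Expected = 4 }
)

# Returns the DWORD stored at Path\Name, or $null when the key or value is absent.
function Get-RegValue($Path, $Name) {
    try   { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

foreach ($c in $checks) {
    $current = Get-RegValue $c.Path $c.Value
    $ok      = ($current -eq $c.Expected)
    $state   = if ($ok) { 'OK  ' } else { 'WEAK' }
    $shown   = if ($null -eq $current) { 'not set' } else { $current }
    Write-Output ('[{0}] {1} (current: {2})' -f $state, $c.Name, $shown)

    if (-not $ok -and $Apply) {
        # Policy keys may not exist yet on an unmanaged machine; create them.
        if (-not (Test-Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
        Set-ItemProperty -Path $c.Path -Name $c.Value -Value $c.Expected -Type DWord
        Write-Output ('       -> set {0}\{1} = {2}' -f $c.Path, $c.Value, $c.Expected)
    }
}
```

Two caveats follow directly from the article. The AutoPlay settings only remove the automatic trigger; as Tivadar notes, any later access to the volume (a Defender scan, a user opening Explorer) can still hit the malformed image, so the USBSTOR check is the layer that actually keeps the volume from being mounted. That setting is blunt: it blocks every USB mass-storage device, affects only devices attached after the change, and is normally delivered through Group Policy rather than a local script, which is why the audit-only mode is the default here.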
So, what was Microsoft's response to Tivadar's findings? Much ado about nothing according to the boys and gals in Redmond. "Hey Marius, your report requires either physical access or social engineering, and as such, does not meet the bar for servicing down-level (issuing a security patch)," a Microsoft security researcher wrote back to Tivadar after his initial disclosure last year. "Your attempt to responsibly disclose a potential security issue is appreciated and we hope you continue to do so."
Tivadar has quietly sat by for nearly a year following his initial contact with Microsoft and apparently still isn't content with the inaction on the issue; hence his recent posting of documentation [PDF], sample videos and the NTFS image file to GitHub.
What say you, HotHardware readers? Do you think that Tivadar is right to be concerned about the potential for abuse with USB thumb drives, or do you side with Microsoft in that if someone has physical access to your computer, you've already lost?