Slashdot Mirror


New 'USG' Firewalls Protect USB Drives From Malicious Attacks (zdnet.com)

A developer has created the USG, "a small, portable hardware USB firewall...to prevent malicious USB sticks and devices laden with malware from infecting your computer." An anonymous reader quotes ZDNet: The problem is that most computers automatically trust every USB device that's plugged in, which means malicious code can run without warning... Cars, cash registers, and some ATMs also come with USB ports, all of which can be vulnerable to cyberattacks from a single USB stick. That's where the USG firewall comes in...a simple hardware serial link that only accepts a very few select number of safe commands, which prevents the device from executing system commands or intercepting network traffic. That means the data can flow from the USB device, but [it] effectively blocks other USB exploits.
The firmware has been open sourced, and the technical specifications have also been released online "to allow anyone to build their own from readily available development boards."

67 comments

  1. good thing is that you can stack them USG-USG-USB by kiviQr · · Score: 2

    Just in case first gets hacked you can stack them USG-USG-USG-USG-...-USB

  2. So what is it for? by NotInHere · · Score: 1

    Sorry, but couldn't get past all that sheep speak (aka dumbed down language). What exactly is that bridge for? Preventing badusb? Actually checking for malware files stored on the usb stick's filesystem? Preventing computers from flashing the usb stick's firmware to make attacks permanent?

    1. Re:So what is it for? by Anonymous Coward · · Score: 0

      All I heard from the summary is "Windows is a bad OS, buy our hardware to protect your computer".

    2. Re:So what is it for? by Swave+An+deBwoner · · Score: 1
      You'd have to read the wiki article at the first link four words into the slashdot summary, but yeah, that's what the developer says:

      https://github.com/robertfisk/USG/wiki

      The USG isolates BadUSB devices from your computer, while still passing through the data you need.

    3. Re:So what is it for? by gweihir · · Score: 1

      It is about preventing a USB stick from claiming to be something else, e.g. a keyboard or a network card. Not that that helps any if there is a malicious executable on the stick...

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    4. Re:So what is it for? by guruevi · · Score: 2

      Even trudging through the code, it's hard to decipher what it actually does besides implement a basic USB host and USB target and then proxy the commands (with some minor filtering for things that aren't "spec"). I'm supposing that you plug it in, and you have to program it yourself to accept a certain device or range of devices which you 'trust' but even then, it's not going to prevent someone from making a USB thing that emulates your USB thing and does malicious things.

      I'm sure you can eventually turn it into an anti-virus by putting in a number of patterns that 'known bad' USB devices do but then the same issue arises with AV - you either spend a massive amount of money and time on analyzing every bit pattern passing by and statistically analyze whether it fits within a 'good' thing or you whitelist/blacklist certain things.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    5. Re:So what is it for? by arth1 · · Score: 1

      Until they get slammed by ZyXEL for using USG as a name for a firewall. Anyone not doing even basic research here deserves to be slammed too.

    6. Re:So what is it for? by Hognoxious · · Score: 1

      It only has 4 pins. If we can find which one carries the Evil Bit can't we just snip it?

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
    7. Re:So what is it for? by Anonymous Coward · · Score: 0

      I must be gettin old too, the same junk parapalegicgraph bugged my mind too. A photo could be worth a thousand words, absent that..
      "an expensive diy or pre-built mail-order only software controlled electronic hardware condom for usb devices who use unknown firmware "
      A dongle-looking usb extension. MALE to your computer's USB on one side FEMALE to untrusted USB (aka DEAD DROP) device on the other

      I'll wait since I am not buying lots of USB stuff

    8. Re:So what is it for? by Anonymous Coward · · Score: 0

      You desire one, two, three or four chances to get it right?
      Just curious

  3. So... by Wolfrider · · Score: 1

    --Will the USG device protect against a thumbdrive that would fry your *computer* (electrically) if you plugged it in?

    --
    .
    == WolfriderV6 == I'm willing to admit that *I just might* be wrong... Are you??
    1. Re: So... by Anonymous Coward · · Score: 0

      Depends on how you build it. It is a device you make, if you want to guard against fucked up voltage, do it.

    2. Re:So... by currently_awake · · Score: 2

      Assuming the bridge doesn't connect to the computers USB power rails, yes. Once.

  4. USB1 only by sirsnork · · Score: 5, Informative

    Sadly it's only USB1, so basically useless for moving files, which I imagine is the designed purpose. A cool device certainly, but at USB1 speeds more of a cool research project than something actually useful

    --

    Normal people worry me!
    1. Re:USB1 only by retroworks · · Score: 1

      Thank you sirsnork for participating on Slashdot. Comments like yours bring me back. I have no mod points at the moment.

      --
      Gently reply
    2. Re: USB1 only by Anonymous Coward · · Score: 0

      Go forth. Earn modpoints. Be merry, you shiftless layabout.

       

    3. Re:USB1 only by Anonymous Coward · · Score: 0

      The FAQ does mention this, and basically says, if you want it faster, fund him to develop a USB2+ one :)

  5. Bad Keyboard Still Possible by mentil · · Score: 4, Interesting

    As far as I could glean from the article, the USG does nothing to stop USB devices from registering as a keyboard and then emulating keypresses to open up a back door. Having a physical switch on the USG that indicates 'this device is a keyboard' could stop that... for malicious devices that aren't actually USB keyboards.

    I'm also skeptical that the 'short list of approved commands' is 100% safe and there are no driver vulnerabilities linked to any of those commands. Also, if you plug a new USB device in thru this USG and it doesn't work, are you going to say 'too bad, probably infected', or are you going to remove the USG and try again?

    --
    Corruption is convincing someone that the selfless ideal is the same as their selfish ideal.
    1. Re: Bad Keyboard Still Possible by Anonymous Coward · · Score: 1

      Simply lock the computer when you leave it to prevent fake keyboard.
      This is more for blocking something like the Bash Bunny. That thing will backdoor a locked computer by pretending it's a USB NIC.

    2. Re:Bad Keyboard Still Possible by AmiMoJo · · Score: 1

      I'm also skeptical that the 'short list of approved commands' is 100% safe and there are no driver vulnerabilities linked to any of those commands.

      Me too. USB doesn't use "commands". There are no USB commands. Perhaps they mean that they filter SCSI commands for USB flash drives or something.

      In any case, many of the vulnerabilities are likely to be down to malformed descriptors. Descriptors tell the computer what the USB device is and in the case of standard things like keyboards and flash drives there are descriptors that give the parameters required to talk to it. Driver vulnerabilities will mostly be in the way these descriptors are parsed.

      It also does nothing to block higher level vulnerabilities, like a flash drive with malformed filesystem that exploits a bug in the filesystem handler.

      In short it's basically useless.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    3. Re:Bad Keyboard Still Possible by thegarbz · · Score: 2

      As far as I could glean from the article, the USG does nothing to stop USB devices from registering as a keyboard and then emulating keypresses to open up a back door.

      No it doesn't. As far as I can understand what it does do is prevent a USB mass storage device, or a USB network card, or a USB monitor, etc, etc, pretending to be both what it is and also a keyboard at the same time. It also prevents it from changing at some point while being used to do something malicious and then changing back. What you are describing is a different attack vector to the BadUSB exploit this is designed to prevent.

      People picking up dirty USB sticks in the carpark will only continue to use those USB sticks if they actually work as USB sticks. If they plug it in and the only thing that comes up is a keyboard they will toss it in the bin (if they are poor at security) or light up their entire computer with thermite (if they are good at security). No one is dropping USB keyboards in a car park.

    4. Re:Bad Keyboard Still Possible by thegarbz · · Score: 2

      It is as useless as a virus scanner is at preventing a user from writing their password on a post-it on the screen. That is to say, both you and the GP are talking about a different attack vector than the BadUSB vulnerability which relies on being able to enumerate two different devices at once at run time on the same bus and do something malicious while pretending to do something else. E.g. a USB mass storage device that logs keystrokes. This device here will prevent either the keylogging or the USB mass storage functionality from working. The former is safe for the PC, the second is an indicator that something isn't right to the user.

      And these pretending to other devices attacks are a relevant attack vector as malicious USB sticks are used for targeted espionage. Sure you could make a malicious keyboard, but then you actually have to get that keyboard to the victim and dropping it in a parking lot is unlikely to do you much good.

    5. Re:Bad Keyboard Still Possible by jabuzz · · Score: 1

      True, but the next step is to put a hub in the middle integrated into the USB stick. So you see a USB hub plugged into a port with a USB mass storage device and a USB keyboard attached. We are then right back to square one. I guess the firewall could be programmed to reject hubs to prevent this, but it's all getting rather messy. The better solution is to stop using USB anything to move data about; the network is the computer remember.

    6. Re:Bad Keyboard Still Possible by thegarbz · · Score: 1

      That's not too silly and I've done this myself. I built a device which presents to the OS as a USB hub as a quick and dirty way to work around two microcontrollers communicating on one USB bus without having to design and program a bus system between them.

      This would easily defeat this device as far as I can see.
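
An added example, not part of any comment in this thread and not the USG firmware's code: a bounds-checked walk over a USB configuration descriptor that rejects inconsistent lengths (the descriptor-parsing risk raised above) and applies a one-class-per-device policy that also refuses hubs (the composite-device and hub cases discussed above). The function name, the verdict names, the policy itself and the sample descriptor bytes are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Descriptor types and class codes from the USB 2.0 spec and class list. */
enum { DT_CONFIG = 0x02, DT_INTERFACE = 0x04 };
enum { CLASS_HID = 0x03, CLASS_MASS_STORAGE = 0x08, CLASS_HUB = 0x09 };

/* Verdicts of this example's hypothetical policy. */
typedef enum {
    USB_OK = 0,
    USB_MALFORMED,      /* lengths inconsistent with the bytes received */
    USB_HUB_REJECTED,   /* a hub can put further devices behind one port */
    USB_MIXED_CLASSES   /* e.g. mass storage and HID in one device */
} usb_verdict;

/* Walk a configuration descriptor (the GET_DESCRIPTOR(Configuration) reply).
 * On USB_OK, *class_out is the single interface class the device exposes. */
usb_verdict check_config(const uint8_t *buf, size_t len, uint8_t *class_out)
{
    if (len < 9 || buf[0] != 9 || buf[1] != DT_CONFIG)
        return USB_MALFORMED;
    size_t total = (size_t)buf[2] | ((size_t)buf[3] << 8); /* wTotalLength */
    if (total < 9 || total > len)
        return USB_MALFORMED;   /* never read past what was received */

    int seen = 0, interfaces = 0;
    uint8_t cls = 0;
    for (size_t off = 9; off < total; ) {
        if (total - off < 2) return USB_MALFORMED;   /* truncated header */
        size_t blen = buf[off];
        if (blen < 2 || blen > total - off)
            return USB_MALFORMED;                    /* zero or overlong bLength */
        if (buf[off + 1] == DT_INTERFACE) {
            if (blen < 9) return USB_MALFORMED;
            uint8_t c = buf[off + 5];                /* bInterfaceClass */
            if (c == CLASS_HUB) return USB_HUB_REJECTED;
            if (seen && c != cls) return USB_MIXED_CLASSES;
            cls = c;
            seen = 1;
            if (buf[off + 3] == 0) interfaces++;     /* bAlternateSetting 0 */
        }
        off += blen;
    }
    if (!seen || interfaces != buf[4])               /* bNumInterfaces must match */
        return USB_MALFORMED;
    *class_out = cls;
    return USB_OK;
}

/* Constructed sample descriptors (not captured from real devices). */
static const uint8_t STICK[] = {               /* plain mass-storage stick */
    9, 2, 32, 0, 1, 1, 0, 0x80, 50,
    9, 4, 0, 0, 2, 0x08, 0x06, 0x50, 0,
    7, 5, 0x81, 2, 64, 0, 0,   7, 5, 0x02, 2, 64, 0, 0 };
static const uint8_t STICK_PLUS_KEYBOARD[] = { /* storage + HID keyboard */
    9, 2, 57, 0, 2, 1, 0, 0x80, 50,
    9, 4, 0, 0, 2, 0x08, 0x06, 0x50, 0,
    7, 5, 0x81, 2, 64, 0, 0,   7, 5, 0x02, 2, 64, 0, 0,
    9, 4, 1, 0, 1, 0x03, 1, 1, 0,
    9, 0x21, 0x11, 1, 0, 1, 0x22, 63, 0,
    7, 5, 0x83, 3, 8, 0, 10 };
static const uint8_t HUB[] = {
    9, 2, 25, 0, 1, 1, 0, 0xE0, 50,
    9, 4, 0, 0, 1, 0x09, 0, 0, 0,
    7, 5, 0x81, 3, 1, 0, 12 };
static const uint8_t ZERO_LENGTH[] = {         /* interface bLength forged to 0 */
    9, 2, 18, 0, 1, 1, 0, 0x80, 50,
    0, 4, 0, 0, 2, 0x08, 0x06, 0x50, 0 };

int main(void)
{
    uint8_t cls = 0;
    printf("stick: %d\n", check_config(STICK, sizeof STICK, &cls));
    printf("stick+keyboard: %d\n",
           check_config(STICK_PLUS_KEYBOARD, sizeof STICK_PLUS_KEYBOARD, &cls));
    printf("hub: %d\n", check_config(HUB, sizeof HUB, &cls));
    printf("zero length: %d\n",
           check_config(ZERO_LENGTH, sizeof ZERO_LENGTH, &cls));
    return 0;
}
```

A check like this covers only the configuration descriptor; it says nothing about the contents of a filesystem on the device or about a device that is honestly a keyboard.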

  6. why by Anonymous Coward · · Score: 0

    don't usb devices, or the devices they are plugged into, already include such protection?

    captcha: excrete

    1. Re:why by wonkey_monkey · · Score: 2

      Because there are some USB devices which have a legitimate purpose for doing all of these "bad" things, so they'd be rendered useless.

      --
      systemd is Roko's Basilisk.
    2. Re: why by Anonymous Coward · · Score: 0

      Who says they don't?
      And what does that have to do with a device built just to be bad? Nothing, that's what.

    3. Re:why by fibonacci8 · · Score: 2

      I'll bite... Name one device that presents itself as one type of device to the user and then presents itself as a different type of device to the USB subsystem inside the computer that could be described as "a legitimate purpose". Some devices do, but that doesn't fit any definition of the word "legitimate" that I've encountered. Intentionally hiding things from users is the opposite of legitimate.

      --
      Inheritance is the sincerest form of nepotism.
    4. Re:why by x0ra · · Score: 1

      mass storage + serial interface to the same device.

    5. Re:why by SandorZoo · · Score: 1

      Yubikeys look like security dongles, but present themselves as keyboards so instead of retyping a long one-time-key, you just press a button and it "types" it for you. All without needing OS specific drivers. But they don't look like a keyboard.

    6. Re:why by thegarbz · · Score: 1

      I have yet to see a device like this. I have seen plenty of devices which will enumerate as different devices on connect by user request (e.g. reboot in firmware download mode, hold down something while plugging it in etc), but I've yet to come across a device that actually will attempt to enumerate both states at once.

    7. Re:why by heypete · · Score: 3, Informative

      I have a Huawei USB cellular modem that identifies itself simultaneously as:
      1. USB mass storage, if one has a microSD card in the internal slot. This is handy for storing files and whatnot on the stick.
      2. As a CD-ROM drive with a virtual CD containing the drivers needed for the cellular modem functionality, so the user can install the drivers needed while only possessing the stick itself (e.g. no real CD, no internet download, etc.).
      3. As a cellular modem.

    8. Re:why by BronsCon · · Score: 1

      And, even if this was disallowed, USB hubs still exist. The device could just as well present itself as a hub with those three things connected. Like you, I don't know why people are getting all worked up over this as though it's something they could actually protect against.

      "Accept the things I cannot change" and all that.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
  7. An even better version by Anonymous Coward · · Score: 0

    A friend who works for the NSA said he could build an even better one for me! I plugged it in and now I'm amazingly, wonderfully safe. Safer than anyone. There isn't anybody on earth safer than me.

    Donald

  8. A waste of money by techno-vampire · · Score: 1

    I've never yet seen an OS where you can't turn autorun off. Once you've done that, why do you need this?

    --
    Good, inexpensive web hosting
    1. Re:A waste of money by Mr0bvious · · Score: 1

      USB devices can be more than file systems.

      Having autorun off is not going to stop a USB device pretending to be a keyboard or mouse or whatnot.

      --
      Never happened. True story.
    2. Re:A waste of money by thegarbz · · Score: 1

      It's not auto-running a file on a filesystem. It's automatically talking to the firmware on the USB controller, something that every OS needs to allow for a USB device to function.

    3. Re:A waste of money by thegarbz · · Score: 1

      You can prevent Windows from installing new USB devices by type.

      Mind you if your keyboard then breaks you're screwed without some form of remote access or a PS/2 port.

    4. Re:A waste of money by _Sharp'r_ · · Score: 1

      Why can't you just use a different USB driver for your OS that filters, alerts on, requires additional permission for, or blocks whatever you want, rather than buying a new piece of hardware?

      I mean, I get the voltage thing to fry a port, but that's a DOS attack no worse than someone who is physically there just smashing the port/computer. Why not just secure the USB device driver in the first place?

      --
      The party of stupid and the party of evil get together and do something both stupid and evil, then call it bipartisan.
    5. Re:A waste of money by thegarbz · · Score: 1

      This device won't prevent the frying of the port.

      And yes you can prevent BadUSB by diligently disabling auto-installation of new USB devices (no need for a driver, you can do that in Group Policy). You can even do it on a per ID basis. However I mentioned what could go wrong in another thread: Say you've locked down the system by ID to prevent auto-install of new USB HID devices (the key-logging portion of this attack).

      And your keyboard / mouse combination breaks.

      What now? You need the exact same make and model keyboard and mouse to make your computer responsive again. Or you need to buy a second set in advance and ensure they are installed in the OS. Plugging in a new one is now not an option because the new one will be rejected, and god forbid you use those ultra common Dells because something that common just seems rife for emulation.

      You can prevent the attack while simultaneously killing one of the main reasons we switched to USB in the first place: near universal driverless plug and play.

  9. The problem is most Windows computers by najajomo · · Score: 1

    "The problem is that most computers automatically trust every USB device that's plugged in, which means malicious code can run without warning"

    Windows only I presume ..

    1. Re:The problem is most Windows computers by Anonymous Coward · · Score: 0

      Windows makes the problem worse but that's not the final conclusion. It's bad that Windows blindly trusts USB devices and tries to Autorun from them but this is something that's been true since floppy disks and it's not unique to USB. All operating systems have a problem because they trust any other type of device to be the thing that it says on the box. If you have a device that traps other I/O then it would have been trusted by anything. The OS doesn't know what the device is, it can't read the box.

      What might be better is if the OS keeps a whitelist of devices that it's seen and prompts if it sees a new device with some information about what the device actually wants to try and do or be. This might confuse though, some VR rigs have lighthouses that are essentially web cameras but the user doesn't necessarily know that. Some devices might actually need to be things that don't immediately make sense until you realize how they actually work. This is a security/usability trade-off.

  10. Disable auto-anything by Anonymous Coward · · Score: 0

    Well, part of the problem is that computers are set up to just automatically trust any piece of hardware that is plugged into USB, and even to just automatically run any executable that might be on it. Seems to me the problem isn't with USB as much as it is with stupid Windows trust defaults.

  11. USB sticks are inherently dangerous by Sla$hPot · · Score: 0

    All unsigned USB sticks are wide open to all types of exploits.
    When an unsigned USB stick is being attacked
    and firmware upgraded with malicious code you are screwed.
    You might even end up with the big package, rootkit, bot-client, you name it.
    Throw everything out, there is nothing else to do.
    Perhaps also move to a different part of the country.
    Unsigned USB sticks should always be thrown out before it is too late.
    Better put them in a hydraulic press.
    You can not scan USB stick firmware, so forget it
    Just make sure your USB stick firmware is signed

    1. Re:USB sticks are inherently dangerous by Sla$hPot · · Score: 0

      For those who think this won't happen to me.
      Check this out: https://www.youtube.com/watch?...
      And to get an idea about the extent of devices affected: https://github.com/brandonlw/P...

  12. Over charging protection? by gurps_npc · · Score: 1

    This device does not stop the worst of the USB issues: the Capacitor killer that draws in electricity, charges a capacitor, then releases it all back into the PC at high voltage and capacity, frying the computer.

    --
    excitingthingstodo.blogspot.com
  13. If you read the link to the article.. by Neuronwelder · · Score: 1

    The USG admits it's not high level. But to me it's a start. And a start is better than having nothing. (I wonder if it protects against bad memory sticks that fry your computer??)

  14. Bootstrapping after a keyboard replacement by tepples · · Score: 1

    What might be better is if the OS keeps a whitelist of devices that it's seen and prompts if it sees a new device with some information about what the device actually wants to try and do or be.

    When your desktop PC's keyboard breaks, good luck adding the replacement you purchased to its whitelist.

    1. Re:Bootstrapping after a keyboard replacement by BronsCon · · Score: 1

      Plug it in, use the mouse to click "OK" on the prompt.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    2. Re:Bootstrapping after a keyboard replacement by Anonymous Coward · · Score: 0

      Imagine booting for the first time, with no input devices or having both keyboard and mouse break.

    3. Re:Bootstrapping after a keyboard replacement by tepples · · Score: 1

      And use what to enter your password so that the OS knows the click on OK is coming from an administrator?

    4. Re:Bootstrapping after a keyboard replacement by BronsCon · · Score: 1

      The on-screen keyboard that Windows has had since at least as far back as XP.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    5. Re:Bootstrapping after a keyboard replacement by BronsCon · · Score: 1

      Imagine booting for the first time and not having enabled this yet, or this being a Windows driver-based security measure that doesn't take effect until Windows loads its drivers, allowing the new keyboard to be used to boot into a mode where this protection is temporarily disabled in case of this very situation. My IQ is up there, but I'm no super-genius, and it only took me about 5 seconds to solve both of those problems.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
  15. Will it protect the PC from the USB Killer device? by ayesnymous · · Score: 1

    There was an article here a few months ago about a USB Killer device that will send a stream of electricity to whatever device it's plugged into, destroying the USB port at minimum, or the entire device at worst.

  16. Re:Will it protect the PC from the USB Killer devi by Anonymous Coward · · Score: 0

    I recently designed a power conditioning board for a high speed camera flash at work. This primarily involved transient voltage suppression (for ESD type events) and undervoltage / overvoltage lockout (prevents turn-on outside the nominal 10.8V-13.2V range). The board tolerates inputs up to 33V. When I asked my coworker if that was OK, he replied, "Seems fine; you have to stop at some point. Any device will be destroyed by a sufficiently high input voltage."

    The board I made doesn't have one, but my favorite protection device is the overvoltage crowbar. It intentionally blows up a fuse protecting the device if the input voltage is above a certain level. The reference circuit on wikipedia is a good one: https://en.wikipedia.org/wiki/Crowbar_(circuit)

  17. USG? by c10 · · Score: 1

    It's probably more drywall than firewall.

  18. Re: Will it protect the PC from the USB Killer dev by Anonymous Coward · · Score: 0

    We have a spark gap for over voltage protection on a particularly rustic piece of equipment. Has directions to adjust for altitude and seasonal humidity. I really want to try it, but do want to stay employed.

  19. Completely Useless by Anonymous Coward · · Score: 0

    When was the last time that you plugged a random USB dongle into your computer? I have purchased all of my USB drives and devices and know what they do.

    If anyone has physical access to my computer, they can simply stick a keyboard in and type away.

    Those two reasons are enough to lead me to conclude that USG is completely useless. Now if someone can protect computers from PEBKACs...

  20. On-screen keyboard failures by tepples · · Score: 1

    I don't see how a user could use the on-screen keyboard to authenticate to Windows when the elevation prompt covers up the on-screen keyboard or when pressing Ctrl+Alt+Del on the login or lock screen does not cause the password prompt to appear.

    Nor does it help if the user replaced a broken mouse at the same time.

    1. Re:On-screen keyboard failures by BronsCon · · Score: 1

      Come to think of it, I don't recall ever having to type my password into a UAC prompt. I'll grant your point about the mouse, but also point out that Windows' driver-based protection measures can't take effect until Windows has loaded those drivers. If actually ever implemented, it should be possible to boot into safe mode with that protection disabled to add a device to the whitelist; the extra paranoid can unplug all but the new keyboard before doing so.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    2. Re:On-screen keyboard failures by BronsCon · · Score: 1

      You know, I realize I didn't address your point fully. Let me clarify: non-admin users should not be modifying system security functions in the first place. If the issue you mention affects you, you are a non-admin user and should not be adding USB devices to any whitelist; you should be contacting an admin user, who can log in with the on-screen keyboard and add the new keyboard to the whitelist simply by clicking the "OK" button on the UAC prompt.

      Alternately, since you purport to know the administrator password in the first place, in order to be able to type it into the UAC prompt in the presence of a working keyboard, why don't you just sign in with that account yourself?

      TL;DR: Admins don't see UAC password prompts; if you see them, you are not an admin and shouldn't be doing this in the first place.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    3. Re:On-screen keyboard failures by tepples · · Score: 1

      pressing Ctrl+Alt+Del on the login or lock screen does not cause the password prompt to appear

      an admin user, who can log in with the on-screen keyboard

      Not if Windows fails to show the login prompt in the first place because it fails to respond to Ctrl+Alt+Del on the on-screen keyboard.

    4. Re:On-screen keyboard failures by BronsCon · · Score: 1

      ... which wouldn't affect safe mode with this protection temporarily disabled. You're smarter than this. Stop, think, and quit embarrassing yourself.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    5. Re:On-screen keyboard failures by kaatochacha · · Score: 1

      On a daily basis, I'm forced to modify system security functions under non admin accounts using admin credentials.

    6. Re:On-screen keyboard failures by BronsCon · · Score: 1

      That's highly unusual. Have you considered that you are either doing something wrong, or doing something that most users don't do (e.g. unusual)? In any case, though, you have admin credentials in order to be able to do that, which means you could sign in to an admin account to add the new keyboard and/or mouse to the whitelist.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
  21. Re:Will it protect the PC from the USB Killer devi by Anonymous Coward · · Score: 0

    https://github.com/robertfisk/USG/wiki#q-can-the-usg-protect-me-from-the-usb-killer

  22. USGS by Anonymous Coward · · Score: 0

    If the United States Geological Survey (USGS) implemented this, on more than one computer, would it be the USGS USGs?

    Yes. Yes it would!