Slashdot Mirror


New 'USG' Firewalls Protect USB Drives From Malicious Attacks (zdnet.com)

A developer has created the USG, "a small, portable hardware USB firewall...to prevent malicious USB sticks and devices laden with malware from infecting your computer." An anonymous reader quotes ZDNet: The problem is that most computers automatically trust every USB device that's plugged in, which means malicious code can run without warning... Cars, cash registers, and some ATMs also come with USB ports, all of which can be vulnerable to cyberattacks from a single USB stick. That's where the USG firewall comes in...a simple hardware serial link that only accepts a very few select number of safe commands, which prevents the device from executing system commands or intercepting network traffic. That means the data can flow from the USB device, but [it] effectively blocks other USB exploits.
The firmware has been open sourced, and the technical specifications have also been released online "to allow anyone to build their own from readily available development boards."


  1. good thing is that you can stack them USG-USG-USB by kiviQr · · Score: 2

    Just in case first gets hacked you can stack them USG-USG-USG-USG-...-USB

  2. So what is it for? by NotInHere · · Score: 1

    Sorry, but couldn't get past all that sheep speak (aka dumbed down language). What exactly is that bridge for? Preventing badusb? Actually checking for malware files stored on the usb stick's filesystem? Preventing computers from flashing the usb stick's firmware to make attacks permanent?

    1. Re:So what is it for? by Swave+An+deBwoner · · Score: 1
      You'd have to read the wiki article at the first link four words into the slashdot summary, but yeah, that's what the developer says:

      https://github.com/robertfisk/USG/wiki

      The USG isolates BadUSB devices from your computer, while still passing through the data you need.

    2. Re:So what is it for? by gweihir · · Score: 1

      It is about preventing a USB stick from claiming to be something else, e.g. a keyboard or a network card. Not that that helps any if there is a malicious executable on the stick...

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    3. Re:So what is it for? by guruevi · · Score: 2

      Even trudging through the code, it's hard to decipher what it actually does besides implement a basic USB host and USB target and then proxy the commands (with some minor filtering for things that aren't "spec"). I'm supposing that you plug it in, and you have to program it yourself to accept a certain device or range of devices which you 'trust' but even then, it's not going to prevent someone from making a USB thing that emulates your USB thing and does malicious things.

      I'm sure you can eventually turn it into an anti-virus by putting in a number of patterns that 'known bad' USB devices do but then the same issue arises with AV - you either spend a massive amount of money and time on analyzing every bit pattern passing by and statistically analyze whether it fits within a 'good' thing or you whitelist/blacklist certain things.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    4. Re:So what is it for? by arth1 · · Score: 1

      Until they get slammed by ZyXEL for using USG as a name for a firewall. Anyone not doing even basic research here deserves to be slammed too.

    5. Re:So what is it for? by Hognoxious · · Score: 1

      It only has 4 pins. If we can find which one carries the Evil Bit can't we just snip it?

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
  3. So... by Wolfrider · · Score: 1

    --Will the USG device protect against a thumbdrive that would fry your *computer* (electrically) if you plugged it in?

    --
    .
    == WolfriderV6 == I'm willing to admit that *I just might* be wrong... Are you??
    1. Re:So... by currently_awake · · Score: 2

      Assuming the bridge doesn't connect to the computer's USB power rails, yes. Once.

  4. USB1 only by sirsnork · · Score: 5, Informative

    Sadly it's only USB1, so basically useless for moving files, which I imagine is the designed purpose. A cool device certainly, but at USB1 speeds more of a cool research project than something actually useful

    --

    Normal people worry me!
    1. Re:USB1 only by retroworks · · Score: 1

      Thank you sirsnork for participating on Slashdot. Comments like yours bring me back. I have no mod points at the moment.

      --
      Gently reply
  5. Bad Keyboard Still Possible by mentil · · Score: 4, Interesting

    As far as I could glean from the article, the USG does nothing to stop USB devices from registering as a keyboard and then emulating keypresses to open up a back door. Having a physical switch on the USG that indicates 'this device is a keyboard' could stop that... for malicious devices that aren't actually USB keyboards.

    I'm also skeptical that the 'short list of approved commands' is 100% safe and there are no driver vulnerabilities linked to any of those commands. Also, if you plug a new USB device in thru this USG and it doesn't work, are you going to say 'too bad, probably infected', or are you going to remove the USG and try again?

    --
    Corruption is convincing someone that the selfless ideal is the same as their selfish ideal.
    1. Re: Bad Keyboard Still Possible by Anonymous Coward · · Score: 1

      Simply lock the computer when you leave it to prevent fake keyboard.
      This is more for blocking something like the Bash Bunny. That thing will backdoor a locked computer by pretending it's a USB NIC.

    2. Re:Bad Keyboard Still Possible by AmiMoJo · · Score: 1

      I'm also skeptical that the 'short list of approved commands' is 100% safe and there are no driver vulnerabilities linked to any of those commands.

      Me too. USB doesn't use "commands". There are no USB commands. Perhaps they mean that they filter SCSI commands for USB flash drives or something.

      In any case, many of the vulnerabilities are likely to be down to malformed descriptors. Descriptors tell the computer what the USB device is and in the case of standard things like keyboards and flash drives there are descriptors that give the parameters required to talk to it. Driver vulnerabilities will mostly be in the way these descriptors are parsed.

      It also does nothing to block higher level vulnerabilities, like a flash drive with malformed filesystem that exploits a bug in the filesystem handler.

      In short it's basically useless.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    3. Re:Bad Keyboard Still Possible by thegarbz · · Score: 2

      As far as I could glean from the article, the USG does nothing to stop USB devices from registering as a keyboard and then emulating keypresses to open up a back door.

      No it doesn't. As far as I can understand what it does do is prevent a USB mass storage device, or a USB network card, or a USB monitor, etc, etc, pretending to be both what it is and also a keyboard at the same time. It also prevents it from changing at some point while being used to do something malicious and then changing back. What you are describing is a different attack vector to the BadUSB exploit this is designed to prevent.

      People picking up dirty USB sticks in the carpark will only continue to use those USB sticks if they actually work as USB sticks. If they plug it in and the only thing that comes up is a keyboard they will toss it in the bin (if they are poor at security) or light up their entire computer with thermite (if they are good at security). No one is dropping USB keyboards in a car park.

    4. Re:Bad Keyboard Still Possible by thegarbz · · Score: 2

      It is as useless as a virus scanner is at preventing a user from writing their password on a post-it on the screen. That is to say, both you and the GP are talking about a different attack vector than the BadUSB vulnerability which relies on being able to enumerate two different devices at once at run time on the same bus and do something malicious while pretending to do something else. E.g. a USB mass storage device that logs keystrokes. This device here will prevent either the keylogging or the USB mass storage functionality from working. The former is safe for the PC, the second is an indicator that something isn't right to the user.

      And these pretending to other devices attacks are a relevant attack vector as malicious USB sticks are used for targeted espionage. Sure you could make a malicious keyboard, but then you actually have to get that keyboard to the victim and dropping it in a parking lot is unlikely to do you much good.

    5. Re:Bad Keyboard Still Possible by jabuzz · · Score: 1

      True, but the next step is to put a hub in the middle integrated into the USB stick. So you see a USB hub plugged into a port with a USB mass storage device and a USB keyboard attached. We are then right back to square one. I guess the firewall could be programmed to reject hubs to prevent this, but it's all getting rather messy. The better solution is to stop using USB anything to move data about; the network is the computer remember.

    6. Re:Bad Keyboard Still Possible by thegarbz · · Score: 1

      That's not too silly and I've done this myself. I built a device which presents to the OS as a USB hub as a quick and dirty way to work around two microcontrollers communicating on one USB bus without having to design and program a bus system between them.

      This would easily defeat this device as far as I can see.
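
An added example, not part of any comment above and not code from the USG project: a strict check of a USB configuration descriptor that rejects malformed lengths, hub interfaces, and any interface outside the one class the operator expects, which are the three cases this sub-thread argues about. The function name, verdict names, single-class policy and sample descriptors are all assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example; names and policy are hypothetical, not the USG firmware. */
enum { DT_CONFIG = 0x02, DT_INTERFACE = 0x04 };
enum { CLASS_HID = 0x03, CLASS_MSC = 0x08, CLASS_HUB = 0x09 };
enum verdict { V_ALLOW, V_MALFORMED, V_HUB, V_EXTRA_CLASS };

/* Accept only a well-formed configuration descriptor whose interfaces all
   belong to the single class the operator expects for this device. */
enum verdict check_config(const uint8_t *d, size_t len, uint8_t expected)
{
    if (len < 9 || d[0] != 9 || d[1] != DT_CONFIG)
        return V_MALFORMED;
    size_t total = (size_t)d[2] | ((size_t)d[3] << 8);   /* wTotalLength */
    if (total != len)
        return V_MALFORMED;
    unsigned declared = d[4], seen = 0;                  /* bNumInterfaces */

    for (size_t off = 9; off < total; off += d[off]) {
        size_t left = total - off;
        /* A bLength of 0 would loop forever and one past the end would read
           out of bounds, so both are rejected before any field is used. */
        if (left < 2 || d[off] < 2 || d[off] > left)
            return V_MALFORMED;
        if (d[off + 1] != DT_INTERFACE)
            continue;                 /* endpoint or class-specific: skip */
        if (d[off] != 9)
            return V_MALFORMED;
        if (d[off + 5] == CLASS_HUB)  /* bInterfaceClass */
            return V_HUB;
        if (d[off + 5] != expected)
            return V_EXTRA_CLASS;
        if (d[off + 3] == 0)          /* count alternate setting 0 only */
            seen++;
    }
    return (seen == declared && seen > 0) ? V_ALLOW : V_MALFORMED;
}

/* Constructed sample descriptors, not captured from real devices. */
static const uint8_t flash_only[] = {       /* one mass-storage interface */
    9,2,32,0,1,1,0,0x80,50,  9,4,0,0,2,0x08,0x06,0x50,0,
    7,5,0x81,2,64,0,0,  7,5,0x02,2,64,0,0 };
static const uint8_t flash_plus_hid[] = {   /* mass storage plus a keyboard */
    9,2,57,0,2,1,0,0x80,50,  9,4,0,0,2,0x08,0x06,0x50,0,
    7,5,0x81,2,64,0,0,  7,5,0x02,2,64,0,0,
    9,4,1,0,1,0x03,0x01,0x01,0,  9,0x21,0x11,1,0,1,0x22,63,0,
    7,5,0x83,3,8,0,10 };
static const uint8_t bad_length[] = {       /* last bLength overruns buffer */
    9,2,32,0,1,1,0,0x80,50,  9,4,0,0,2,0x08,0x06,0x50,0,
    7,5,0x81,2,64,0,0,  64,5,0x02,2,64,0,0 };
static const uint8_t hub[] = {              /* device presenting as a hub */
    9,2,25,0,1,1,0,0xE0,50,  9,4,0,0,1,0x09,0,0,0,  7,5,0x81,3,1,0,12 };

int main(void)
{
    printf("flash_only=%d flash_plus_hid=%d bad_length=%d hub=%d\n",
           check_config(flash_only, sizeof flash_only, CLASS_MSC),
           check_config(flash_plus_hid, sizeof flash_plus_hid, CLASS_MSC),
           check_config(bad_length, sizeof bad_length, CLASS_MSC),
           check_config(hub, sizeof hub, CLASS_MSC));
    return 0;
}
```

A check like this only covers the configuration descriptor; it says nothing about the filesystem on the drive or about a device that is honestly, and only, a keyboard.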

  6. Re:why by wonkey_monkey · · Score: 2

    Because there are some USB devices which have a legitimate purpose for doing all of these "bad" things, so they'd be rendered useless.

    --
    systemd is Roko's Basilisk.
  7. A waste of money by techno-vampire · · Score: 1

    I've never yet seen an OS where you can't turn autorun off. Once you've done that, why do you need this?

    --
    Good, inexpensive web hosting
    1. Re:A waste of money by Mr0bvious · · Score: 1

      USB devices can be more than file systems.

      Having autorun off is not going to stop a USB device pretending to be a keyboard or mouse or whatnot.

      --
      Never happened. True story.
    2. Re:A waste of money by thegarbz · · Score: 1

      It's not auto-running a file on a filesystem. It's automatically talking to the firmware on the USB controller, something that every OS needs to allow for a USB device to function.

    3. Re:A waste of money by thegarbz · · Score: 1

      You can prevent Windows from installing new USB devices by type.

      Mind you if your keyboard then breaks you're screwed without some form of remote access or a PS/2 port.

    4. Re:A waste of money by _Sharp'r_ · · Score: 1

      Why can't you just use a different USB driver for your OS that filters, alerts on, requires additional permission for, or blocks whatever you want, rather than buying a new piece of hardware?

      I mean, I get the voltage thing to fry a port, but that's a DOS attack no worse than someone who is physically there just smashing the port/computer. Why not just secure the USB device driver in the first place?

      --
      The party of stupid and the party of evil get together and do something both stupid and evil, then call it bipartisan.
    5. Re:A waste of money by thegarbz · · Score: 1

      This device won't prevent the frying of the port.

      And yes you can prevent BadUSB by diligently disabling auto-installation of new USB devices (no need for a driver, you can do that in Group Policy). You can even do it on a per ID basis. However I mentioned what could go wrong in another thread: Say you've locked down the system by ID to prevent auto-install of new USB HID devices (the key-logging portion of this attack).

      And your keyboard / mouse combination breaks.

      What now? You need the exact same make and model keyboard and mouse to make your computer responsive again. Or you need to buy a second set in advance and ensure they are installed in the OS. Plugging in a new one is now not an option because the new one will be rejected, and god forbid you use those ultra common Dells because something that common just seems rife for emulation.

      You can prevent the attack while simultaneously killing one of the main reasons we switched to USB in the first place: near universal driverless plug and play.

  8. Re:why by fibonacci8 · · Score: 2

    I'll bite... Name one device that presents itself as one type of device to the user and then presents itself as a different type of device to the USB subsystem inside the computer that could be described as "a legitimate purpose". Some devices do, but that doesn't fit any definition of the word "legitimate" that I've encountered. Intentionally hiding things from users is the opposite of legitimate.

    --
    Inheritance is the sincerest form of nepotism.
  9. The problem is most Windows computers by najajomo · · Score: 1

    "The problem is that most computers automatically trust every USB device that's plugged in, which means malicious code can run without warning"

    Windows only I presume ..

  10. Re:why by x0ra · · Score: 1

    mass storage + serial interface to the same device.

  11. Over charging protection? by gurps_npc · · Score: 1

    This device does not stop the worst of the USB issues: the Capacitor killer that draws in electricity, charges a capacitor, then releases it all back into the PC at high voltage and capacity, frying the computer.

    --
    excitingthingstodo.blogspot.com
  12. Re:why by SandorZoo · · Score: 1

    Yubikeys look like security dongles, but present themselves as keyboards so instead of retyping a long one-time-key, you just press a button and it "types" it for you. All without needing OS specific drivers. But they don't look like a keyboard.

  13. Re:why by thegarbz · · Score: 1

    I have yet to see a device like this. I have seen plenty of devices which will enumerate as different devices on connect by user request (e.g. reboot in firmware download mode, hold down something while plugging it in etc), but I've yet to come across a device that actually will attempt to enumerate both states at once.

  14. If you read the link to the article.. by Neuronwelder · · Score: 1

    The USG admits it's not high level. But to me it's a start. And a start is better than having nothing. (I wonder if it protects against bad memory sticks that fry your computer??)

  15. Re:why by heypete · · Score: 3, Informative

    I have a Huawei USB cellular modem that identifies itself simultaneously as:
    1. USB mass storage, if one has a microSD card in the internal slot. This is handy for storing files and whatnot on the stick.
    2. As a CD-ROM drive with a virtual CD containing the drivers needed for the cellular modem functionality, so the user can install the drivers needed while only possessing the stick itself (e.g. no real CD, no internet download, etc.).
    3. As a cellular modem.

  16. Bootstrapping after a keyboard replacement by tepples · · Score: 1

    What might be better is if the OS keeps a whitelist of devices that it's seen and prompts if it sees a new device with some information about what the device actually wants to try and do or be.

    When your desktop PC's keyboard breaks, good luck adding the replacement you purchased to its whitelist.

    1. Re:Bootstrapping after a keyboard replacement by BronsCon · · Score: 1

      Plug it in, use the mouse to click "OK" on the prompt.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    2. Re:Bootstrapping after a keyboard replacement by tepples · · Score: 1

      And use what to enter your password so that the OS knows the click on OK is coming from an administrator?

    3. Re:Bootstrapping after a keyboard replacement by BronsCon · · Score: 1

      The on-screen keyboard that Windows has had since at least as far back as XP.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    4. Re:Bootstrapping after a keyboard replacement by BronsCon · · Score: 1

      Imagine booting for the first time and not having enabled this yet, or this being a Windows driver-based security measure that doesn't take effect until Windows loads its drivers, allowing the new keyboard to be used to boot into a mode where this protection is temporarily disabled in case of this very situation. My IQ is up there, but I'm no super-genius, and it only took me about 5 seconds to solve both of those problems.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
  17. Will it protect the PC from the USB Killer device? by ayesnymous · · Score: 1

    There was an article here a few months ago about a USB Killer device that will send a stream of electricity to whatever device it's plugged into, destroying the USB port at minimum, or the entire device at worst.

  18. Re:why by BronsCon · · Score: 1

    And, even if this was disallowed, USB hubs still exist. The device could just as well present itself as a hub with those three things connected. Like you, I don't know why people are getting all worked up over this as though it's something they could actually protect against.

    "Accept the things I cannot change" and all that.

    --
    APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
  19. USG? by c10 · · Score: 1

    It's probably more drywall than firewall.

  20. On-screen keyboard failures by tepples · · Score: 1

    I don't see how a user could use the on-screen keyboard to authenticate to Windows when the elevation prompt covers up the on-screen keyboard or when pressing Ctrl+Alt+Del on the login or lock screen does not cause the password prompt to appear.

    Nor does it help if the user replaced a broken mouse at the same time.

    1. Re:On-screen keyboard failures by BronsCon · · Score: 1

      Come to think of it, I don't recall ever having to type my password into a UAC prompt. I'll grant your point about the mouse, but also point out that Windows' driver-based protection measures can't take effect until Windows has loaded those drivers. If actually ever implemented, it should be possible to boot into safe mode with that protection disabled to add a device to the whitelist; the extra paranoid can unplug all but the new keyboard before doing so.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    2. Re:On-screen keyboard failures by BronsCon · · Score: 1

      You know, I realize I didn't address your point fully. Let me clarify: non-admin users should not be modifying system security functions in the first place. If the issue you mention affects you, you are a non-admin user and should not be adding USB devices to any whitelist; you should be contacting an admin user, who can log in with the on-screen keyboard and add the new keyboard to the whitelist simply by clicking the "OK" button on the UAC prompt.

      Alternately, since you purport to know the administrator password in the first place, in order to be able to type it into the UAC prompt in the presence of a working keyboard, why don't you just sign in with that account yourself?

      TL;DR: Admins don't see UAC password prompts; if you see them, you are not an admin and shouldn't be doing this in the first place.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    3. Re:On-screen keyboard failures by tepples · · Score: 1

      pressing Ctrl+Alt+Del on the login or lock screen does not cause the password prompt to appear

      an admin user, who can log in with the on-screen keyboard

      Not if Windows fails to show the login prompt in the first place because it fails to respond to Ctrl+Alt+Del on the on-screen keyboard.

    4. Re:On-screen keyboard failures by BronsCon · · Score: 1

      ... which wouldn't affect safe mode with this protection temporarily disabled. You're smarter than this. Stop, think, and quit embarrassing yourself.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    5. Re:On-screen keyboard failures by kaatochacha · · Score: 1

      On a daily basis, I'm forced to modify system security functions under non admin accounts using admin credentials.

    6. Re:On-screen keyboard failures by BronsCon · · Score: 1

      That's highly unusual. Have you considered that you are either doing something wrong, or doing something that most users don't do (e.g. unusual)? In any case, though, you have admin credentials in order to be able to do that, which means you could sign in to an admin account to add the new keyboard and/or mouse to the whitelist.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.