Linux Has a USB Driver Security Problem (bleepingcomputer.com)
Catalin Cimpanu, reporting for BleepingComputer: USB drivers included in the Linux kernel are rife with security flaws that in some cases can be exploited to run untrusted code and take over users' computers. The vast majority of these vulnerabilities came to light on Monday, when Google security expert Andrey Konovalov informed the Linux community of 14 vulnerabilities he found in the Linux kernel USB subsystem. "All of them can be triggered with a crafted malicious USB device in case an attacker has physical access to the machine," Konovalov said. The 14 flaws are actually part of a larger list of 79 flaws Konovalov found in Linux kernel USB drivers during the past months. Not all of these 79 vulnerabilities have been reported, let alone patched. Most are simple DoS (Denial of Service) bugs that freeze or restart the OS, but some allow attackers to elevate privileges and execute malicious code.
you're already pwned
I think I found the problem. Kernel-space drivers are always prone to these kinds of problems. This is not new.
The depth of the problem is newish, but only because someone peeked in and saw flaws.
Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
Linux drivers can mitigate that but they will never stop the problems in the USB spec.
USB has a problem. Even if the kernel is 100% secure, you can use the USB standard to hack devices. This is why secure environments put glue in their USB ports.
"First they came for the slanderers and i said nothing."
Vulnerabilities present and reported in the kernel-based DRIVER FOR A TOY since *2003*
What are you talking about?
Servers in locked data centers - safe
PCs in locked offices / homes - safe
Laptops - safe if you shut them down and have a BIOS password to enable boot; probably safe with an encrypted root fs, provided the machine is shut down to begin with.
Laptop in your own hands - safe
Now all those consumer devices that the manufacturer won't let you have access to, ROOTED!
This is a win.
Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
Why can't Linus in his infinite wisdom do the same?
If Linux was a microkernel architecture kernel, it would be safer, but slower by about 20%. So the reason is speed.
I would think that secure environments would keep the case of a computer behind a locked panel, and not generally allow physical access to it at all. This also has the bonus of being a much more reversible state if or when authorized system administrators need to actually use the port for some purpose.
File under 'M' for 'Manic ranting'
Secure environments do all that and more: 1) reduce physical access 2) in software, blacklist the entire USB chain with the exception of keyboard/mouse. This means no driver will even be loaded no matter what you put in...
I'm assuming these things happen because the USB device drivers load microcode from the USB device? If so why can't these things be sandboxed-- no reason to give them file access or network access or even much memory. If it's a matter of top line speed then let the user decide-- sandbox by default and let the user have a switch labeled "open your mouth and close your eyes-- give me a tiny bit more speed in return for butt neckid security."
Some drink at the fountain of knowledge. Others just gargle.
Pretty much everything on that website is a USB keyboard. Doesn't work if the PC you plug it in to is locked or not logged in. You may as well use the keyboard that's already plugged in.
Screen locked? Not a problem!
Idiot who mistakes all physical access as equitable, news at 11:15!
The first mistake. Having an operating system.
Really? That seems like a lot.
So, I guess it affects Android too..
Oh, i see your phone is low on battery, here - have a charger
It's the law to inform the people you may have infected them with an STD, no? Otherwise, what kind of asshole are you?
Stop fucking telling people to "see subject". Everyone else is a better reader/writer than you and you are the last fucking person in the world that should be telling people how to read. Learn to write a fucking post. FFS.
Different OS. If you're using "cifsmount" for /home/ user or something similar you might be vulnerable. If the lock-screen gets you to a desktop that can only run SSH, VNC over SSH, or a locked-down HTTPS-only browser, not so much. Then again, the attack described in that article isn't just a USB thing... someone could probably build a male RJ45 dongle that runs the same attack.
I think you're confusing cryptography and steganography..
If you've already blockaded all physical access to the ports by putting the physical computer behind either a locked panel or door, then policy 2 is superfluous, and only liable to inconvenience people who would otherwise be legitimately authorized to make changes to the system's configuration, and although reversible, is subjectively not significantly better than the aforementioned suggestion of blocking up the ports with glue.
So when you plug in a flash drive, you are giving control of your entire computer to it. Every time. Like when your kids give you a USB with something to print from their virus riddled school.
At least Windows is no longer supposed to automatically execute code it finds on the drive (or CD, if that is what the USB is emulating). But it is *long* over due that I should be able to plug in a USB drive and still be safe. May need special ports. Or a rule that Keyboards are only detected on startup. Etc.
I've worked in secure environments and as someone that has obtained security certifications I see all kinds of problems with USB beyond improperly coded drivers. One common practice not that long ago was to disable any USB ports to stop people from plugging in things they weren't supposed to. This was only possible while PS/2 ports for keyboards and mice were still commonplace. (There was also that short period where some Apple computers had both ADB and USB ports.)
I like USB-C. It's quite the improvement over what we've had before. I am a bit concerned on how this affects the security of our devices in the future. Controlling things like someone offering a "charger" for a laptop or cell phone to try to sneak into a device can be managed in many ways. Dedicated ports for video, keyboard, mouse, and even Ethernet had inherent security in that they did only so much which prevented certain security issues. Will all these ports go away and be replaced with USB-C?
Again, I really like USB-C as it adds convenience and capability that nothing else offered before. It also adds security issues that a simple list of "dos and don'ts" cannot cover for many less technically knowledgeable people to follow. Securing computers from many kinds of attacks is going to be an increasingly difficult problem unless we get off this mentality of one port to rule them all.
Maybe we'll see some means to better secure USB. Maybe we'll see computer systems that will allow one to disable anything that is not a HID or power device from being recognized on USB in the firmware. Maybe OS developers will provide better granularity on what USB ports are allowed to do.
Maybe we'll get PS/2 ports back again. Probably not. I do think something has to give. If we can't have the inherent security of feature limited ports then we will need some security through better management of the ports that replace them.
I am armed because I am free. I am free because I am armed.
You need to eject or safely remove your penis.
Three of those "hacks" are just devices that emulate keyboards, that's not unique to USB since something that can emulate PS/2 could do the same. The ability to have storage as part of the USB device does add some capability since files can be copied over but if there is internet access then files can be downloaded. Without internet access and sufficient time at the computer a keyboard emulator (PS/2, ADB, whatever) could input executable scripts or even enter and compile code. This is nothing a person could not do with enough time at a computer manually if they simply memorize enough stuff, and no incriminating USB devices for someone to find. All of these attacks require having a password, or finding an unlocked screen.
One "hack" is also not unique to USB as it takes power from the port to charge a capacitor to zap the port with a higher voltage. USB may have more voltage and/or power to draw from making this kind of an attack more effective but even a VGA port or Ethernet port would be vulnerable. Having access to a battery of some sort can do damage too, as could just wiring any computer data port to a 120 VAC wall plug.
One "hack" is described as a "password stealer" and lacks much for a description, and the link it provides is dead. Best I can gather it's just a keylogger, which is not something that is unique to USB.
One "hack" doesn't even plug into USB to work so I'm not even sure why it's on this list. Sure, it's disguised as a USB power brick but it could have been disguised as just about anything that plugs into a wall outlet. It picks up RF from a common USB wireless keyboard, which I guess is another possible connection to being a "USB hack" but then this would apply to any wireless device that could carry sensitive data.
All in all none of this is unique to USB.
That's not discreet. The point is to create a device that emulates a USB keyboard which can be automated to inject commands into the system.
This is not unique to USB, any port that allows the connection of a keyboard (PS/2, ADB, whatever) will allow someone to inject commands into a computer at a speed faster than people can type.
If there is a need to keep it discreet then hide it in something that's common to an office environment, like a hollowed out highlighter or dry erase marker. Why not just hide the device in an actual keyboard? Most keyboards I've seen have a hollowed out back, room enough for plenty of circuitry. Even better if the keyboard brought in is one of those fancy ergonomic types as it gives an excuse to bring in your own keyboard ("Oh, this? It's for my carpal tunnel problem.") and can give even more room than a typical keyboard supplied with a PC. These things can be hidden in a mouse (also makes sense for personal preference and being plugged in), a laser pointer (bonus if it's the kind that recharges from USB), a case for eyeglasses, a calculator (a bonus as it provides some input and output if all the electronics are replaced), put it in a pill bottle (bonus as medications have social norms and legal protections against being messed with), and so on.
If someone is discovered at a computer they are not supposed to be using, and the screen has windows popping open and text being blasted into them, then there is nothing "discreet" about hiding the device as a flash drive. If the device needs to be left at the computer so the payload can be delivered later then hide the thing as just about any USB device, such as a mouse, keyboard, hub, or DVD drive. A flash drive left in a computer might lead someone to take it out and try to find the owner that forgot it. A hub or mouse plugged in will likely be left alone.
I don't know why you got modded as flamebait because this is spot on. There are other mitigations to reduce the USB risk which are appropriate in most cases as it's not usually feasible to block the ports but some risk remains. Ultimately most environments need USB keyboards & mice so if your badUSB device emulates an HP or IBM keyboard then it's likely to get through any USB device control in place.
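The policy sketched in this thread (block the whole USB chain except keyboard/mouse, and the earlier suggestion of only accepting keyboards present at startup) can be expressed as an interface-class allow-list. The Python below is an added example, not code from the thread, from USBGuard or from the kernel; it models the decision the kernel's per-device `authorized` sysfs attribute lets an administrator act on. The `:ccsspp:` interface-triple format is the one udev exports as `ID_USB_INTERFACES`; the device table is constructed. It also makes the gap stated above concrete: a device that presents nothing but a keyboard interface is, by class, a keyboard, so class filtering alone cannot tell the emulator from the real thing.

```python
"""Interface-class allow-list for USB devices (added example, constructed data).

Decisions:
  reject - HID combined with a non-HID, non-hub function (the storage-plus-
           keyboard shape); never to be authorized.
  block  - anything that is not a hub or a HID keyboard/mouse, and any
           keyboard/mouse that appears after boot; stays unauthorized
           until an admin flips the sysfs 'authorized' bit by hand.
  allow  - hubs, and HID keyboard/mouse devices enumerated at boot.
"""
from dataclasses import dataclass

HID = 0x03
HUB = 0x09
SYSFS = "/sys/bus/usb/devices"  # real kernel path; no writes are performed here


@dataclass(frozen=True)
class Interface:
    cls: int
    sub: int
    proto: int


def parse_interfaces(spec: str) -> tuple:
    """Parse udev's ':030101:080650:' form into Interface triples (hex bytes)."""
    out = []
    for part in spec.strip(":").split(":"):
        if not part:
            continue
        if len(part) != 6:
            raise ValueError(f"bad interface triple {part!r}")
        out.append(Interface(int(part[0:2], 16), int(part[2:4], 16), int(part[4:6], 16)))
    return tuple(out)


def is_keyboard_or_mouse(iface: Interface) -> bool:
    # HID class, boot-interface subclass, protocol 1 = keyboard, 2 = mouse
    return iface.cls == HID and iface.sub == 0x01 and iface.proto in (1, 2)


def decide(spec: str, at_boot: bool = False) -> str:
    """Return 'allow', 'block' or 'reject' for one device's interface set."""
    ifaces = parse_interfaces(spec)
    if not ifaces:
        return "block"
    classes = {i.cls for i in ifaces}
    # HID plus any other function class (storage, network, serial...) is the
    # composite shape to refuse outright.
    if HID in classes and classes - {HID, HUB}:
        return "reject"
    if classes == {HUB}:
        return "allow"
    # HID-only devices that include a boot keyboard/mouse: fine at boot,
    # held for manual authorization afterwards. A keyboard-only emulator
    # lands here too; by class it is indistinguishable from a keyboard.
    if classes == {HID} and any(is_keyboard_or_mouse(i) for i in ifaces):
        return "allow" if at_boot else "block"
    return "block"


def sysfs_action(busid: str, decision: str):
    """Map a decision onto the kernel's per-device 'authorized' attribute.

    Assumes authorized_default was set to 0 on the root hubs, so newly
    plugged devices start deauthorized; only 'allow' needs a write.
    """
    if decision == "allow":
        return (f"{SYSFS}/{busid}/authorized", "1")
    return None


# Constructed sample inventory (bus id -> ID_USB_INTERFACES), not real hardware.
SAMPLE_DEVICES = {
    "1-1":   ":090000:",          # hub
    "1-1.2": ":030101:030000:",   # keyboard with an extra HID report interface
    "1-1.3": ":080650:",          # mass storage (SCSI transparent, bulk-only)
    "1-1.4": ":080650:030101:",   # storage that also claims to be a keyboard
    "1-1.5": ":030101:",          # keyboard-only device: emulator or real, same class
}


def audit(devices: dict, at_boot: bool = False) -> dict:
    """Decide every device in an inventory."""
    return {busid: decide(spec, at_boot) for busid, spec in devices.items()}


if __name__ == "__main__":
    for busid, d in audit(SAMPLE_DEVICES, at_boot=True).items():
        print(f"{busid:6} {d:7} {sysfs_action(busid, d)}")
```

Run with no arguments to see the boot-time decisions for the sample table; call `audit(SAMPLE_DEVICES)` (default `at_boot=False`) to see how the same keyboards are held for manual authorization once the system is up, which is the "keyboards only detected on startup" rule from the thread.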
There are lots of environments where the biggest threat comes from the people who have physical access.
Nope, he isn't.
CLI paste? paste.pr0.tips!
It's also a mouse/keyboard emulator in the background, but the user doesn't easily notice that.
That's just crazy talk. People will notice their mouse pointer moving and things getting typed.
Meanwhile plugging in a foreign PS/2 device has never been a thing, so it would be a rather weird and suspicious thing to do.
People have been plugging in crazy and "suspicious" things all the time. A PS/2 keylogger would be only a short cable with a "ferrite choke" in the middle (which actually contained the electronics) and installed as a "noise filter". In reality it transmitted every keystroke to anyone with the right kind of receiver. The fancier ones had two-way action. A storage device, from floppies to CD-Rs to Zip cartridges, could be left lying around waiting to install software keyloggers, network diversion scripts, or whatever.
Nothing's changed really. Computers got smaller, cheaper, faster, that's all. This made the population of people that could afford these attack devices larger, as well as the population of victims. USB getting adopted widely on MacOS, Windows, and Linux means a single device can attack them all.
They are not hiding the device as a flash drive, the device *is* a flash drive. It works exactly as expected when you plug it in. It's also a mouse/keyboard emulator in the background, but the user doesn't easily notice that.
People will have something that *IS* what it claims to be, but also grab data as it goes by. This might be a large old-looking modem that was hollowed out and the insides replaced with a newer modem and a device to store everything that comes and goes. An enterprise-level switch or router could be compromised to divert certain kinds of traffic. Those with more money could buy a PCMCIA card with a programmable FPGA in it that could emulate flash storage while also giving access to the computer bus to do just about anything they could think of and fit on that card. A FireWire "hard drive" could actually be a fully functional computer; plug that in and someone could have access to the main computer memory.
It all depended on the amount of effort someone was willing to put into the attack. Simple ones were pretty basic viruses people could construct using scripts. Put it on a floppy disk and drop it in a hallway. CD-Rs, when they came out made this easier as it enabled hidden tracks, boot files, drivers, and just more space for a payload, as well as being more durable so as to survive being dropped where someone might just as easily step on it as pick it up, or be left in the rain for a bit. Keyloggers and traffic sniffers cost some money. The real pricey stuff, like the FPGA in a PCMCIA card, or a computer in an external drive case, were very expensive. These were custom or semi-custom devices.
Nothing new here. Even the driver security stuff isn't new. Malware drivers were seemingly always a thing, as were security holes in the drivers included in the OS. It's been long enough now that a lot of specifics escape me.
With a dongle: http://hexus.net/tech/news/per...
With some Linux 'firewalls': USBGuard, https://github.com/dkopecek/us... , USBauth, https://github.com/kochstefan/...
Nice paper on LWN, that's still paywalled this week but will become free after 8 days as usual: https://lwn.net/Articles/73830...
HTH,
Hervé
BTW: anyone in region 06 in France wishing to share shipping costs for the dongle?
Herve S.
One solution to that problem is to completely (first to last sector) overwrite the disk with random data, then create a partition table and a legitimate filesystem on top of that, add some legitimate files, map the sectors that constitute the free space of that filesystem to a logically contiguous block device, create a crypto container on top of that, create a filesystem on top of that, mount, enjoy.
A stack of hard disks sitting next to my computer and containing a total of around 8 TB actual pseudorandom data beg to differ. Also every hard drive that was bought used and sold by someone with a little knowledge.