[sf-lug] USB has critical vulnerability.

Rick Moen rick at linuxmafia.com
Fri Aug 8 19:56:33 PDT 2014


Quoting Bobbie Sellers (bliss-sf4ever at dslextreme.com):

>     Story at URL below.
> 
>     <http://www.bbc.com/news/technology-28701124>
> 
>     Hope we will get informed comment on the story and its
> applicability to GNU/Linux.

   Malicious code implanted on the stick tricked the machine into
   thinking a keyboard had been plugged in.  After just a few moments,
   the "keyboard" began typing in commands - and instructed the 
   computer to download a malicious program from the internet. [...]

USB support circuitry on motherboards (the 'USB host controller')
recognises USB keyboards as Human Interface Devices of Usage ID 06
(Keyboard).  In Linux, there's a low-level driver for the host
controller, which receives from the hardware low-level
manufacturer-specified information about what the device is (which the
article points out may be a lie).  The low-level driver translates that
information into higher-level USB protocol-specific information, which
is propagated into the USB core layer driver 'usbcore' in Linux
kernelspace.  

What happens after that depends on your system.  Some distros do USB
'hotplug' (which, these days, I believe invokes udev rules), others
don't.  (http://linux-hotplug.sourceforge.net/) Also, the usbcore driver
has some built-in functions to be able to probe or disconnect devices
recommended to it at lower levels.

I can't help noticing that many Linux users these days are wildly
enthusiastic for hotplug functionality.  I'm not, especially concerning
USB devices, part of the reason being lack of trust for reasons along
the lines the article outlines.

As to whether $YOUR_MOMS_LINUX can be easily tricked by deceptive USB
hardware, I'll not be bold enough to predict that.  Instead, motivated
people ought to check.  (I'm not volunteering, but agree that it's a
significant threat worth looking into.)

Preventing misbehaviour might be best done using udev rules, as
shown here:
http://www.irongeek.com/i.php?page=security/plug-and-prey-malicious-usb-devices#3.2_Locking_down_Linux_using_UDEV

Personally, I would really like to have NO devices ever autorecognised
as anything without my being told exactly what is about to be activated
in what capacity, is this ok (y/N)?
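One concrete shape of the udev lockdown linked above and the "tell me before you activate it" policy wanted here, as an added example (not code from this post, the irongeek page, or any distro): a RUN helper that refuses a newly plugged interface announcing itself as a boot-protocol keyboard unless its vendor:product pair is on a fixed allow-list. The rule file path, script path and the allow-listed IDs are placeholders.

```shell
#!/bin/sh
# usb-hid-gate.sh: udev RUN helper (added example, not code from the post).
# Assumed rule file /etc/udev/rules.d/99-usb-hid-gate.rules (hypothetical):
#   ACTION=="add", SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_interface", \
#     ATTR{bInterfaceClass}=="03", RUN+="/usr/local/sbin/usb-hid-gate.sh"
# Policy: an interface that announces itself as a boot keyboard is refused
# (parent device de-authorised) unless its vendor:product is allow-listed.

# Allow-list of vendor:product IDs (constructed placeholders, not real devices).
ALLOWED_KEYBOARDS="1234:0001 1234:0002"

# classify_hid CLASS SUBCLASS PROTOCOL -> keyboard | mouse | hid-other | not-hid
classify_hid() {
    [ "$1" = "03" ] || { echo not-hid; return 0; }   # 0x03 = HID class
    # Boot-interface subclass 01: protocol 01 = keyboard, 02 = mouse.
    if [ "$2" = "01" ] && [ "$3" = "01" ]; then echo keyboard
    elif [ "$2" = "01" ] && [ "$3" = "02" ]; then echo mouse
    else echo hid-other
    fi
}

# decide VENDOR PRODUCT CLASS SUBCLASS PROTOCOL -> allow | deny
decide() {
    kind=$(classify_hid "$3" "$4" "$5")
    [ "$kind" = keyboard ] || { echo allow; return 0; }
    for id in $ALLOWED_KEYBOARDS; do
        [ "$id" = "$1:$2" ] && { echo allow; return 0; }
    done
    echo deny
}

# udev entry point: DEVPATH is the interface node; its parent is the USB
# device whose 'authorized' attribute controls whether drivers bind to it.
if [ -n "$DEVPATH" ] && [ -d "/sys$DEVPATH" ]; then
    iface="/sys$DEVPATH"; dev="$iface/.."
    vid=$(cat "$dev/idVendor"); pid=$(cat "$dev/idProduct")
    cls=$(cat "$iface/bInterfaceClass")
    sub=$(cat "$iface/bInterfaceSubClass")
    prot=$(cat "$iface/bInterfaceProtocol")
    if [ "$(decide "$vid" "$pid" "$cls" "$sub" "$prot")" = deny ]; then
        logger -t usb-hid-gate "refusing unlisted keyboard $vid:$pid at $DEVPATH"
        echo 0 > "$dev/authorized"
    fi
fi
```

Because `authorized` is a per-device attribute, a stick that presents storage plus a surprise keyboard interface is cut off as a whole, which is the intended effect; the allow-list is only as good as the IDs on it, since those are exactly what a lying device can copy.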

There's some discussion here, but so far nothing useful that I can see:
http://lwn.net/Articles/607305/
