[sf-lug] USB has critical vunerability.

Akkana Peck akkana at shallowsky.com
Sat Aug 9 09:06:10 PDT 2014 

Bobbie Sellers writes:
>     <http://www.bbc.com/news/technology-28701124>
> 
>     Hope we will get informed comment on the story and its
> applicability to GNU/Linux.

I've seen this in a couple of places and I can't see where the news
flash is.  You can make a USB device that looks like a usb-storage
stick but actually acts like a keyboard? Well, sure, remote
presenters ("slide clickers") have been doing that for a decade.
I don't understand how that's a problem with the USB protocol,
or a new security alert.

Figuring out how a malicious USB keyboard device could reliably
compromise a Linux system is a bit harder. Using only the keyboard,
and not knowing where the focus is or what distro or window manager
is running, you have to:
- bring up a terminal window, or some other way to type shell commands;
- type evil commands (probably beginning with sudo and hoping that it
  doesn't prompt for a password);
- do this without the user noticing that a new terminal has popped
  up, focus has shifted there and commands are being typed in it.

Yes, it could be done, and it would work on a few systems, but it
doesn't seem like a very general attack vector.

Rick Moen writes:
> I can't help noticing that many Linux users these days are wildly
> enthusiastic for hotplug functionality.  I'm not, especially concerning
> USB devices, part of the reason being lack of trust for reasons along
> the lines the article outlines.

It would be great if Linux had a sensible alternative to auto-
recognizing hotplugged devices, like it does for storage devices.

For instance, when I plug in a USB stick or SD card, my system
isn't set up to automatically mount it. If I want to mount it,
I type a command like "mount /mnt/sdcard", using an /etc/fstab entry
I've previously set up. If I hadn't set up the fstab entry, I could
still type something like "sudo mount /dev/sdb1 /mnt".

When I plug in a keyboard device (say, my slide presenter), there's
no such option. If I turn off the udev rules that automatically
recognize a new keyboard device, there's no easy way to tell udev
"This device is okay, go ahead and recognize it." I'm doomed to
spend an hour or more fiddling with udev rules and rebooting to get
udev to recognize my new rule.

        ...Akkana

More information about the sf-lug mailing list