[sf-lug] USB has critical vulnerability.

GMail mmdmurphy at gmail.com
Sun Aug 10 19:26:56 PDT 2014


Isn't this (sort of) an extension of the USB Rubber Ducky that you can get from Hak5.org??

Sent from Dan.

> On Aug 9, 2014, at 9:25, Jeff Bragg <jackofnotrades at gmail.com> wrote:
> 
> My understanding is that the newsflash is about vulnerability of the firmware, and thus infection/compromise being undetectable by the usual assortment of precautionary interventions such as virus scanners.  Not necessarily news to folks who know some details about how these devices work and interact with an OS, but not something I think average users, even fairly savvy ones, expected to have to worry about.
> 
> 
>> On Sat, Aug 9, 2014 at 9:06 AM, Akkana Peck <akkana at shallowsky.com> wrote:
>> Bobbie Sellers writes:
>> >     <http://www.bbc.com/news/technology-28701124>
>> >
>> >     Hope we will get informed comment on the story and its
>> > applicability to GNU/Linux.
>> 
>> I've seen this in a couple of places and I can't see where the news
>> flash is.  You can make a USB device that looks like a usb-storage
>> stick but actually acts like a keyboard? Well, sure, remote
>> presenters ("slide clickers") have been doing that for a decade.
>> I don't understand how that's a problem with the USB protocol,
>> or a new security alert.
>> 
>> Figuring out how a malicious USB keyboard device could reliably
>> compromise a Linux system is a bit harder. Using only the keyboard,
>> and not knowing where the focus is or what distro or window manager
>> is running, you have to:
>> - bring up a terminal window, or some other way to type shell commands;
>> - type evil commands (probably beginning with sudo and hoping that it
>>   doesn't prompt for a password);
>> - do this without the user noticing that a new terminal has popped
>>   up, focus has shifted there and commands are being typed in it.
>> 
>> Yes, it could be done, and it would work on a few systems, but it
>> doesn't seem like a very general attack vector.
>> 
>> Rick Moen writes:
>> > I can't help noticing that many Linux users these days are wildly
>> > enthusiastic for hotplug functionality.  I'm not, especially concerning
>> > USB devices, part of the reason being lack of trust for reasons along
>> > the lines the article outlines.
>> 
>> It would be great if Linux had a sensible alternative to auto-
>> recognizing hotplugged devices, like it does for storage devices.
>> 
>> For instance, when I plug in a USB stick or SD card, my system
>> isn't set up to automatically mount it. If I want to mount it,
>> I type a command like "mount /mnt/sdcard", using an /etc/fstab entry
>> I've previously set up. If I hadn't set up the fstab entry, I could
>> still type something like "sudo mount /dev/sdb1 /mnt".
>> 
>> When I plug in a keyboard device (say, my slide presenter), there's
>> no such option. If I turn off the udev rules that automatically
>> recognize a new keyboard device, there's no easy way to tell udev
>> "This device is okay, go ahead and recognize it." I'm doomed to
>> spend an hour or more fiddling with udev rules and rebooting to get
>> udev to recognize my new rule.
>> 
>>         ...Akkana
>> 
>> _______________________________________________
>> sf-lug mailing list
>> sf-lug at linuxmafia.com
>> http://linuxmafia.com/mailman/listinfo/sf-lug
>> Information about SF-LUG is at http://www.sf-lug.org/
> 
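Akkana's complaint above is that a hotplugged keyboard is recognised the moment it is plugged in, with no "mount"-style step where the user says "this one is okay". Linux does have such a switch, just not wired up by default: each USB host controller exposes an authorized_default flag in sysfs, and each device has an authorized flag; a device that stays unauthorized is not enumerated or handed to a driver, so a reprogrammed stick cannot start typing. The script below is an added example written for this page, not code from anyone on the thread. It sets every host controller to deny-by-default, keeps a whitelist of vendor:product IDs (the IDs and the whitelist are constructed placeholders; read your real ones from lsusb output), and generates a udev rule that authorizes exactly those devices, so the hour of fiddling Akkana describes becomes one line per device. Requires root to actually write to /sys and /etc/udev.

```shell
#!/bin/sh
# Added example for the sf-lug thread, not part of anyone's message.
# Deny new USB devices by default and authorize only a whitelist, using the
# kernel's authorized/authorized_default sysfs switches plus a udev rule.

# Constructed whitelist of "vendor:product" pairs. These IDs are placeholders,
# not the real IDs of any presenter or keyboard on the list: run lsusb and
# copy the "ID xxxx:yyyy" field for the devices you trust.
USB_WHITELIST="046d:c52b 04d9:1603"

# usb_whitelisted VID PID -> prints "yes" if the pair is on the whitelist, else "no".
usb_whitelisted() {
    for entry in $USB_WHITELIST; do
        if [ "$entry" = "$1:$2" ]; then
            echo yes
            return 0
        fi
    done
    echo no
    return 0
}

# udev_rule_for VID PID -> one udev rule that flips the kernel's per-device
# "authorized" switch on for this exact vendor/product when it is plugged in.
udev_rule_for() {
    printf 'ACTION=="add", SUBSYSTEM=="usb", ATTR{idVendor}=="%s", ATTR{idProduct}=="%s", ATTR{authorized}="1"\n' "$1" "$2"
}

# generate_rules -> the complete rules file for the whitelist, on stdout.
generate_rules() {
    echo '# Authorize only whitelisted USB devices; everything else stays unauthorized.'
    for entry in $USB_WHITELIST; do
        vid=${entry%%:*}
        pid=${entry##*:}
        udev_rule_for "$vid" "$pid"
    done
}

# lockdown_default -> tell every USB host controller to leave newly plugged
# devices unauthorized until a rule authorizes them. Devices already plugged in
# keep their current state. Only touches attributes that exist and are writable
# (i.e. when run as root on Linux); prints how many controllers were changed.
lockdown_default() {
    changed=0
    for f in /sys/bus/usb/devices/usb*/authorized_default; do
        [ -w "$f" ] || continue
        echo 0 > "$f" && changed=$((changed + 1))
    done
    echo "$changed"
}

# install_rules [FILE] -> write the generated rules and make udev reload them.
install_rules() {
    target=${1:-/etc/udev/rules.d/90-usb-whitelist.rules}
    generate_rules > "$target" && udevadm control --reload-rules
}

# Typical use, as root:
#   lockdown_default && install_rules
# To let in a new device once, without editing the whitelist:
#   echo 1 > /sys/bus/usb/devices/<bus-port>/authorized
```

Two caveats a practitioner should keep in mind. First, authorized_default=0 applies to the keyboard you type on as well, so put your real keyboard on the whitelist before locking down, or you will be typing the "authorized" line blind. Second, idVendor and idProduct are simply what the device reports about itself; firmware that has been reprogrammed to act as a keyboard can report whatever IDs it likes, so this whitelist stops opportunistic and off-the-shelf devices and gives you the explicit "okay, recognize it" step Akkana wanted, but it does not authenticate a device.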