Date: Fri, 08 Aug 2014 10:05:11 -0400
From: Daniel Kahn Gillmor <dkg@...thhorseman.net>
To: oss-security@...ts.openwall.com
Subject: Re: BadUSB discussion

On 08/08/2014 10:00 AM, Greg KH wrote:
> On Fri, Aug 08, 2014 at 09:56:34AM -0400, Daniel Kahn Gillmor wrote:
>>
>> For example, you could register keyboards by serial number with the
>> system,
> 
> Most USB keyboards in the system do not have a unique serial number.
> Heck, most USB devices in the system do not have a unique serial number,
> the only USB device that is required to do so is a USB printer,
> everything else is free to not have one at all, or have the same serial
> number for all devices made of that type.
> 
> Never treat a USB serial number as "unique", except for a USB printer,
> sorry.

ugh, that's a shame.  are there any other characteristics we could use
to gin up a phony serial number for this kind of use?  Even making an
allowlist by model number would raise the bar a little bit for a generic
attacker.

Though i suppose you could create a device that claims to be 400
different keyboards at once -- or in a rapid hotplug succession until it
finds the common model that you've already allowed :(

ugh,

	--dkg
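
A defender-side sketch of the last point in the message above, added here as an example and not part of the original e-mail: it scans kernel log lines for a single USB port that presents several different vendor:product identities within a short window, which is what a device cycling through models in rapid hotplug succession would look like. The log lines and IDs are constructed, and the function name, window and threshold are assumptions.

```python
import re
from collections import defaultdict, deque

# Kernel enumeration line as printed by the Linux USB core, e.g.
# "[  200.100000] usb 1-2: New USB device found, idVendor=2222, idProduct=0001"
ENUM_RE = re.compile(
    r"\[\s*(?P<ts>\d+\.\d+)\]\s+usb (?P<port>[\d.-]+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})")

# Constructed sample log (IDs are made up, not real products).
SAMPLE_LOG = """\
[  100.000000] usb 1-1: New USB device found, idVendor=1111, idProduct=0001
[  160.000000] usb 1-1: New USB device found, idVendor=1111, idProduct=0001
[  200.100000] usb 1-2: New USB device found, idVendor=2222, idProduct=0001
[  201.200000] usb 1-2: New USB device found, idVendor=2222, idProduct=0002
[  202.300000] usb 1-2: New USB device found, idVendor=3333, idProduct=0001
[  203.400000] usb 1-2: New USB device found, idVendor=3333, idProduct=0002
[  300.000000] usb 3-4: New USB device found, idVendor=4444, idProduct=0001
[  900.000000] usb 3-4: New USB device found, idVendor=5555, idProduct=0001
""".splitlines()

def find_identity_cycling(lines, window=10.0, max_ids=2):
    """Return {port: sorted ids} for every port that showed more than
    max_ids distinct vendor:product pairs within `window` seconds."""
    recent = defaultdict(deque)   # port -> (timestamp, "vid:pid") in window
    flagged = {}
    for line in lines:
        m = ENUM_RE.search(line)
        if not m:
            continue              # not an enumeration message
        ts, port = float(m["ts"]), m["port"]
        q = recent[port]
        q.append((ts, f'{m["vid"]}:{m["pid"]}'))
        while ts - q[0][0] > window:      # drop events older than the window
            q.popleft()
        ids = {ident for _, ident in q}
        if len(ids) > max_ids:            # same port, many identities
            flagged.setdefault(port, set()).update(ids)
    return {port: sorted(ids) for port, ids in flagged.items()}

if __name__ == "__main__":
    # Port 1-2 changes identity four times in about three seconds.
    print(find_identity_cycling(SAMPLE_LOG))
```

A replug of the same model (port 1-1) and two different devices minutes apart on one port (port 3-4) are not flagged; only the port that changes identity repeatedly inside the window is.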

