Date: Fri, 08 Aug 2014 10:05:11 -0400 From: Daniel Kahn Gillmor <dkg@...thhorseman.net> To: oss-security@...ts.openwall.com Subject: Re: BadUSB discussion On 08/08/2014 10:00 AM, Greg KH wrote: > On Fri, Aug 08, 2014 at 09:56:34AM -0400, Daniel Kahn Gillmor wrote: >> >> For example, you could register keyboards by serial number with the >> system, > > Most USB keyboards in the system do not have a unique serial number. > Heck, most USB devices in the system do not have a unique serial number, > the only USB device that is required to do so is a USB printer, > everything else is free to not have one at all, or have the same serial > number for all devices made of that type. > > Never treat a USB serial number as "unique", except for a USB printer, > sorry. ugh, that's a shame. are there any other characteristics we could use to gin up a phony serial number for this kind of use? Even making an allowlist by model number would raise the bar a little bit for a generic attacker. Though i suppose you could create a device that claims to be 400 different keyboards at once -- or in a rapid hotplug succession until it finds the common model that you've already allowed :( ugh, --dkg [ CONTENT OF TYPE application/pgp-signature SKIPPED ]
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ