Date: Fri, 08 Aug 2014 09:21:19 -0700
From: lazytyped <lazytyped@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: BadUSB discussion

On 08/08/2014 09:17, Greg KH wrote:
> There is a USB firmware download spec, which is quite easy to use, if
> manufacturers actually followed it (side note, I was one of the authors
> of that spec...)  And if USB device manufacturers actually required
> signed firmware to run in their devices, that would solve this issue
> instantly as long as the signing keys don't leak.

Or, for cheap devices like USB dongles, just keep the firmware
read-only. Who's going to update it anyway?

But yes, either the update should be signed and verified, or
hardware-switch controlled or impossible to begin with (read-only). Not
only for USB devices.


      -  twiz
