Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 8 Aug 2014 19:00:00 +0400
Subject: Re: BadUSB discussion

On 08-Aug-2014 14:20:21 +0300, Dan Carpenter wrote:

 > I'm surprised we haven't had any discussion about the recent
 > BadUSB articles.

No real reason - everything is trivial. Making custom USB device
is cheap (<= 2 USD for ATtiny85, several discrete elements and
PCB) and fast (2 hours in home environment).

PoC: [800x320 53.3k]

That's real device (hardware RNG for my Linux servers that heavily
depend on it while performing some of their functions); the green
blob covers its' analog part which isn't related to this discussion.

 > We could put a popup


 > if there is a second keyboard attached

How would you distinguish between two devices at the boot time
when each claims it is a keyboard?

 > to check that the person controlling the existing keyboard is
 > aware of the second one.

Laptop has trouble with its' internal keyboard. You plug the
external one and... yes, stay unable to use it.

 > The attack looks like someone who says, "Can you copy some
 > files from my USB flash drive which?" (not knowing it is
 > infected) and then there is a popup, "This newly inserted
 > USB device is trying to type commands, is that ok? y/N?".

I can promote this idea further: kill the plug-and-play support.

That means, every device after being detected by the system must
be explicitly activated by some human activity. Yes, users may
and, most likely, will be fooled to do that (as they are fooled
to connect the attacker's device), but this activation will at
least make the use of untrusted devices more difficult.

Alexey V. Vissarionov aka Gremlin from Kremlin <gremlin ПРИ gremlin ТЧК ru>
GPG: 8832FE9FA791F7968AC96E4E909DAC45EF3B1FA8 @ hkp://

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.