Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Fri, 8 Aug 2014 19:00:00 +0400
From: gremlin@...mlin.ru
To: oss-security@...ts.openwall.com
Subject: Re: BadUSB discussion

On 08-Aug-2014 14:20:21 +0300, Dan Carpenter wrote:

 > I'm surprised we haven't had any discussion about the recent
 > BadUSB articles.

No real reason - everything is trivial. Making custom USB device
is cheap (<= 2 USD for ATtiny85, several discrete elements and
PCB) and fast (2 hours in home environment).

PoC: http://pics.rsh.ru/img/usb_device_ne6amlw7.jpg [800x320 53.3k]

That's real device (hardware RNG for my Linux servers that heavily
depend on it while performing some of their functions); the green
blob covers its' analog part which isn't related to this discussion.

 > We could put a popup

Where?

 > if there is a second keyboard attached

How would you distinguish between two devices at the boot time
when each claims it is a keyboard?

 > to check that the person controlling the existing keyboard is
 > aware of the second one.

Laptop has trouble with its' internal keyboard. You plug the
external one and... yes, stay unable to use it.

 > The attack looks like someone who says, "Can you copy some
 > files from my USB flash drive which?" (not knowing it is
 > infected) and then there is a popup, "This newly inserted
 > USB device is trying to type commands, is that ok? y/N?".

I can promote this idea further: kill the plug-and-play support.

That means, every device after being detected by the system must
be explicitly activated by some human activity. Yes, users may
and, most likely, will be fooled to do that (as they are fooled
to connect the attacker's device), but this activation will at
least make the use of untrusted devices more difficult.


-- 
Alexey V. Vissarionov aka Gremlin from Kremlin <gremlin ПРИ gremlin ТЧК ru>
GPG: 8832FE9FA791F7968AC96E4E909DAC45EF3B1FA8 @ hkp://keys.gnupg.net

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.