Date: Fri, 8 Aug 2014 19:00:00 +0400 From: gremlin@...mlin.ru To: oss-security@...ts.openwall.com Subject: Re: BadUSB discussion On 08-Aug-2014 14:20:21 +0300, Dan Carpenter wrote: > I'm surprised we haven't had any discussion about the recent > BadUSB articles. No real reason - everything is trivial. Making custom USB device is cheap (<= 2 USD for ATtiny85, several discrete elements and PCB) and fast (2 hours in home environment). PoC: http://pics.rsh.ru/img/usb_device_ne6amlw7.jpg [800x320 53.3k] That's real device (hardware RNG for my Linux servers that heavily depend on it while performing some of their functions); the green blob covers its' analog part which isn't related to this discussion. > We could put a popup Where? > if there is a second keyboard attached How would you distinguish between two devices at the boot time when each claims it is a keyboard? > to check that the person controlling the existing keyboard is > aware of the second one. Laptop has trouble with its' internal keyboard. You plug the external one and... yes, stay unable to use it. > The attack looks like someone who says, "Can you copy some > files from my USB flash drive which?" (not knowing it is > infected) and then there is a popup, "This newly inserted > USB device is trying to type commands, is that ok? y/N?". I can promote this idea further: kill the plug-and-play support. That means, every device after being detected by the system must be explicitly activated by some human activity. Yes, users may and, most likely, will be fooled to do that (as they are fooled to connect the attacker's device), but this activation will at least make the use of untrusted devices more difficult. -- Alexey V. Vissarionov aka Gremlin from Kremlin <gremlin ПРИ gremlin ТЧК ru> GPG: 8832FE9FA791F7968AC96E4E909DAC45EF3B1FA8 @ hkp://keys.gnupg.net
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.