Date: Fri, 8 Aug 2014 09:49:18 -0700
From: Greg KH <greg@...ah.com>
To: oss-security@...ts.openwall.com
Subject: Re: BadUSB discussion

On Fri, Aug 08, 2014 at 09:23:21AM -0700, Dean Pierce wrote:
> Being able to "infect" a USB device (allowing unsigned firmware to be
> flashed on) is bad.

"bad"?  Why is that?  Loads of devices work this way, a whole class of
USB controller chips work exactly in this manner, they require the
firmware to be downloaded to the device from the host operating system
before they work at all.  They are really common and cheap and used all
over the place and have been on the market since the early 1990's.

> Being able to "infect" a host controller is bad.

And is something that I have never seen anyone say is possible, have
you?  If so, details would be great to have.

> Using a USB device to get DMA, memory dumps, files, etc via loaded drivers
> is bad, whether they are using legitimate code paths or kernel bugs.

How can a USB device get any of those things without the Host operating
system giving them to the device?

> I'm not so worried about the keyboard thing.  That's only interesting
> because it's the automation of exploiting a machine that has already been
> compromised.
> 
> Personally I would prefer disabling USB hotplug while a machine is locked
> (or while there are no active TTYs or something for servers).  Even if HID
> was whitelisted while the machine is locked, it would be a great start.

Then do just that, Linux has allowed you to do this for years, again,
but very few people take advantage of it.

> In regards to the PCI stuff, don't miss Joe's talk at DEFCON on Sunday.
> 
> https://www.defcon.org/html/defcon-22/dc-22-speakers.html#FitzPatrick
> 
> People have much more exposed PCI on their laptops and servers than they
> realize.  It's super cheap, super easy, and when we start selling kits this
> afternoon, it's going to be super accessible.

express card and thunderbolt are pcie, it's fun to play with, glad to
see some "kits" to make it more accessible.

> VTd/IOMMU would be nice to have if implemented properly, but it seems like
> even OSX, the only OS currently using VTd as a security feature, still
> hasn't gotten it quite right.

What exactly do you mean by "get it right"?

> Also firewire attacks are still a thing.  What's up with that?

The hardware is designed to do this, the host operating system can't do
much about bad hardware, sorry.

> ExpressCard and Thunderbolt adapters are super cheap, and Inception is
> still being actively maintained with new targets being added
> regularly.

It makes it easy to back up laptops :)

thanks,

greg k-h
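
The reply above says Linux already lets you refuse new USB devices while a machine is locked, but it does not name the mechanism. The sketch below is an added example, not part of the original message; it assumes the mechanism is the kernel's USB authorization interface in sysfs (`authorized_default` per host controller, `authorized` per device), and the function names and lock/unlock hooks are hypothetical.

```shell
#!/bin/sh
# Added illustration; not from the original message.
# Assumption: usb_on_lock / usb_on_unlock are called as root by your own
# screen-locker integration (hypothetical hook names).
SYSFS_USB="${SYSFS_USB:-/sys/bus/usb/devices}"

# Set the default authorization for devices plugged in from now on.
# 0 = new devices are enumerated but left unconfigured (no driver binds),
# 1 = new devices are authorized automatically.
usb_set_default() {
    value="$1"
    case "$value" in
        0|1) ;;
        *) echo "value must be 0 or 1" >&2; return 2 ;;
    esac
    rc=0
    for f in "$SYSFS_USB"/usb*/authorized_default; do
        [ -e "$f" ] || continue          # glob matched nothing
        echo "$value" > "$f" || rc=1     # keep going, report failure at the end
    done
    return "$rc"
}

# Print "<sysfs name> <idVendor>:<idProduct>" for every device that is
# present but not authorized, so an admin can review what was plugged in.
usb_list_unauthorized() {
    for d in "$SYSFS_USB"/*; do
        [ -f "$d/idVendor" ] || continue     # skip interface entries
        [ -f "$d/authorized" ] || continue
        [ "$(cat "$d/authorized")" = "0" ] || continue
        printf '%s %s:%s\n' "${d##*/}" \
            "$(cat "$d/idVendor")" "$(cat "$d/idProduct" 2>/dev/null)"
    done
}

usb_on_lock()   { usb_set_default 0; }
usb_on_unlock() { usb_set_default 1; }
```

Changing `authorized_default` only affects devices connected afterwards; devices that were already attached keep their current `authorized` state.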
