How serious is this? Could it be used to achieve some cool and unusual functionality at unexpected places?

---------- Forwarded message ----------
From: Thad Floryan
Subject: [linux] Interesting USB attack vector discovered -- revert to PS/2 keyboards/mice

http://www.extremetech.com/computing/187279-undetectable-indefensible-security-flaw-found-in-usb-its-time-to-get-your-ps2-keyboard-out-of-the-cupboard

which begins:

Security researchers have found a fundamental flaw that could affect billions of USB devices. This flaw is so serious that, now that it has been revealed, you probably shouldn't plug a USB device into your computer ever again. There are no known effective defenses against this variety of USB attack, though in the future (months or years, not days) some limited defenses might be possible. This vulnerability, which allows any USB device to take over your computer, mostly exists due to the USB Implementers Forum (the USB standards body) eschewing security in favor of maximizing the versatility, and thus the massively successful adoption, of USB. The USB IF itself notes that your only defense against this new attack vector is to only use USB devices that you 100% trust -- but even then, as we'll outline below, this won't always protect you.

This flaw, dubbed BadUSB by Security Research Labs in Berlin, leverages the fact that every USB device has a controller chip. Whether it's your PC, smartphone, external hard drive, or an audio breakout box, there's a USB controller chip in every device that controls the USB connection to other devices. It turns out, according to SR Labs, that these controllers have firmware that can be reprogrammed to do a whole host of malicious things -- and, perhaps most importantly, this reprogramming is almost impossible to detect.

This vulnerability mostly stems from the fact that USB, by design, is incredibly versatile. USB can be used to connect just about any kind of peripheral to a host machine -- an ability that is only possible because of USB classes and class drivers. Basically, every USB device under the sun has a class -- a classification that defines the device's function. Some common classes are human-interface devices (HIDs; keyboards, mice), wireless controller (Bluetooth dongles), and mass storage (thumb drives, digital cameras). On the host (your PC, your smartphone) there are class drivers that manage the functions of that particular class of devices. This is why you can plug a USB keyboard into just about any device and it'll work flawlessly.

{ article continues with pictures at the above URL }

Thad

==============

The 2006 Bruce Schneier article in this regard is here:

https://www.schneier.com/blog/archives/2006/06/hacking_compute.html

I've mentioned Bruce Schneier here many times before:

http://en.wikipedia.org/wiki/Bruce_Schneier

And his free monthly (15th of every month since May 1998) CRYPTO-GRAM newsletter can be subscribed to here (along with getting back issues):

http://www.schneier.com/crypto-gram.html

Note Bruce is one of the few people with access to the Snowden documents.

Following is an interesting comment about this issue I found elsewhere:

| There is one comment in the Schneier article, asking the same
| question I am. Namely, that Firewire has the RDMA capability,
| and USB does not. Nobody responded to this.
|
| " I'm not sure if USB can actually use DMA. AFAIK, Firewire can
| " use DMA, but USB cannot. Can anybody confirm this?
|
| USB peripherals only respond to queries, or give acks on a
| write. There is no RDMA on USB, because it's not a peer to peer
| technology. The peripheral cannot say "give me data from physical
| address 0x12345678". The peripheral does not possess the ability
| to initiate a transaction. Only when the host polls at regular
| intervals, does the peripheral get a chance to talk. The host can
| send data to the peripheral, as long as the peripheral completed
| its last transaction and is ready for it. The host side DMA
| structure, the addresses used, are controlled by the host driver,
| with no reason to modify the DMA structures on some request from
| the peripheral ("move your buffer to 0x12345678").
|
| The article by Simson Garfinkel gives no references to this
| purported USB mechanism, no field examples (known exploits of USB
| this way). Firewire, on the other hand, the case for that one is
| well known. People were using it for debugging, before it was
| considered as a security issue. (And it's an issue if the perp
| is standing next to the computer and a Firewire port is
| available.)

-- 
http://www.piclist.com/techref/piclist PIC/SX FAQ & list archive
View/change your membership options at
http://mailman.mit.edu/mailman/listinfo/piclist
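The class mechanism the forwarded article describes (a device declares HID, mass storage, and so on, and the host binds the matching class driver) is also something the host can inspect. The following is an added example, not code from the article, SR Labs or anyone in this thread: it reads the per-interface class codes Linux exposes under /sys/bus/usb/devices and flags any device that presents a HID interface alongside a different class. The sysfs sample it falls back to is constructed so the script runs offline.

```python
"""Added example (not from the article or the thread): flag USB devices whose
interfaces mix HID with another class, e.g. a "thumb drive" that also enumerates
a keyboard, the shape a reprogrammed BadUSB device presents to the host."""
import os
from collections import defaultdict

HID = "03"  # bInterfaceClass code for human-interface devices (keyboards, mice)

def parse_sysfs(files):
    """files: mapping of sysfs-style path -> contents (as under /sys/bus/usb/devices).
    Returns {device_id: {"product": str, "classes": set of class codes}}."""
    devices = defaultdict(lambda: {"product": "", "classes": set()})
    for path, value in files.items():
        name, attr = path.rstrip("/").split("/")[-2:]
        if ":" in name and attr == "bInterfaceClass":
            # interface directories look like "1-3:1.1"; the parent device is "1-3"
            devices[name.split(":")[0]]["classes"].add(value.strip().lower())
        elif attr == "product":
            devices[name]["product"] = value.strip()
    return dict(devices)

def suspicious(devices):
    """Device ids that present a HID interface alongside a non-HID class."""
    return sorted(dev for dev, info in devices.items()
                  if HID in info["classes"] and info["classes"] != {HID})

def read_real_sysfs(root="/sys/bus/usb/devices"):
    """Collect the same two attributes from a live Linux host ({} elsewhere)."""
    files = {}
    for entry in os.listdir(root) if os.path.isdir(root) else []:
        for attr in ("product", "bInterfaceClass"):
            p = os.path.join(root, entry, attr)
            if os.path.isfile(p):
                with open(p) as fh:
                    files[p] = fh.read()
    return files

# Constructed sample: a real keyboard and a "thumb drive" that also
# enumerates a keyboard interface.
SAMPLE = {
    "/sys/bus/usb/devices/1-1/product": "USB Keyboard\n",
    "/sys/bus/usb/devices/1-1:1.0/bInterfaceClass": "03\n",
    "/sys/bus/usb/devices/1-3/product": "Flash Disk\n",
    "/sys/bus/usb/devices/1-3:1.0/bInterfaceClass": "08\n",
    "/sys/bus/usb/devices/1-3:1.1/bInterfaceClass": "03\n",
}

if __name__ == "__main__":
    found = parse_sysfs(read_real_sysfs() or SAMPLE)
    for dev in suspicious(found):
        print(dev, found[dev]["product"], sorted(found[dev]["classes"]))
```

On a live Linux host the script scans the real sysfs tree; the constructed sample is only used when that directory is absent.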