Device USB firmware infecting your PC

>Some suspect USB devices can spoof themselves as being a keyboard, mouse, or other device to give them the ability to download and install anything on any compatible device they are plugged into. Simply having, "autoplay," or similar function turned off in the OS won't prevent this from happening. These devices can also infect other compatible USB devices. They can even run before an antivirus is even loaded into the OS, if the device is plugged into the PC before it is turned on.

What now, god damn it? Is USB the absolute worst of the worst security hole in existence?

Attached: Types of USB Attacks.png (844x3378, 336K)


>2018
Are they just reconfirming, because this has been known forever.

If you have anything using USB, solder it to the USB port so it can't be removed (at least not without damaging the USB port). Then solder the other ports shut.

Which kernels does this concern?

Any of them that use USB. Though, it is more a matter of "it isn't worth it to exploit kernels that no one important uses" type of thing.

I don't understand, it's an inherent problem in the USB protocol itself?

Kind of. A USB mouse plugged into a USB port will identify itself as a USB mouse and the OS will allow the USB mouse to move the pointer around. The same applies to keyboards.

Any device can in theory say "Hi, I'm a device with both a keyboard and a mouse" (I've got a wireless remote which is both). If it looks like a USB thumb drive and you think it's a USB thumb drive and it says "Hi, I'm a storage device. I'm also a keyboard and also a mouse" the OS will accept it as being all of those things.

It would be a bit hard to make a "solution" which is also easy to use. I guess you could have a big dialog saying "New keyboard identified, DO YOU TRUST IT?" every time you connect something new.

Anyway, as for firmware attacks.. that's possible. Someone could change the firmware of your external HDD so it starts behaving as a mouse and keyboard too. However, those kinds of attacks are pretty darn hard to pull off. You'd have to know what HDD model you have and make evil firmware just for your HDD and physically grab your HDD and put malware on it. That may actually be a real concern if you are a very high-value target.

In general, I'd say USB attacks - while possible in theory - aren't something to be too concerned about. Let's say you have a fancy gaming keyboard with macro functions and stuff. I could put special firmware on it which records your keystrokes. How do I deploy? Breaking into your home while you're at the gym. But.. why don't I just mirror your HDD while I'm in your home?

The threat model is the device emulating a mouse and keyboard and performing commands with keyboard presses.

Can't we modify the linux kernel to ask what to do with the new device?

thanks for the detailed explanation, as for physical access, can't it just identify itself as something that needs network access, or have networking integrated ?

>we
>skid
lmao

I'll have you know I'm proficient in every .rc file and have even installed arch linux myself.

i have already tried.
Next thing I knew weird stuff started happening and now i am being gangstalked into madness.

>It would be a bit hard to make a "solution" which is also easy to use. I guess you could have a big dialog saying "New keyboard identified, DO YOU TRUST IT?" every time you connect something new.
Yeah, why not? We already do that with BT devices. Apple does that (on both ends) when connecting iPhone to a Mac. Should have been standard behaviour since the start desu.


USB devices can't identify themselves as needing network devices. Of course, if you have keyboard control you could assume the target has network and run commands which use it.

As for having network built-in.. sure, if you order a device on Amazon and the NSA intercepts it on route then yeah, the device could arrive with special USB firmware and Bluetooth or 4G for remote access. On-route interception is a real thing, btw. Going to a physical store when you need something could be a good idea if you're a high-value target. You're probably not given that you're reading Jow Forums right now..

While you have a valid point there is the issue of
>boot new computer
>no USB devices are trusted
>get dialog asking if you trust mouse and keyboard
>can't accept with mouse because mouse isn't trusted
>can't accept with keyboard because keyboard isn't trusted
do what?

It's been like this since the old Sandisk switchblade windows-xp days with the autorun cd exploit.

Headless server that can disable ports.

Or just have a memorised basic setup during the installation procedure. You're root by default there so no worries.

This. This whole concept was dubbed "BadUSB" by the team who gave their talk about it several years ago at Black Hat.

>How do i deploy?
At the factory in China

Also, USB attacks made with rubber duckies and the like are mostly pre-planned drive-by attacks. You can program essentially a macro that, at superhuman speeds limited only by the UI, can extract all sorts of personal data from non-privileged environments, download exploits onto the machine to get privileged access if such are available (and they generally are, since manufacturers of OSes and software don't put them as high priority and focus on exploits that give remote unprivileged access instead, as without those there's normally no way to escalate privileges in the first place), put a DNS redirect to your home server in, and then put a backdoor in autostart and hide all traces of it, all in minutes. This is why you don't leave your laptop unattended without locking it.

>USB devices can't identify themselves as needing network devices
Unless they're USB-C, which supports Ethernet as part of its protocol, hence all the USB-C to Ethernet dongles.

The way Google has their servers set up it doesn't matter if you have direct access. Their motherboards and distribution are fully checksummed from firmware to upgrade. If a rootkit or firmware dropper is installed it will just roll back and format the system.
Only hacks against that are application layer based attacks and low level power analysis / microcode attacks.
youtube.com/watch?v=paKhx_9iHnc

Explain this: any keyboard and mouse commands are going to be visible to the user that plugged the device in. Ergo, they will know something is up. So how dangerous is it really?

>Yeah, why not? We already so that with BT devices. Apple does that (on both ends) when connecting iPhone to a Mac. Should have been standard behaviour since the start desu.
Because there isn't really a feasible trust model you can build, say each device comes with a unique ID that's long enough to deter bruteforce attacks, how in the world are you gonna get all the shitty pajeet USB accessory manufacturers to not only comply with this in full but also potentially disable millions of existing USB devices by imposing this requirement? Obviously users would want a "remember this device" feature so just asking anytime anything is plugged in is not gonna fly so there's gonna be some unique identifier, and if it's not unique enough it can be spoofed and that creates a problem

the vector of attack is that you leave your computer unattended, unlocked

>plug in mouse
>mouse won't work before clicking ok

You don't need to go that far, all you would really need is to have the "do you trust this device" popup. The "remember this device" option doesn't have to be some globally secured thing, just have something like a certificate signed by the PC that remembers it that the PC can check for when a new USB device is plugged in.

>In general, I'd say USB attacks - while possible in theory - isn't something to be too concerned about.
I bought an MP3 player from AliExpress that tried that shit. Luckily I gimped my main PC so much that it couldn't work properly. However, I forgot about my netbook with WinXP on it and it completely fucked it up when I connected it. The utility power was off because of a storm when I was doing that, so it never connected to the internet at least. I still had to wipe everything and reinstall. It also didn't infect anything else inside the netbook because it is a bit of a rare chipset that was very unpopular and had a very limited run ("unopenable" full SMD/blob version of ASUS 900SD).

>Apple does that (on both ends) when connecting iPhone to a Mac
Apple products are also attacked with this sort of thing, fyi.

doesn't matter
there's still no good solution against it
even though there's some good ideas on how to prevent it

>USB-C which supports Ethernet as part of it's protocol
FFFFFFFFFFFFFFF

Attached: VM Sandboxes.png (544x589, 45K)

On win7, when I plug in a new USB keyboard or mouse, the only notification I get is after the driver has installed, "A new device is ready to use" along with "New device detected...", but it happens so fast that both messages pop up in the task bar at the same time. By the time I look down at that set of messages the damage would already be done.

That's the point, how would a PC know one USB device from another if not by a unique identifier that could not be bruteforced?
Certificate signed by PC? what do you mean? Like essentially trusting a signature? Yeah, that requires a unique identifier on the USB side. Or do you mean like the PC assigns each USB device it encounters and trusts a unique identifier? But then how would the PC know one USB device from another if the USB device itself is not the source of the certificate?

>USB devices can't identify themselves as needing network devices.
How does USB tethering work then?

Good informative video.

How's this?

1: Physical access to the USB port may be locked with a key, fingerprint reader, or other security metric. This physically blocks anything from being plugged into the port.
2: USB port use can be passphrase protected.
3: USB ports are hardware sandboxed by default. Which exists only for certificate reading.
4: OS checks device's certification using an online database or a database the Administrator has downloaded/created.
5a: Device can't be moved out of sandbox until OS verifies certificate or Administrator bypasses certification requirement. Other requirements may be implemented on a case to case basis.
5b: Option to move device into a VM sandbox, of the Administrator's choice, instead of out of the hardware sandbox. This would allow the VM to have access, but not anything else.
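The posts above keep circling the same mechanism: a device announces a set of interfaces during enumeration (the "I'm storage, also a keyboard, also a mouse" case), the OS believes it, and the proposed fix is a default-deny trust prompt with a "remember this device" option and a sandbox until the administrator accepts it. The Linux kernel already exposes the enforcement half of that through sysfs (`authorized_default` on the root hub and the per-device `authorized` attribute). The following is an added example, not code from this thread or from any named project: it walks a USB configuration descriptor to list the interface classes a device claims, applies a remember-or-prompt policy keyed on the device's self-reported identity (which, as noted above, is spoofable), and returns the sysfs write that would enforce the decision. The descriptor byte strings, vendor:product IDs and serials are constructed for the example.

```python
"""Added example: interface-class inspection plus a remember-or-prompt USB policy."""
import struct
from dataclasses import dataclass

# USB-IF base class codes that matter for the discussion above
HID, MASS_STORAGE, CDC_COMM, CDC_DATA, WIRELESS = 0x03, 0x08, 0x02, 0x0A, 0xE0
INPUT_CLASSES = {HID}                              # keyboard / mouse
NETWORK_CLASSES = {CDC_COMM, CDC_DATA, WIRELESS}   # ECM/NCM/RNDIS-style links


@dataclass(frozen=True)
class Interface:
    number: int
    cls: int
    subclass: int
    protocol: int


def parse_config_descriptor(blob: bytes) -> list:
    """Walk a configuration descriptor (type 0x02) and collect every interface
    descriptor (type 0x04) inside it; bInterfaceClass is byte 5 of each."""
    if len(blob) < 9 or blob[1] != 0x02:
        raise ValueError("not a configuration descriptor")
    total = struct.unpack_from("<H", blob, 2)[0]      # wTotalLength
    if total > len(blob):
        raise ValueError("descriptor truncated")
    ifaces, pos = [], 0
    while pos + 2 <= total:
        length, dtype = blob[pos], blob[pos + 1]
        if length < 2:
            raise ValueError("malformed descriptor length")
        if dtype == 0x04 and length >= 9:
            ifaces.append(Interface(blob[pos + 2], blob[pos + 5],
                                    blob[pos + 6], blob[pos + 7]))
        pos += length                                 # skip endpoints, HID, etc.
    return ifaces


def decide(identity, ifaces, remembered):
    """identity: (vid:pid, serial) as the device reports it (spoofable).
    remembered: identity -> frozenset of classes seen when the user accepted it.
    A remembered device that suddenly presents new interfaces is prompted again."""
    classes = frozenset(i.cls for i in ifaces)
    if identity in remembered:
        if remembered[identity] == classes:
            return "authorize", "remembered device, same interface set as before"
        return "prompt", "remembered device now presents a different interface set"
    reasons = []
    if classes & INPUT_CLASSES:
        reasons.append("claims to be a keyboard/mouse")
    if classes & NETWORK_CLASSES:
        reasons.append("claims a network-capable interface")
    if MASS_STORAGE in classes and classes & INPUT_CLASSES:
        reasons.append("storage device that also injects input")
    return "prompt", "new device: " + ("; ".join(reasons) or "no input or network interface claimed")


def sysfs_writes(action, busid, sysfs="/sys/bus/usb/devices"):
    """(path, value) pairs enforcing the decision on Linux via the per-device
    'authorized' attribute. Assumes authorized_default=0 on the root hub so
    that new devices start out denied (and stay unbound from drivers)."""
    return [(f"{sysfs}/{busid}/authorized", "1" if action == "authorize" else "0")]


# --- constructed sample descriptors (not captured from real hardware) ---
def _iface(num, cls, sub, proto, n_ep):
    return bytes([9, 0x04, num, 0, n_ep, cls, sub, proto, 0])

def _ep(addr, attrs=0x02):            # bulk by default, 64-byte packets
    return bytes([7, 0x05, addr, attrs, 0x40, 0x00, 0x00])

def _hid():                           # class-specific HID descriptor
    return bytes([9, 0x21, 0x11, 0x01, 0, 1, 0x22, 0x3F, 0])

def build_config(n_ifaces, *bodies):
    body = b"".join(bodies)
    return struct.pack("<BBHBBBBB", 9, 0x02, 9 + len(body), n_ifaces, 1, 0, 0x80, 50) + body

# thumb drive that also announces a keyboard (protocol 1) and a mouse (protocol 2)
SUSPECT_STICK = build_config(3,
    _iface(0, MASS_STORAGE, 0x06, 0x50, 2) + _ep(0x81) + _ep(0x02),
    _iface(1, HID, 0x01, 0x01, 1) + _hid() + _ep(0x83, 0x03),
    _iface(2, HID, 0x01, 0x02, 1) + _hid() + _ep(0x84, 0x03))
PLAIN_STICK = build_config(1, _iface(0, MASS_STORAGE, 0x06, 0x50, 2) + _ep(0x81) + _ep(0x02))
# phone in tethering mode: CDC-ECM control interface plus a CDC-Data interface
PHONE_TETHER = build_config(2,
    _iface(0, CDC_COMM, 0x06, 0x00, 1) + _ep(0x85, 0x03),
    _iface(1, CDC_DATA, 0x00, 0x00, 2) + _ep(0x86) + _ep(0x07))

if __name__ == "__main__":
    remembered = {("f00d:0002", "SN-Y"): frozenset({MASS_STORAGE})}   # constructed
    for name, blob, ident in [("suspect", SUSPECT_STICK, ("f00d:0001", "SN-X")),
                              ("plain", PLAIN_STICK, ("f00d:0002", "SN-Y")),
                              ("tether", PHONE_TETHER, ("f00d:0003", "SN-P"))]:
        action, why = decide(ident, parse_config_descriptor(blob), remembered)
        print(f"{name:8} {action:9} {why}  -> {sysfs_writes(action, '1-4')}")
```

The policy prompts for every new device rather than trying to classify "safe" ones, which sidesteps the objection raised above about needing an unforgeable per-device identity: the identity is only used to skip the prompt for a device the user already accepted, and a remembered device is prompted again if its interface set changes. The obvious gap is the one already pointed out in the thread: on a freshly installed machine the first keyboard and mouse have to be accepted somehow, so the usual answer is to trust devices present at boot (or during installation) and apply default-deny only to devices plugged in afterwards.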

>I bought an MP3 player from AliExpress that tried that shit.
what really?
which one?


Ruizu or however it is spelled.

Not just that. It can come from anything you buy. Especially if it is an off-brand from China or an Amazon marketplace vendor, or a second-hand device from eBay or a similar site. The next legit mouse or keyboard may have that shit installed on it. You'd install it, because it is a fucking mouse or keyboard, right? Then x amount of time passes and it suddenly activates that shit when you least expect it. Not only least expect it, but when it is activating this shit much later instead of instantly, you may never realize that the mouse/keyboard is the source of the problem and continue to use it after wiping and reinstalling.