oss-sec mailing list archives
Re: BadUSB discussion
From: Daniel Kahn Gillmor <dkg () fifthhorseman net>
Date: Fri, 08 Aug 2014 10:05:11 -0400
On 08/08/2014 10:00 AM, Greg KH wrote:
On Fri, Aug 08, 2014 at 09:56:34AM -0400, Daniel Kahn Gillmor wrote:For example, you could register keyboards by serial number with the system,Most USB keyboards in the system do not have a unique serial number. Heck, most USB devices in the system do not have a unique serial number, the only USB device that is required to do so is a USB printer, everything else is free to not have one at all, or have the same serial number for all devices made of that type. Never treat a USB serial number as "unique", except for a USB printer, sorry.
ugh, that's a shame. are there any other characteristics we could use to gin up a phony serial number for this kind of use? Even making an allowlist by model number would raise the bar a little bit for a generic attacker. Though i suppose you could create a device that claims to be 400 different keyboards at once -- or in a rapid hotplug succession until it finds the common model that you've already allowed :( ugh, --dkg
Attachment:
signature.asc
Description: OpenPGP digital signature
Current thread:
- BadUSB discussion Dan Carpenter (Aug 08)
- Re: BadUSB discussion Florian Weimer (Aug 08)
- Re: BadUSB discussion Daniel Kahn Gillmor (Aug 08)
- Re: BadUSB discussion Greg KH (Aug 08)
- Re: BadUSB discussion Daniel Kahn Gillmor (Aug 08)
- Re: BadUSB discussion Greg KH (Aug 08)
- Re: BadUSB discussion Eddie Chapman (Aug 08)
- Re: BadUSB discussion Greg KH (Aug 08)
- Re: BadUSB discussion Eddie Chapman (Aug 08)
- Re: BadUSB discussion Greg KH (Aug 08)
- Re: BadUSB discussion Eddie Chapman (Aug 08)
- Re: BadUSB discussion Greg KH (Aug 08)
- Re: BadUSB discussion Eddie Chapman (Aug 08)
- Re: BadUSB discussion Daniel Kahn Gillmor (Aug 08)
- Re: BadUSB discussion lazytyped (Aug 09)
- Re: BadUSB discussion Florian Weimer (Aug 08)
- Re: BadUSB discussion Dean Pierce (Aug 08)