oss-sec mailing list archives

Re: BadUSB discussion

From: Daniel Kahn Gillmor <dkg () fifthhorseman net>
Date: Fri, 08 Aug 2014 10:05:11 -0400

On 08/08/2014 10:00 AM, Greg KH wrote:

On Fri, Aug 08, 2014 at 09:56:34AM -0400, Daniel Kahn Gillmor wrote:


For example, you could register keyboards by serial number with the
system,


Most USB keyboards in the system do not have a unique serial number.
Heck, most USB devices in the system do not have a unique serial number,
the only USB device that is required to do so is a USB printer,
everything else is free to not have one at all, or have the same serial
number for all devices made of that type.

Never treat a USB serial number as "unique", except for a USB printer,
sorry.


ugh, that's a shame.  are there any other characteristics we could use
to gin up a phony serial number for this kind of use?  Even making an
allowlist by model number would raise the bar a little bit for a generic
attacker.

Though i suppose you could create a device that claims to be 400
different keyboards at once -- or in a rapid hotplug succession until it
finds the common model that you've already allowed :(

ugh,

        --dkg

Attachment: signature.asc
Description: OpenPGP digital signature

Current thread:

BadUSB discussion Dan Carpenter (Aug 08)
- Re: BadUSB discussion Florian Weimer (Aug 08)
  - Re: BadUSB discussion Daniel Kahn Gillmor (Aug 08)
    - Re: BadUSB discussion Greg KH (Aug 08)
    - Re: BadUSB discussion Daniel Kahn Gillmor (Aug 08)
    - Re: BadUSB discussion Greg KH (Aug 08)
    - Re: BadUSB discussion Eddie Chapman (Aug 08)
    - Re: BadUSB discussion Greg KH (Aug 08)
    - Re: BadUSB discussion Eddie Chapman (Aug 08)
    - Re: BadUSB discussion Greg KH (Aug 08)
    - Re: BadUSB discussion Eddie Chapman (Aug 08)
    - Re: BadUSB discussion Greg KH (Aug 08)
    - Re: BadUSB discussion Eddie Chapman (Aug 08)
    - Re: BadUSB discussion lazytyped (Aug 09)
    - Re: BadUSB discussion Dean Pierce (Aug 08)

(Thread continues...)