oss-sec mailing list archives

Re: BadUSB discussion


From: Greg KH <greg () kroah com>
Date: Fri, 8 Aug 2014 09:49:18 -0700

On Fri, Aug 08, 2014 at 09:23:21AM -0700, Dean Pierce wrote:
> Being able to "infect" a USB device (allowing unsigned firmware to be
> flashed on) is bad.

"bad"?  Why is that?  Loads of devices work this way, a whole class of
USB controller chips work exactly in this manner, they require the
firmware to be downloaded to the device from the host operating system
before they work at all.  They are really common and cheap and used all
over the place and have been on the market since the early 1990s.

> Being able to "infect" a host controller is bad.

And is something that I have never seen anyone say is possible, have
you?  If so, details would be great to have.

> Using a USB device to get DMA, memory dumps, files, etc via loaded drivers
> is bad, whether they are using legitimate code paths or kernel bugs.

How can a USB device get any of those things without the host operating
system giving them to the device?

> I'm not so worried about the keyboard thing.  That's only interesting
> because it's the automation of exploiting a machine that has already been
> compromised.
>
> Personally I would prefer disabling USB hotplug while a machine is locked
> (or while there are no active TTYs or something for servers).  Even if HID
> was whitelisted while the machine is locked, it would be a great start.

Then do just that, Linux has allowed you to do this for years, again,
but very few people take advantage of it.

> In regards to the PCI stuff, don't miss Joe's talk at DEFCON on Sunday.
>
> https://www.defcon.org/html/defcon-22/dc-22-speakers.html#FitzPatrick
>
> People have much more exposed PCI on their laptops and servers than they
> realize.  It's super cheap, super easy, and when we start selling kits this
> afternoon, it's going to be super accessible.

ExpressCard and Thunderbolt are PCIe, it's fun to play with, glad to
see some "kits" to make it more accessible.

> VTd/IOMMU would be nice to have if implemented properly, but it seems like
> even OSX, the only OS currently using VTd as a security feature, still
> hasn't gotten it quite right.

What exactly do you mean by "get it right"?

> Also firewire attacks are still a thing.  What's up with that?

The hardware is designed to do this, the host operating system can't do
much about bad hardware, sorry.

> ExpressCard and Thunderbolt adapters are super cheap, and Inception is
> still being actively maintained with new targets being added
> regularly.

It makes it easy to back up laptops :)

thanks,

greg k-h
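The reply says Linux has let you refuse new USB devices (and whitelist HID) for years without naming the knob. The mechanism is the per-host-controller `authorized_default` and per-device `authorized` attributes under `/sys/bus/usb/devices/`: with `authorized_default` set to 0 the kernel still enumerates a newly attached device and exposes its raw descriptors, but does not configure it or bind any driver until something writes 1 to `authorized`. The script below is an added example, not code from this thread or from the kernel: it parses the raw `descriptors` blob (device descriptor followed by the full configuration descriptors, as sysfs exposes it), authorizes only devices whose every interface is class 03 (HID), and deauthorizes everything else. It takes a sysfs root as a parameter so it can run against a constructed directory tree; the device names, vendor/product IDs and descriptor contents in `FAKE_DEVICES` are constructed test data, not captured from a host, and a lock-screen or udev hook that would call `apply_hid_whitelist` on a real machine is assumed rather than shown.

```python
"""Added example: device-level USB authorization policy over sysfs (HID only).

Assumes the Linux sysfs layout /sys/bus/usb/devices/<name>/ with the files
``authorized``, ``descriptors`` and, on host controllers (usbN),
``authorized_default``.  The root directory is a parameter so the policy can
be exercised offline against a constructed tree.  Writing the real files
requires root.
"""
import os
import struct
import tempfile

DT_DEVICE, DT_CONFIG, DT_INTERFACE = 1, 2, 4
CLASS_HID = 0x03


def interface_classes(blob):
    """Return (class, subclass, protocol) of every interface descriptor in a raw
    sysfs 'descriptors' blob.  Descriptors are chained by bLength, so endpoint,
    HID and other class-specific descriptors are skipped, and every alternate
    setting of every configuration is seen."""
    out, off = [], 0
    while off + 2 <= len(blob):
        length, dtype = blob[off], blob[off + 1]
        if length < 2:
            raise ValueError("malformed descriptor: bLength < 2 at offset %d" % off)
        if dtype == DT_INTERFACE and length >= 9:
            out.append((blob[off + 5], blob[off + 6], blob[off + 7]))
        off += length
    return out


def hid_only(blob):
    """True only if the device claims at least one interface and all are HID.
    A device can lie in its descriptors; this gates what it is allowed to be,
    it does not prove what it is."""
    ifaces = interface_classes(blob)
    return bool(ifaces) and all(cls == CLASS_HID for cls, _, _ in ifaces)


def _write(path, value):
    with open(path, "w") as f:
        f.write(value)


def _read(path):
    with open(path) as f:
        return f.read().strip()


def set_default_deny(root):
    """Make every host controller leave newly attached devices unauthorized."""
    base = os.path.join(root, "bus", "usb", "devices")
    for name in os.listdir(base):
        p = os.path.join(base, name, "authorized_default")
        if name.startswith("usb") and os.path.isfile(p):
            _write(p, "0")


def apply_hid_whitelist(root):
    """Authorize HID-only devices, deauthorize the rest (which deconfigures an
    already bound device).  Root hubs (usbN) are left alone.  Returns {name: ok}."""
    base = os.path.join(root, "bus", "usb", "devices")
    decisions = {}
    for name in sorted(os.listdir(base)):
        dev = os.path.join(base, name)
        if name.startswith("usb") or not os.path.isfile(os.path.join(dev, "descriptors")):
            continue
        with open(os.path.join(dev, "descriptors"), "rb") as f:
            ok = hid_only(f.read())
        _write(os.path.join(dev, "authorized"), "1" if ok else "0")
        decisions[name] = ok
    return decisions


# ---- constructed sysfs tree for offline testing; IDs and names are made up ----

def _device_desc(vid, pid, dev_class=0):
    return struct.pack("<BBHBBBBHHHBBBB", 18, DT_DEVICE, 0x0200, dev_class, 0, 0,
                       64, vid, pid, 0x0100, 1, 2, 3, 1)


def _config_desc(interfaces):
    body = b""
    for num, (cls, sub, proto) in enumerate(interfaces):
        body += struct.pack("<BBBBBBBBB", 9, DT_INTERFACE, num, 0, 1, cls, sub, proto, 0)
        if cls == CLASS_HID:  # class-specific HID descriptor between interface and endpoint
            body += struct.pack("<BBHBBBH", 9, 0x21, 0x0111, 0, 1, 0x22, 63)
        body += struct.pack("<BBBBHB", 7, 5, 0x81, 3, 8, 10)  # one interrupt IN endpoint
    return struct.pack("<BBHBBBBB", 9, DT_CONFIG, 9 + len(body),
                       len(interfaces), 1, 0, 0x80, 50) + body


FAKE_DEVICES = {
    "usb1": (0x0000, 0x0001, [(0x09, 0, 0)]),                        # root hub
    "1-1":  (0x1234, 0x0001, [(CLASS_HID, 1, 1)]),                   # plain keyboard
    "1-2":  (0x1234, 0x0002, [(CLASS_HID, 1, 1), (0x08, 6, 0x50)]),  # storage that also claims a keyboard
    "1-3":  (0x1234, 0x0003, [(0x08, 6, 0x50)]),                     # plain mass storage
}


def build_fake_sysfs(root):
    base = os.path.join(root, "bus", "usb", "devices")
    for name, (vid, pid, ifaces) in FAKE_DEVICES.items():
        d = os.path.join(base, name)
        os.makedirs(d)
        dev_class = 0x09 if name.startswith("usb") else 0
        with open(os.path.join(d, "descriptors"), "wb") as f:
            f.write(_device_desc(vid, pid, dev_class) + _config_desc(ifaces))
        _write(os.path.join(d, "authorized"), "1")
        if name.startswith("usb"):
            _write(os.path.join(d, "authorized_default"), "1")
    return base


def demo():
    """Apply the policy to the constructed tree; return per-device 'authorized'
    values and the root hub's 'authorized_default' afterwards."""
    root = tempfile.mkdtemp()
    base = build_fake_sysfs(root)
    set_default_deny(root)
    apply_hid_whitelist(root)
    state = {n: _read(os.path.join(base, n, "authorized")) for n in FAKE_DEVICES}
    return state, _read(os.path.join(base, "usb1", "authorized_default"))


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner should keep in mind. First, this only checks what the device claims: a keystroke injector that advertises nothing but a HID interface passes, which is exactly the "keyboard thing" the quoted message sets aside, so the policy closes the storage-disguised-as-keyboard case, not the keyboard case. Second, `authorized_default` only affects devices attached after it is written, so a lock-screen hook must also walk already present devices, as `apply_hid_whitelist` does.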
