On Friday 17 October 2014 02:49:05 Clemens Ladisch did opine
And Gene did reply:
> Gene Heskett wrote:
> > On Thursday 16 October 2014 18:28:16 Greg KH did opine
> > And Gene did reply:
> >> On Thu, Oct 16, 2014 at 06:12:48PM -0400, Gene Heskett wrote:
> >>> Is there a move afoot to write a checker utility that determines if
> >>> the usb device it's pointed at is vulnerable, and can therefore be
> >>> reliably blacklisted?
> >>
> >> What do you mean by a "vulnerable" USB device?
> >
> > There is an exploitable error in the usb hardware/firmware, one that
> > nearly 100% of the devices have.
>
> That "error" is the fact that USB devices have a CPU which can execute
> arbitrary code. The "BadUSB" guys have shown that several widely-used
> USB sticks allow the PC to change their firmware, but building USB
> devices with malicious firmware has _always_ been possible; the only
> difference is that the hardware costs have gone down from $40 for
> a Rubber Ducky to $10 for an off-the-shelf memory stick.
>
> > No one ever gave security a second's thought when writing the usb std.
> > As described it is both hardware and firmware that will need to be
> > addressed for an effective fix.
>
> So you want to blacklist every device (USB or any other bus) that can
> be connected to a PC? And outlaw general-purpose computers?
>
>
> Regards,
> Clemens

I think the point they were trying to make is that the device packager, who
may not be the chip vendor, can put, if there is room in its flashrom, a
short command that would, on plugging it in, cause the machine to silently
go out on the net and become part of a spam bot, or install a keylogger,
particularly dangerous for those of us who do our banking online.

To completely ignore it seems like a mistake. Ideally it seems we would
need a new call into the driver, to have it reach in since it's usually so
easy, and do a 64 bit crc on the flashrom, and compare that to a secured
copy of that crc. If they don't match, turn on the klaxons.

Even that would be easily defeatable in the real world, so it needs to be
more complex than that.

A user's $0.02, Clemens.

ATM I need to go get a new usb key and reformat it in either fat32, or
just plain fat with its 8.3 names as that's all a new digital scope I just
bought accepts. It cannot find its update files on a vfat key. And since
it is an Atten, its factory shipped firmware is "buggier than a ten day
old carcass". I have much better firmware for it, but it's apparently
married to the older fat filesystem.

Cheers, Gene Heskett
--
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Gene's Web page <http://geneslinuxbox.net:6309/gene>
US V Castleman, SCOTUS, Mar 2014 is grounds for Impeaching SCOTUS
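Why Gene's proposed check ("have the driver read the flashrom, CRC it, compare to a secured copy") is, as he says, easily defeatable: on a USB device the host never reads flash directly, it asks the device's own firmware to return the bytes, so a reflashed device can simply serve a saved copy of the original image. The following is an added illustration written for this page, not code from the thread or from any USB stack. It models a device as a struct whose "read flash" request is serviced by a function pointer, uses CRC-64/ECMA-182 as the concrete 64-bit CRC (the thread only says "64 bit crc"; the polynomial choice is an assumption), and the firmware images are constructed strings, not real firmware.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* CRC-64/ECMA-182: poly 0x42F0E1EBA9EA3693, init 0, no reflection, no xorout.
 * Bit-at-a-time, MSB first. Assumed here as "the 64 bit crc" from the thread. */
uint64_t crc64_ecma(const uint8_t *buf, size_t len)
{
    const uint64_t poly = 0x42F0E1EBA9EA3693ULL;
    uint64_t crc = 0;
    for (size_t i = 0; i < len; i++) {
        crc ^= (uint64_t)buf[i] << 56;
        for (int b = 0; b < 8; b++)
            crc = (crc & (1ULL << 63)) ? (crc << 1) ^ poly : crc << 1;
    }
    return crc;
}

/* Known check value for CRC-64/ECMA-182 over "123456789". */
int crc64_selftest(void)
{
    return crc64_ecma((const uint8_t *)"123456789", 9) == 0x6C40DF5F0B497347ULL;
}

#define FLASH_SIZE 64

/* Hypothetical device model (not a real USB stack). The host's "read flash"
 * request is answered by firmware running on the device, so the bytes that
 * come back are whatever that firmware chooses to return. */
struct usb_device {
    uint8_t flash[FLASH_SIZE];     /* what the device's CPU actually executes */
    uint8_t pristine[FLASH_SIZE];  /* saved factory image; used only by the backdoored device */
    void (*read_flash)(const struct usb_device *dev, uint8_t *out, size_t len);
};

/* Factory firmware answers honestly with the real flash contents. */
static void honest_read(const struct usb_device *dev, uint8_t *out, size_t len)
{
    memcpy(out, dev->flash, len);
}

/* Reflashed firmware answers with the saved factory image instead. */
static void lying_read(const struct usb_device *dev, uint8_t *out, size_t len)
{
    memcpy(out, dev->pristine, len);
}

/* Host side, exactly as proposed in the thread: read the flashrom through
 * the device, CRC it, compare to the secured golden CRC. 1 = passes. */
int host_verify(const struct usb_device *dev, uint64_t golden_crc)
{
    uint8_t image[FLASH_SIZE];
    dev->read_flash(dev, image, sizeof image);
    return crc64_ecma(image, sizeof image) == golden_crc;
}

/* Constructed sample images; zero-padded to FLASH_SIZE. Not real firmware. */
static const uint8_t factory_image[FLASH_SIZE]   = "SCOPE-FW v1.0 mass-storage";
static const uint8_t malicious_image[FLASH_SIZE] = "HID keyboard: type payload on plug";

void make_honest_device(struct usb_device *dev)
{
    memcpy(dev->flash, factory_image, FLASH_SIZE);
    memset(dev->pristine, 0, FLASH_SIZE);
    dev->read_flash = honest_read;
}

/* The packager reflashed it: different code runs, but it remembers the
 * factory image so that it can present it to any checker. */
void make_backdoored_device(struct usb_device *dev)
{
    memcpy(dev->flash, malicious_image, FLASH_SIZE);
    memcpy(dev->pristine, factory_image, FLASH_SIZE);
    dev->read_flash = lying_read;
}

int main(void)
{
    struct usb_device good, bad;
    make_honest_device(&good);
    make_backdoored_device(&bad);

    /* The "secured copy" of the CRC, taken from a known-good unit. */
    uint64_t golden = crc64_ecma(good.flash, FLASH_SIZE);

    printf("crc64 self-test: %s\n", crc64_selftest() ? "ok" : "FAIL");
    printf("honest device passes:     %d\n", host_verify(&good, golden));
    printf("backdoored device passes: %d\n", host_verify(&bad, golden));
    printf("flash contents identical: %d\n",
           memcmp(good.flash, bad.flash, FLASH_SIZE) == 0);
    return 0;
}
```

Both devices pass the check while executing different code, because the verifier's only window into the flash is the very firmware it is trying to verify. A CRC (or a cryptographic hash) only helps when the read path does not depend on that firmware, which is the "more complex than that" Gene is alluding to and which the thread does not go into.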