On Fri, Oct 17, 2014 at 05:01:51AM -0400, Gene Heskett wrote: > On Friday 17 October 2014 03:48:48 Greg KH did opine > And Gene did reply: > > On Thu, Oct 16, 2014 at 08:18:26PM -0400, Gene Heskett wrote: > > > On Thursday 16 October 2014 18:28:16 Greg KH did opine > > > > > > And Gene did reply: > > > > On Thu, Oct 16, 2014 at 06:12:48PM -0400, Gene Heskett wrote: > > > > > Is there a move afoot to write a checker utility that determines > > > > > if the usb device its pointed at is vulnerable, and can > > > > > therefore be reliably blacklisted? > > > > > > > > What do you mean by a "vulnerable" USB device? > > > > > > Thanks for the reply, Greg. > > > > > > There is an exploitable error in the usb hardware/firmware, one that > > > nearly 100% of the devices have. > > > > No there isn't, it's a specific design of the device, we have had > > devices like this since the 1990's. This is nothing new at all, and > > nothing that is a problem. > > > > > No one ever gave security a seconds thought when writing the usb std. > > > > As one who helped write a tiny portion of the spec, that's not true at > > all. If you have specifics, I would be glad to discuss them. > > I have a copy of the 1.1 specs, before they put it behind a paywall. I am > glad you did have a small hand in it, thanks. There is no "paywall" for USB specs. All specs are "backwards compatible", so the latest 3.0 spec has all of the 1.1 stuff in it as well. It's just more stuff to wade through :) > > > As described it is both hardware and firmware that will need to be > > > addressed for an effective fix. > > > > What needs to be "fixed"? > > > The procedure to update that firmware. That's vendor-specific, and again, isn't a big deal at all. I even helped create the spec that allows that to happen in a standard way. Linux supports that quite well. > > > See: > > > > > > <http://www.wired.com/2014/10/code-published-for-unfixable-usb-attack > > > /> > > > > > > for an explanation much better than I seem to be doing. It went live > > > yesterday. > > > > The only thing that is "new" is the fact that some people thought that > > the firmware of a USB device could not be changed to work like > > something else. Again, that's never been true, and is nothing that > > "hurts" the operating system. > > > Agreed, but if when it is plugged in, it goes out and installs a > keylogger, Wait, how can a USB device "install a keylogger"? If that happens, then that is a bug in the kernel. And yes, we did have a few bugs in that area in the past, specifically we fixed them over the past year, but that's a totally different thing than allowing the firmware of a device to be changed. > now that is harming the user even if the code to do it is 100% > nicely written legal code. Again, there should never be a way for a USB device to arbitrarily execute code on your processor. That's not part of the USB spec, and does not happen on Linux at all. If it does, please let us know and it will be fixed. So far, none of the "BadUSB" stuff actually does this, so that is not an issue. Beware of the press around this issue, it's very confusing, and incorrect. This has been discussed in detail on the oss-security mailing list a few months ago if you are interested and want to go read the archives. thanks, greg k-h -- To unsubscribe from this list: send the line "unsubscribe linux-usb" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
