On Fri, Oct 17, 2014 at 04:53:57AM -0400, Gene Heskett wrote:
> On Friday 17 October 2014 02:49:05 Clemens Ladisch did opine
> And Gene did reply:
> > Gene Heskett wrote:
> > > On Thursday 16 October 2014 18:28:16 Greg KH did opine
> > >
> > > And Gene did reply:
> > >> On Thu, Oct 16, 2014 at 06:12:48PM -0400, Gene Heskett wrote:
> > >>> Is there a move afoot to write a checker utility that determines if
> > >>> the usb device it's pointed at is vulnerable, and can therefore be
> > >>> reliably blacklisted?
> > >>
> > >> What do you mean by a "vulnerable" USB device?
> > >
> > > There is an exploitable error in the usb hardware/firmware, one that
> > > nearly 100% of the devices have.
> >
> > That "error" is the fact that USB devices have a CPU which can execute
> > arbitrary code. The "BadUSB" guys have shown that several widely-used
> > USB sticks allow the PC to change their firmware, but building USB
> > devices with malicious firmware has _always_ been possible; the only
> > difference is that the hardware costs have gone down from $40 for
> > a Rubber Ducky to $10 for an off-the-shelf memory stick.
> >
> > > No one ever gave security a second's thought when writing the usb std.
> > > As described it is both hardware and firmware that will need to be
> > > addressed for an effective fix.
> >
> > So you want to blacklist every device (USB or any other bus) that can
> > be connected to a PC? And outlaw general-purpose computers?
> >
> >
> > Regards,
> > Clemens
>
> I think the point they were trying to make is that the device packager,
> who may not be the chip vendor, can put, if there is room in its flashrom,
> a short command that would, on plugging it in, cause the machine to
> silently go out on the net and become part of a spam bot, or install a
> keylogger, particularly dangerous for those of us who do our banking
> online.

Again, no, a device can not "cause the machine to silently go out on the
net..."

That's not possible, and if it is, then it's a bug in the operating
system, that needs to be fixed, and has nothing to do with the USB
specification at all.

thanks,

greg k-h