On Fri, 17 Oct 2014, Greg KH wrote: > > now that is harming the user even if the code to do it is 100% > > nicely written legal code. > > Again, there should never be a way for a USB device to arbitrarily > execute code on your processor. That's not part of the USB spec, and > does not happen on Linux at all. If it does, please let us know and it > will be fixed. So far, none of the "BadUSB" stuff actually does this, > so that is not an issue. On Fri, 17 Oct 2014, Peter Stuge wrote: > It should become clear that what you describe just isn't possible. > > Not everything that is published (on internet or elsewhere) is > actually correct. I don't think the situation is quite so rosy as you guys seem to believe. Given the ability to update a USB device's firmware, a black hat can easily modify the firmware of an innocent-looking USB flash drive. The new firmware can include an HID interface that presents itself to the host as a keyboard. When an unsuspecting user plugs the device into his computer, any data sent out by the bad firmware over the keyboard interface will appear (to the host) as if it was typed directly by the user. Therefore the device would be able to do practically anything the user could. It wouldn't exactly be "silent", but it could be quite insidious. Alan Stern -- To unsubscribe from this list: send the line "unsubscribe linux-usb" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
