On Fri, Oct 17, 2014 at 10:58:15AM -0400, Alan Stern wrote: > On Fri, 17 Oct 2014, Greg KH wrote: > > > > now that is harming the user even if the code to do it is 100% > > > nicely written legal code. > > > > Again, there should never be a way for a USB device to arbitrarily > > execute code on your processor. That's not part of the USB spec, and > > does not happen on Linux at all. If it does, please let us know and it > > will be fixed. So far, none of the "BadUSB" stuff actually does this, > > so that is not an issue. > > On Fri, 17 Oct 2014, Peter Stuge wrote: > > > It should become clear that what you describe just isn't possible. > > > > Not everything that is published (on internet or elsewhere) is > > actually correct. > > I don't think the situation is quite so rosy as you guys seem to > believe. > > Given the ability to update a USB device's firmware, a black hat can > easily modify the firmware of an innocent-looking USB flash drive. The > new firmware can include an HID interface that presents itself to the > host as a keyboard. > > When an unsuspecting user plugs the device into his computer, any data > sent out by the bad firmware over the keyboard interface will appear > (to the host) as if it was typed directly by the user. Therefore the > device would be able to do practically anything the user could. > > It wouldn't exactly be "silent", but it could be quite insidious. Google 'USB rubber ducky', you can turn that device into a device that looks like anything else quite easily if you want to, so you have to be aware of what you plug into your machine. The only thing new here is that now people know how to turn devices that were previously not thought to be programmable, now are. So if you have malware running on a machine, and you plug your USB stick into it, it could change it to be something else for when you plug that into a different machine, which can do the 'bad keyboard/mouse' trick. There isn't anything "exploitable" on the host OS side of this, through the USB interface directly, or that the USB spec is somehow "totally insecure" as the original post was asserting. thanks, greg k-h -- To unsubscribe from this list: send the line "unsubscribe linux-usb" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
