On Fri, 17 Oct 2014, Greg KH wrote:

> > Given the ability to update a USB device's firmware, a black hat can
> > easily modify the firmware of an innocent-looking USB flash drive. The
> > new firmware can include an HID interface that presents itself to the
> > host as a keyboard.
> >
> > When an unsuspecting user plugs the device into his computer, any data
> > sent out by the bad firmware over the keyboard interface will appear
> > (to the host) as if it was typed directly by the user. Therefore the
> > device would be able to do practically anything the user could.
> >
> > It wouldn't exactly be "silent", but it could be quite insidious.
>
> Google 'USB rubber ducky', you can turn that device into a device that
> looks like anything else quite easily if you want to, so you have to be
> aware of what you plug into your machine.
>
> The only thing new here is that now people know how to turn devices that
> were previously not thought to be programmable, now are. So if you have
> malware running on a machine, and you plug your USB stick into it, it
> could change it to be something else for when you plug that into a
> different machine, which can do the 'bad keyboard/mouse' trick.
>
> There isn't anything "exploitable" on the host OS side of this, through
> the USB interface directly, or that the USB spec is somehow "totally
> insecure" as the original post was asserting.

The exploitability lies in what you mentioned above: that you have to be
aware of what you plug into your machine, and that devices that were
previously thought not to be corruptible actually are. Taken together,
these two ingredients make up a recipe for a social exploit: reprogram an
innocent-looking device and give it to someone who doesn't realize how
dangerous it could be.

Furthermore, there's no reasonable way to test for this sort of attack.
That is, given a USB device, you can't easily determine whether the
firmware it contains is dangerous without exposing yourself to the danger.
The only effective defense is never to plug in a USB device unless you
know it has never been used by anybody else.

Alan Stern
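As an added example that is not part of this thread, a host-side check in Python for the combination the quoted message describes, a mass-storage device that also presents a HID keyboard interface; it reads the per-interface bInterfaceClass/bInterfaceProtocol attributes the way Linux exposes them under /sys/bus/usb/devices, and the sample tree it scans is constructed in a temporary directory. It only sees what the device chooses to advertise at the moment of the scan, so it narrows the problem rather than solving it.

```python
import os
import tempfile

HID, STORAGE, KEYBOARD_PROTO = "03", "08", "01"  # sysfs shows class/protocol as 2-digit hex

def _read(path):
    try:
        with open(path) as f:
            return f.read().strip().lower()
    except OSError:
        return ""  # missing attribute: treat as unknown

def interfaces_by_device(sysfs_root):
    """Map device name ('1-2') -> [(class, protocol)] from interface entries like '1-2:1.0'."""
    devices = {}
    for entry in sorted(os.listdir(sysfs_root)):
        if ":" not in entry:
            continue  # device directory, not an interface
        idir = os.path.join(sysfs_root, entry)
        devices.setdefault(entry.split(":")[0], []).append(
            (_read(os.path.join(idir, "bInterfaceClass")),
             _read(os.path.join(idir, "bInterfaceProtocol"))))
    return devices

def suspicious_devices(sysfs_root):
    """Devices advertising both a HID boot keyboard and a mass-storage interface."""
    flagged = []
    for dev, ifaces in interfaces_by_device(sysfs_root).items():
        has_kbd = any(c == HID and p == KEYBOARD_PROTO for c, p in ifaces)
        has_storage = any(c == STORAGE for c, _ in ifaces)
        if has_kbd and has_storage:
            flagged.append(dev)
    return flagged

def make_sample_tree():
    """Constructed stand-in for /sys/bus/usb/devices (sample data, not a real host)."""
    root = tempfile.mkdtemp()
    sample = {"1-2:1.0": ("08", "50"),   # mass storage, bulk-only transport
              "1-2:1.1": ("03", "01"),   # ...plus a keyboard on the same device
              "1-3:1.0": ("03", "02"),   # ordinary mouse
              "1-4:1.0": ("08", "50")}   # ordinary flash drive
    for iface, (cls, proto) in sample.items():
        idir = os.path.join(root, iface)
        os.makedirs(idir)
        for name, value in (("bInterfaceClass", cls), ("bInterfaceProtocol", proto)):
            with open(os.path.join(idir, name), "w") as f:
                f.write(value + "\n")
    return root
```

On a real host, call suspicious_devices("/sys/bus/usb/devices"); a flagged device can be refused by writing 0 to the authorized attribute in that device's directory.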