Dave Tian <dave.jing.tian@xxxxxxxxx> writes: > BadUSB[1] attacks show that everyone can change the firmware adding > new functionalities/interfaces, e.g., a usb driver with a > keyboard/input interface. The question seems deeper than it looks like > - we/users probably want to know: Oh, good point -- I don't think anyone has considered what would happen if some *other* device on the machine got hacked remotely and pretended to be a ChaosKey. > 1. a chaoskey is a usb key rather than a keyboard (though it may contain an input interface, like Yubikey) > > For the 1st issue, GoodUSB[2] allows user to specify the desired the > interfaces the device should have, and disable all other requested > interfaces from the device. That, at least, would be easy to accomplish in the ChaosKey driver itself -- verify that the device had precisely the interfaces expected and entirely ignore it otherwise. > 2. a chaoskey is actually a legit key from chaos (though I have no > idea what the chaoskey would enumerate itself…) > > Answering the 2nd questions seems more challenging, since the final > question would be how we could authenticate the device. Remember that > everything (PID/VID..) from the firmware is not trusted. There are few > solutions I can think about: > 1. Disable the firmware update from the manufacturer We have already done this -- the firmware cannot be updated unless you have physical access to the device. You must insert a jumper wire into the board and then insert the device for it to boot in 'firmware update' mode. > 2. Sign the firmware - I have no idea where the signature is saved on > the device and how the host retrieves the signature from the device Yeah, signing the firmware in the device doesn't sound interesting; that seems subject to a trivial replay attack. However, providing an interface where the device could prove that it holds a certain private key might allow us to protect against spoofing devices. The trick with this would be securing the key from disclosure without actually loading a TPM chip onto the board. That seems intractable to me. -- -keith
Attachment:
signature.asc
Description: PGP signature
