Linux Has a USB Driver Security Problem (bleepingcomputer.com) 156
Catalin Cimpanu, reporting for BleepingComputer: USB drivers included in the Linux kernel are rife with security flaws that in some cases can be exploited to run untrusted code and take over users' computers. The vast majority of these vulnerabilities came to light on Monday, when Google security expert Andrey Konovalov informed the Linux community of 14 vulnerabilities he found in the Linux kernel USB subsystem. "All of them can be triggered with a crafted malicious USB device in case an attacker has physical access to the machine," Konovalov said. The 14 flaws are actually part of a larger list of 79 flaws Konovalov found in Linux kernel USB drivers during the past months. Not all of these 79 vulnerabilities have been reported, let alone patched. Most are simple DoS (Denial of Service) bugs that freeze or restart the OS, but some allow attackers to elevate privileges and execute malicious code.
an attacker has physical access to the machine (Score:4, Informative)
Re: (Score:1)
I think you're confusing cryptography and steganography..
Re: (Score:2)
Nope, he isn't.
Re: (Score:2)
One solution to that problem is to completely (first to last sector) overwrite the disk with random data, then create a partition table and a legitimate filesystem on top of that, add some legitimate files, map the sectors that constitute free space of that filesystem to a logical contiguous block device, create crypto container on top of that, create filesystem on top of that, mount, enjoy.
Re: (Score:2)
A stack of hard disks sitting next to my computer and containing a total of around 8 TB actual pseudorandom data beg to differ. Also every hard drive that was bought used and sold by someone with a little knowledge.
Re:an attacker has physical access to the machine (Score:5, Insightful)
If all it takes is access to plug in a USB dongle, that's a different kind of access than being able to open up the machine and tinker with it. Secretary turns her back for a moment? Plug it in while you can.
Hell, with the tendency for people to plug in USB keys found on the street still to this day, that's all that would be required to exploit these flaws in an otherwise impenetrable building.
Comment removed (Score:5, Funny)
Re:an attacker has physical access to the machine (Score:5, Insightful)
Wow, Hollywood has actually been accurately portraying the state of security in Linux for years, and nobody realized!
If it turns out that the secretaries of the world have been running Linux all these years, I will be rather surprised :)
Re:an attacker has physical access to the machine (Score:5, Funny)
Wow, Hollywood has actually been accurately portraying the state of security in Linux for years, and nobody realized!
No, they haven't been portraying it accurately for years. But in the last few weeks we have seen actresses and secretaries in Hollywood coming forward with the story of what happens when they turn their backs and executive producers try to "plug it in while they can".
Re: (Score:2, Funny)
Of course, all it takes is a few plug-in attempts to create kernel panics...or is that moral panics?
Re:an attacker has physical access to the machine (Score:5, Interesting)
I've had it happen to me while I was developing a USB device. Plugged it into a Linux machine and it kernel panics immeidately. No, plug it into Windows and nothing happens.
It turned out I screwed up the USB descriptors I was returning - Linux didn't like that I set the descriptor type wrong.
Granted, this is something I did many many many years ago (around the time of the great east cost blackout) so I expect that it would be somewhat more robust now.
It's also interesting to see how different OSes reacted - the USB descriptor is a fixed size, but some OSes (Windows, notably) only do a partial request - I think it was 5 bytes - in order to get the USB descriptor type and length bytes, then it re-ran the request with the proper size. Linux at the time simply did a proper sized request - the descriptor size is fixed and unchanging so what Windows did was completely unnecessary unless it was to ensure that devices responded properly.
Re: (Score:2)
https://blogs.msdn.microsoft.c... [microsoft.com]
Re: (Score:2)
Meanwhile at Linus tech tips [youtube.com]...
Re: (Score:1)
Secretary accepts flash drive from student to print homework assignment on the office printer...
Re: (Score:3, Funny)
Re: (Score:1)
All the printers work in linux.
That was already true 15 years ago.
Re: (Score:1)
UNREALISTIC. Windows does not have these same vulns.
So, like the fellow that found the Linux vulnerabilities, obviously you've examined the Windows source code to ensure that Windows didn't have them, thus allowing you to make a definitive statement such as the one above.
Oh, wait ....
Re: (Score:1)
Well I know Plan9 is cannot be similarly affected, as it runs all USB drivers in userspace as separate processes. I know many Windows USB drivers run in userspace but I can't be certain all do. In any case it would be a good idea for Linux to scrap the shitty design that is kernel mode USB drivers and run the USB stack as a usermode helper with privsep+privdrop. Doing anything else is negligent engineering.
Re: an attacker has physical access to the machin (Score:2)
Re: (Score:2)
Re: (Score:2)
yeah windows doesn't have a feature called autoplay
Re: (Score:2)
Re: (Score:1)
It's important to understand that USB does not include any type of security or authentication. Secondly, it requires a custom USB device. Even many experienced developers are not in a position to craft such things. You're basically talking about embedded developers.
Such exploits are going to be fairly specialized AND you still require either physical access or social engineering to achieve the goal. Though a common form of social engineering is to drop USB drives in parking lots you would to exploit. This i
Re: (Score:2)
Secondly, it requires a custom USB device. Even many experienced developers are not in a position to craft such things. You're basically talking about embedded developers.
So what? All it takes is one or two embedded developers to craft such things with a barely usable management UI, flood Baidu or eBay with their wares, and then every man and his dog has access to one.
Re: (Score:3)
Embedded USB developer boards already exist [pjrc.com] and are just as cheap/easy to use as Arduinos.
Re: (Score:1)
Secretary turns her back for a moment? Plug it in while you can.
Hello sexual harassment lawsuit.
Re: (Score:1)
It's kinda sad that it's not common knowledge by now, but USB itself has physical hardware vulnerabilities that are not fixable at the driver level. Fixing the security flaws in the USB drivers is kinda like fixing the security flaws in a lock on a paper window.
Re: (Score:3)
Please tell me more. I recall a rather problematic security issue with early FireWire implementations that allowed direct access to a computer system's memory. Wasn't this used to break some DVD encryption keys? ThunderBolt might have similar problems but I have not looked into it thoroughly, this is likely much harder to fix since ThunderBolt is an extension of the PCI bus. ThunderBolt 3 uses USB-C for it's standard connection port, is this what you mean by a physical hardware vulnerability? This kind
Re: (Score:3)
What USB hardware vulnerabilities do you know about?
One exploit I remember from a few years back is a custom USB device emulating a keyboard and mouse can issue commands via keyboard shortcuts and mouse clicks [github.com].
Another one is emulating a network adapter to intercept and alter network traffic [boingboing.net].
Re: (Score:2)
Emulating a keyboard and mouse is not any more a "hardware vulnerability" than having access to PS/2 or any other input port that one might have access to. These kind of attacks have existing long before USB.
Emulating a network adapter is not much of a vulnerability either since one could also attack by Ethernet or wireless connection. This is also fairly simple to protect against by disabling the use of USB network adapters and/or setting routing priority on the computer.
I thought that there was somethin
Re: (Score:3)
I think you're falling in to the same trap as some other posters with "physical access = already pwned".
USB is somewhat more dangerous because they are also ubiquitous inconspicuous storage devices and computers often have multiple easy to access USB ports.
PS/2 ports are used exclusively for keyboard and mice and the ports are generally at the back of the computer, so you're not going to be able to trick someone into inserting a device like you could with something that looks like a USB stick and to do it y
Re: (Score:2)
The claim was that USB has physical vulnerabilities that are not fixable at the driver level. Problems of people inserting storage or network devices can be fixed by disabling or removing drivers for those devices. If access to front ports are a problem then disable the front ports. Disabling front ports can be done at the driver level, or BIOS level, and not just by filling them with glue.
Perhaps there is a problem where people need ready access to USB storage, so front ports cannot be disabled, AND nee
Re: (Score:2)
The other claim was that this was not common knowledge, but I'm pretty sure it's common knowledge that USB keyboards exist and drivers for them are standard install on most any operating system.
That's not the claim being made.
If someone wants to claim that it's not common knowledge that keyboard emulators can fit in a device that can be disguised as a flash drive then that might be something that could stand up.
That is the claim, and I would say it's a very safe claim to make.
But then someone would have to be engineered to plug in a flash drive and for some reason allow the device to "drive" the computer until the payload was delivered. If the person doing this was aware that the device would do this, such as being a party to the crack attempt, then this is still not something unique to USB. Such a person could easily be engineered to plug a device into a PS/2 port.
I disagree; Giving someone files on a USB stick is such a common and natural thing to do that the vast majority of people wouldn't think twice about it. Just leaving one lying around might be enough, and it may be possible to install a hack on a user's own USB stick [wonderhowto.com] if you can get brief access to it.
Giving someone a dongle to plug into a port that they may have never used on their computer (and increasingly isn
Re: (Score:2)
I disagree; Giving someone files on a USB stick is such a common and natural thing to do that the vast majority of people wouldn't think twice about it. Just leaving one lying around might be enough, and it may be possible to install a hack on a user's own USB stick if you can get brief access to it.
My comment was that people would have to plug this in, watch the device take over their screen and do nothing about it. That's going to take some crazy planning to distract the person or something, or as I pointed out the person would have to be in on the attack.
Giving someone a dongle to plug into a port that they may have never used on their computer (and increasingly isn't even present) would already be more suspicious, and only give you keyboard access with nothing else.
I point out the use of PS/2 and such just to show how old these attacks are. People have been doing this for a long time. The ports people use to plug in their keyboards have changed is all. You want someone to plug in a keylogger on their PC a
Re: (Score:2)
You're ignoring all the additional scenarios this opens up that wouldn't be possible otherwise -
Any company that deals with large digital documents where it's normal to receive files on usb sticks / drives.
Plugging a miniature USB stick into an unattended computer quickly and walking off.
Giving branded USB sticks away.
Leaving USB sticks lying around.
Your examples mostly revolve around already having social engineered a position of trust (if you're already doing maintenance on a user's machine what do you ne
Re: (Score:2)
You're ignoring all the additional scenarios this opens up that wouldn't be possible otherwise -
USB adds nothing that an an otherwise equivalently capable device could not do with another appropriate port.
Any company that deals with large digital documents where it's normal to receive files on usb sticks / drives.
The places I've been it's rare to send data on a flash drive as it does not prevent modification in transit. We use optical discs, CD-R, DVD-R, or BD-R, depending on the size. If the stack of polycarbon discs starts to look a bit think then its sent on a SAS drive in a pelican case. Each end will have the appropriate drive array for the caddy the drive is in. Many files are simply sent over the
Re: (Score:2)
USB adds nothing that an an otherwise equivalently capable device could not do with another appropriate port.
No other port has nearly the range of possible attacks or the ubiquity of use as USB.
The places I've been it's rare to send data on a flash drive as it does not prevent modification in transit. We use optical discs, CD-R, DVD-R, or BD-R, depending on the size. If the stack of polycarbon discs starts to look a bit think then its sent on a SAS drive in a pelican case. Each end will have the appropriate drive array for the caddy the drive is in. Many files are simply sent over the network through a number of data storage services, if the file cannot simply be e-mailed.
In niche / high security organizations sure, but most companies would be fine to receive files that way.
That's frowned upon. Depending on the time and place this is a breach of protocol, merely inconsiderate, and may involve a verbal reprimand. Such drives are to be handed to the person, placed in their mail box, or left with a neighboring coworker.
We're talking about hacking here, not colleagues playing pranks on each other. A disgruntled employee or even guest of the building could slip a small USB stick into a computer much more discreetly than even hooking a (much more limited capability) PS2 keylogger onto a system and easily go unnoticed.
There's enough distrust that I'm not sure this would go over well. They'd be examined or must come from a trusted party
Yeah you can tell empl
Re: (Score:2)
No other port has nearly the range of possible attacks or the ubiquity of use as USB.
That's just like saying every house has a front door therefore they are vulnerable. There's nothing inherently insecure about USB that previously common ports did not have.
USB combining keyboard/mouse with storage and network adds nothing or very little. The ubiquity of floppy and optical drives meant any storage based attack is no different than a flash drive attack, except maybe the speed and size but then computers have always getting smaller and faster. A keyboard emulator attack requires someone to
Re: an attacker has physical access to the machine (Score:2)
You're still completely missing the point of this -
A malicious USB device can bypass restrictions on autorun by using keyboard shortcuts to execute commands (eg. via win-r) that a storage-only attack can't.
A malicious USB device can execute an attack too quick to stop, and possibly before the user has even looked up at the screen again.
Computers can't realistically have their usb keyboard and mouse drivers disabled.
It's not making a mountain out of a mole hill, it's noting an interesting attack vector that
Re: (Score:2)
It's not making a mountain out of a mole hill, it's noting an interesting attack vector that the ubiquity and multi-function nature of USB makes possible.
You are about 15 years too late. This is not interesting now. USB came out over 20 years ago, and has been quite common since the early days of Windows XP and Mac OS X 15 years ago. If this was any real effective attack vector then maybe someone would have done more than just some interesting demonstrations with a $30 embedded computer. Sure, lots of things are possible if someone throws enough time and effort behind it. If this has somehow escaped into the wild then maybe it can be "interesting".
Very
Re: (Score:2)
Well that's a really silly thing to say isn't? That there hasn't been any known attacks but now cheap powerful usb dev boards are available and people are releasing proof of concept code, there still won't be any attacks? Dear me, next you'll be saying KRACK attack is nothing because it's been sitting in plain sight in the wpa2 spec for 10 years!
Re: (Score:2)
I didn't say there won't be any attacks, I said that there are no reports of this style of attack being successful against anyone, therefore this threat is merely theoretical. If this moves out of theory into practice then we might have something "interesting". Since this has remained theoretical for 20 years then my expectations of such a thing happening anytime soon are quite low.
Maybe someone could find these hacks useful for something that doesn't involve breaking into another computer. I have some i
Re: (Score:2)
I mean, it is more than theoretical now though as there is readily available hardware and several working proof of concepts. Certainly one to keep an eye on.
Re: (Score:2)
Yes and no. Denial of service is easy for some of the drivers, on more than just Linux. Just say your device descriptor has the maximum number of interfaces, each interface has the maximum number of endpoints, and things like that. But then again, you can just have a USB device that fries your computer completely since it's really a big supercap.
Now taking over a computer this way is harder. Certainly there could be exploits, but I don't necessarily think this is just Linux either.
Re: (Score:2)
Thats how the penetration testers often work. They charm or sneak into a building past security and put a usb device into any computer they need to get access to.
They are from "tech support", know the boss and want to show a "charity" movie the boss is interested in to the staff
Someone grants access to their computer and usb to "help" the expert.. or the now trusted person the boss knows...
Re: (Score:2)
you're already pwned
Not really, especially today when great steps have been made towards creating physical security for computers.
We have self-encrypting SSDs, and AMD's latest parts support encrypted RAM. The keys are stored in secure enclaves of the CPU, so things like cold boot attacks and removing RAM doesn't work any more.
Combine that with a secure OS and secure boot via UEFI and the machine is pretty difficult to p0wn even with physical access. You would need to get to the level of replacing firmware in some critical per
Linux kernel USB drivers (Score:3, Interesting)
I think i found the problem. Kernel Space drivers are always prone to these kinds of problems. This is not new.
The depth of the problem is newish, but only because someone peeked in and saw flaws.
Re: (Score:1)
That's why we have https://www.kernel.org/doc/Documentation/usb/authorization.txt
now, that it is not used it is a whole different matter
Sandbox (Score:3)
I'm assuming these things happen because the USB device drivers load microcode from the USB device? If so why can't these things be sandboxed-- no reason to give them file access or network access or even much memory. If it's a matter of top line speed then let the user decide-- sandbox by default and let the user have a switched labeled "open your mouth and close your eyes-- give me a tiny bit more speede in return for butt neckid security."
Re: (Score:2)
I'm assuming these things happen because the USB device drivers load microcode from the USB device?
No.
The tool referred to does "fuzzing". That means it talks the protocol, but tries a variety of minor corruptions to the packets it sends, to see if any of them exercise a bug in the drivers on the other end of the wire.
So any bugs found are in the driver and related to defective error-checking on incoming messages, not to hypothetical code loaded from the USB peripheral.
(Granted, if some driver DID do somet
Re: (Score:2)
No microcode. However there's an enumeration process that involves reading data from the device. Ie, you can try to override some internal buffers of the buggy driver by claiming to have longer descriptors than it has room for.
Re: (Score:2)
I don't know of any USB device drivers that loads microcode from a USB device. There are plenty that do it the other way around - the USB is just a bootloader + RAM, with the application code stored in the driver and loaded every time it is plugged in.
The issue is that the USB device sends device descriptors to the computer that describe what it is and how to talk to it. By looking at that data the OS can device which driver to assign to it. By sending malformed descriptors you can trigger bugs in the Linux
Re: (Score:3, Informative)
Re: (Score:2)
Re: (Score:3)
Re: (Score:2)
Re: (Score:2)
Pretty much everything on that website is a USB keyboard. Doesn't work if the PC you plug it in to is locked or not logged in. You may as well use the keyboard that's already plugged in.
Re: (Score:2)
Re: (Score:2)
Different OS. If you're using "cifsmount" for /home/ user or something similar you might be vulnerable. If the lock-screen gets you to a desktop that can only run SSH, VNC over SSH, or a locked-down HTTPS-only browser, not so much. Then again, the attack described in that article isn't just a USB thing... someone could probably build a male RJ45 dongle that runs the same attack.
Re: (Score:2)
That's not discreet. The point is to create a device that emulates a usb keyboard which can be automated to inject commands into the system.
This is not unique to USB, any port that allows the connection of a keyboard (PS/2, ADB, whatever) will allow someone to inject commands into a computer at a speed faster than people can type.
If there is a need to keep it discreet then hide it in something that's common to an office environment, like a hollowed out highlighter or dry erase marker. Why not just hide the device in an actual keyboard? Most keyboards I've seen have a hollowed out back, room enough for plenty of circuitry. Even better if the
Re: (Score:2)
It's also a mouse/keyboard emulator in the background, but the user doesn't easily notice that.
That's just crazy talk. People will notice their mouse pointer moving and things getting typed.
Meanwhile plugging in a foreign PS/2 device has never been a thing, so it would be a rather weird and suspicious thing to do.
People have been plugging in crazy and "suspicious" things all the time. A PS/2 keylogger would be only a short cable with a "ferrite choke" in the middle (which actually contained the electronics) and installed as a "noise filter". In reality it transmitted every keystroke to anyone with the right kind of receiver. The fancier ones had two-way action. A storage device, from floppies to CD-Rs to Zip cartridge
Re: (Score:2)
Three of those "hacks" are just devices that emulate keyboards, that's not unique to USB since something that can emulate PS/2 could do the same. The ability to have storage as part of the USB device does add some capability since files can be copied over but if there is internet access then files can be downloaded. Without internet access and sufficient time at the computer a keyboard emulator (PS/2, ADB, whatever) could input executable scripts or even enter and compile code. This is nothing a person c
Re: (Score:2)
I don't know why you got modded as flamebait because this is spot on. There are other mitigations to reduce the USB risk which are appropriate in most cases as it's not usually feasible to block the ports but some risk remains. Ultimately most environments need USB keyboards & mice so if your badUSB device emulates an HP or IBM keyboard then it's likely to get through any USB device control in place.
There are lots of environments where the biggest threat comes from the people who have physical access.
Re: Physical access (Score:1)
The fact is USB is inherently vulnerable (Score:2, Interesting)
Linux drivers can mitigate that but they will never stop the problems in the USB spec.
Every USB Drive can emulate a keyboard (Score:2)
So when you plug in a flash drive, you are giving control of your entire computer to it. Every time. Like when your kids give you a USB with something to print from their virus riddled school.
At least Windows is no longer supposed to automatically execute code it finds on the drive (or CD, if that is what the USB is emulating). But it is *long* over due that I should be able to plug in a USB drive and still be safe. May need special ports. Or a rule that Keyboards are only detected on startup. Etc.
Re: (Score:2)
Vulnerabilities present and reported in the kernel-based DRIVER FOR A TOY since *2003*
What are you talking about?
Re: (Score:1)
The first mistake. Having an operating system.
Re: Can't believe I'm saying it but... apk (Score:2)
Re: (Score:1, Insightful)
Why can't Linus in his infinite wisdom do the same?
If Linux was a microkernel architecture kernel, it would be safer, but slower by about 20%. So the reason is speed.
20% slower? (Score:2)
Re: (Score:2)
How many context switches to draw a pixel?
Seems like a good thing! (Score:4, Informative)
Severs in locked data centers - safe
PCs in locked offices / homes - safe
Laptops - safe if you shut it down and have bios password to enable boot, probably safe with encrypted root fs, provided machine is shutdown to begin with.
Laptop in yours own hands - safe
Now all those consumer devices that the manufacture won't let you have access to, ROOTED!
This is a win.
Re: (Score:2)
Re: (Score:2)
--Anymore, one of the only devices you can "trust" plugging a random USB device into would be a Raspberry Pi. Cheap and disposable if necessary; you can run ClamAV tests from there, and see if it lets out the magic smoke.
Android (Score:2)
So, i guess it affects android too..
Oh, i see your phone is low on battery, here - have a charger
Re: (Score:2)
Qubes OS solution: USB VM (Score:1, Redundant)
Authors of Qubes OS have long stated that monolithic kernel crappiness means that Linux, Windows kernels cannot be used effectively for security. The solution is to isolate the risk (large attack surface) they pose using relatively secure type-1 hypervisors. USB and NIC/wifi/bluetooth controllers are compartmentalized in their own virtual machines.
Re: (Score:1)
It's a trade. Security vs performance. Always is.
Can we have PS/2 ports back now? (Score:4, Interesting)
I've worked in secure environments and as someone that has obtained security certifications I see all kinds of problems with USB beyond improperly coded drivers. One common practice not that long ago was to disable any USB ports to stop people from plugging in things they weren't supposed to. This was only possible while PS/2 ports for keyboards and mice were still commonplace. (There was also that short period where some Apple computers had both ADB and USB ports.)
I like USB-C. It's quite the improvement over what we've had before. I am a bit concerned on how this affects the security of our devices in the future. Controlling things like someone offering a "charger" for a laptop or cell phone to try to sneak into a device can be managed in many ways. Dedicated ports for video, keyboard, mouse, and even Ethernet had inherent security in that they did only so much which prevented certain security issues. Will all these ports go away and be replaced with USB-C?
Again, I really like USB-C as it adds convenience and capability that nothing else offered before. It also adds security issues that a simple list of "dos and don'ts" cannot cover for many less technically knowledgeable people to follow. Securing computers from many kinds of attacks is going to be an increasingly difficult problem unless we get off this mentality of one port to rule them all.
Maybe we'll see some means to better secure USB. Maybe we'll see computer systems that will allow one to disable anything that is not a HID or power device from being recognized on USB in the firmware. Maybe OS developers will provide better granularity on what USB ports are allowed to do.
Maybe we'll get PS/2 ports back again. Probably not. I do think something has to give. If we can't have the inherent security of feature limited ports then we will need some security through better management of the ports that replace them.
Re: (Score:2)
PS/2 and USB HID devices are just as much of a security risk, possibly more so. Simply emulate a keyboard and you can type arbitrary commands into the machine. You might even be able to wake it up from sleep mode in the middle of the night.
Re: (Score:2)
PS/2 is a security risk? Really - I thought it was pretty safe. Sure, you can plug in a keyboard emulator, but you've still got to get past the login screen to do anything. For you to be able to read back the result of your password cracking, you'd have to decode the VGA signal.
Given the choice between a USB port or a PS/2 + VGA on the back of a server, PS/2 is the more secure choice. What makes most sense on your laptop is up for a bit more debate, but seeing as that has a screen and keyboard already, I'd
Filter USB? (Score:2)
With a dongle : http://hexus.net/tech/news/per... [hexus.net]
With some Linux 'firewalls' : USBGuard, https://github.com/dkopecek/us... [github.com] , USBauth, https://github.com/kochstefan/... [github.com]
Nice paper on LWV, that's still paying this week but will become free after 8 days as usual : https://lwn.net/Articles/73830... [lwn.net]
HTH,
Hervé
BTW : anyone in region 06 in France wishing to share shipping costs for the dongle?
Re: (Score:1)
You need to eject or safely remove your penis.