Protection against USB HID attacks

Postby ilu » 25 Aug 2017 10:59

Does anybody know configuration options to protect against USB HID attacks? Only using my own pen drives is not a practical option for me.

I've read this https://incenp.org/notes/2014/disable-n ... vices.html and this https://security.stackexchange.com/ques ... ux-desktop and while it looks like at least something, it seems to be more a workaround. There was also a mention of

This https://wiki.gentoo.org/wiki/Allow_only ... sb_devices seems to implement a kind of "off switch" which would be perfect, but, if I understand correctly, it requires a custom kernel. This https://github.com/pmsosa/duckhunt doesn't have Linux support up to now. This https://github.com/dkopecek/usbguard looks promising - it's already in Debian's repos (https://packages.debian.org/stable/utils/usbguard).

Has anybody tried anything? Any other ideas?

Postby kurotsugi » 28 Aug 2017 00:29

IIRC it's an old issue from several years ago. Unfortunately, there isn't much we can do about it. Though, to be fair, there are several things to consider.
1. You can assume that no vendor is trying to do it. Manipulating the firmware means that your hardware will malfunction. No one wants to buy a malfunctioning device.
2. The attacker in this case is someone who is specifically attacking you. If you have no enemies you can assume that you won't get affected by this issue.
3. The way the attacker works: he plugs in his device > steals your data/does malicious stuff with your system > retrieves his device. Which means he needs to physically access your system.
4. The things that can be done are limited. AFAIK the attack was mostly done to steal your data and nothing else.

The actual risk is actually much lower. Well... what are the chances you get targeted by a spy? IIRC this issue was quickly ignored.

The idea behind BadUSB is that a malicious agent re-flashes a device's USB controller chip to do something nasty. This is an interesting possibility, but there are some serious assumptions here that people tend to gloss over:

1: The USB controller chip has to allow firmware flashing over the USB connection

This is a security vulnerability for sure if it's possible. If this is allowed, then any host that the device is plugged in to can permanently alter the characteristics of the device. Generally this requires special equipment and direct access to the chip's physical pins, but if a manufacturer decided to expose the functionality over the USB protocol, then that is cause for alarm in itself, and should be reported as a vulnerability in that product. It is not, however, a flaw in the protocol itself.

The fact that 3 of the 4 scheduled demos involve chips from Phison Electronics suggests that the researcher discovered just such a vulnerability in a specific product.

2: The device has to be physically capable of the activity you're attempting

By flashing your device's firmware, you can get a thumb drive to report itself as a network adapter. But that doesn't make it actually a network adapter, it just means that the computer will talk to it as if it was one. So now your computer starts talking to your Verbatim Store-n-Go using the driver for the D-Link DUB-E100. But unless the Store-n-Go has the corresponding hardware interface found in the D-Link, all you have is a broken USB stick.

If the USB stick has a relatively powerful microcontroller on board, you might be able to re-program it. But "powerful" and "USB peripheral" don't usually go together.

3: The computer has to be willing to play along

One of the examples cited is teaching a device to act like a network adapter, and then assuming that all traffic will be looped through it on any computer you plug it in to. That's... a stretch. To make that happen, your computer has to be already configured to set any newly connected network adapter as the new default gateway. I'm not sure if Windows is that eager for change, but if you've ever configured networking on a Linux computer, you know that it's never that simple.

The Take-Away

This whole concept isn't all bunk. If a device allows re-flashing by any connected host, that's an issue. I can safely state with 100% certainty that it won't lead to the calamities pushed by the associated breathless news articles. But it's worth attention.

And more importantly, USB is powerful, and powerful means potentially dangerous. Connecting a device over USB necessarily means altering the way your computer behaves, and very, very dangerous things are possible. We've known this since the 90's. Use all due caution when attaching things to your computer. But this new discovery changes very little; the new attacks possible here aren't nearly as powerful as what already exists, the new danger is that it blurs the line between "trusted" and "untrusted" devices.

Postby ilu » 28 Aug 2017 12:40

BadUSB devices are mail-ordered really cheap nowadays (nobody has to flash anything) and they can easily be configured for a complete takeover. That quote is 3 years old; these devices now usually identify themselves as keyboards (HID). That way they can enter any code the user is allowed to.
You don't need enemies to be wary - it's enough if you work in an area where you have to ensure that secrets are kept.

kurotsugi wrote: what are the chances you get targeted by a spy?
Actually, if you are working in the right business - reasonably high. Also ransom attacks have spread lately with devastating consequences. There's a reason why some admins seal all USB slots with glue.
You can reduce the risk if you never leave your USB slots unguarded and only use your own pendrives but if you have to interchange pendrives you are in trouble. If you have friends with weird ideas about a good hoax you might be in trouble too.

Anyway, I was not asking whether this is a problem for you, but what would be possible to do against it.

Postby kurotsugi » 29 Aug 2017 01:51

Well... I asked because different attackers and different attack mechanisms will require different anticipation methods. There are several ways to keep us safe:
1. Physically block the USB port.
2. Disable the USB port.
3. Use something like usbguard.
4. Disable autostart and execution functionality from USB.

Number 1 is the most safe and 4 is less safe. Security is against ease of use, so you'll need to pick which one is best for you. What you need to consider is that the attack consists of two parts: (i) masking the device as HID, (ii) executing scripts. Keep in mind that masking the device as HID does no harm to your system. The script does. The key to making you safe is how to prevent script execution and limit the privilege.

Linux by default limits the user privilege, so in most cases you'll be safe unless the attacker specifically exploits an unpatched security hole in your system. For example, even if the attacker uses something as dangerous as the "rm -rf /" command, nothing harmful is done. The kernel won't execute it. If you're still worried, using something like SELinux and AppArmor could be useful too.

That being said, by the nature of the attack (i.e. the script needs to be executed with enough privilege), in reality it's hard to execute the attack. Without an escalated privilege, even Linux without additional security stuff is enough to block these attacks. Hence, this issue was quickly ignored.

Postby Arjen Balfoort » 29 Aug 2017 05:47

This is an interesting subject!

I was just thinking: are users of Wine potentially more vulnerable to these kinds of attacks?


SolydXK needs you!
Development | Testing | Translations

Postby ilu » 29 Aug 2017 14:13

kurotsugi wrote: Keep in mind that masking the device as HID does no harm to your system. The script does. The key to making you safe is how to prevent script execution and limit the privilege.
Actually, no. You can't stop script execution as long as the user can execute them. And the user needs that right. So you have to prevent the USB HID from registering without user intervention.

kurotsugi wrote: Linux by default limits the user privilege, so in most cases you'll be safe unless the attacker specifically exploits an unpatched security hole in your system. For example, even if the attacker uses something as dangerous as the "rm -rf /" command, nothing harmful is done.
A malicious script can do a lot of harmful things with just user privileges. And who would want "rm -rf /"? Planting a script to later send the content of /home/Documents to the attacker's server would be more like it. I don't know the details but escalated privileges are not needed.

kurotsugi wrote: That being said, by the nature of the attack (i.e. the script needs to be executed with enough privilege), in reality it's hard to execute the attack. Without an escalated privilege, even Linux without additional security stuff is enough to block these attacks. Hence, this issue was quickly ignored.
It's absolutely not ignored, it's used. "Lose" these devices on the parking deck and wait for the well-meaning and curious employee to pick it up ... or plug your device in while the computer owner went away to fetch a cup of coffee for you ... Obviously these are office situations.

Schoelje wrote: I was just thinking: are users of Wine potentially more vulnerable to these kinds of attacks?
We had a pen tester demonstrate his skills. He used Win10 but just said: Linux is way easier because it has so many more tools to use.
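
Keeping an unexpected HID from registering unnoticed starts with knowing which attached devices expose a keyboard-class interface. The following is an added example, not part of the original posts: a shell function that walks the kernel's USB sysfs tree and reports every device with a HID interface (class 03) whose vendor:product ID is not on an allowlist. The allowlist path, the function names and the sample IDs are assumptions, and the sample tree is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Reports USB devices that expose a HID
# interface (bInterfaceClass 03) and are not on an allowlist.

# unknown_hid_devices [SYSROOT] [ALLOWLIST]
#   SYSROOT   defaults to the kernel's /sys/bus/usb/devices
#   ALLOWLIST hypothetical file, one vendor:product ID per line
unknown_hid_devices() {
    sysroot=${1:-/sys/bus/usb/devices}
    allowlist=${2:-/etc/usb-hid-allowlist}
    # Interface directories are named <device>:<config>.<interface>
    for cls in "$sysroot"/*:*/bInterfaceClass; do
        [ -r "$cls" ] || continue
        [ "$(cat "$cls")" = "03" ] || continue
        intf=$(basename "$(dirname "$cls")")
        dev="$sysroot/${intf%%:*}"          # strip ":1.0" to get the device
        id="$(cat "$dev/idVendor"):$(cat "$dev/idProduct")"
        # Skip IDs the user has explicitly approved
        grep -qixF "$id" "$allowlist" 2>/dev/null && continue
        echo "$id"
    done | sort -u
}

# Constructed sample tree that mimics the sysfs layout, for offline use:
# 1-1 is an approved keyboard, 1-2 is a storage stick that also claims
# to be a HID device.
make_sample_tree() {
    root=$1
    mkdir -p "$root/1-1" "$root/1-1:1.0" "$root/1-2" "$root/1-2:1.0" "$root/1-2:1.1"
    echo 046d > "$root/1-1/idVendor"; echo c31c > "$root/1-1/idProduct"
    echo 03 > "$root/1-1:1.0/bInterfaceClass"   # HID
    echo 1234 > "$root/1-2/idVendor"; echo abcd > "$root/1-2/idProduct"
    echo 08 > "$root/1-2:1.0/bInterfaceClass"   # mass storage
    echo 03 > "$root/1-2:1.1/bInterfaceClass"   # HID on the same device
}

# Audit the running system:   unknown_hid_devices
# Audit the constructed tree: make_sample_tree /tmp/demo && \
#                             unknown_hid_devices /tmp/demo /path/to/allowlist
```

This only reports devices that are already enumerated; blocking them before a driver binds is what usbguard, mentioned earlier in the thread, is for.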

Postby ilu » 01 Mar 2018 21:38

On a vaguely related note: I just saw this https://www.kde.org/info/security/advis ... 0208-2.txt

When a vfat thumbdrive which contains `` or $() in its volume label is plugged
and mounted through the device notifier, it's interpreted as a shell command,
leaving a possibility of arbitrary commands execution. An example of offending
volume label is "$(touch b)" which will create a file called b in the
home folder.
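
The bug class behind the advisory quoted above, shown as an added example (not Plasma's code and not part of the original posts): a volume label pasted into a command string is parsed again by the shell, while the same label passed as a positional argument stays data. The function names are hypothetical and the label is a harmless constructed one.

```shell
#!/bin/sh
# Added example, not KDE's code: why a volume label must never be pasted
# into a string that a shell parses.

# Vulnerable pattern: the label becomes part of the command text, so the
# inner shell performs command substitution on backticks and $(...).
notify_unsafe() {
    sh -c "printf 'Mounted volume: %s\n' \"$1\""
}

# Hardened pattern: the command text is fixed and the label is handed
# over as argument $1, so it is never re-parsed.
notify_safe() {
    sh -c 'printf "Mounted volume: %s\n" "$1"' sh "$1"
}

# Defensive check before a label is displayed or logged: flag the two
# constructs named in the advisory.
label_is_suspicious() {
    case $1 in
        *'`'*|*'$('*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed, harmless label in the same form as the advisory's example.
SAMPLE_LABEL='$(echo INJECTED)'

# notify_unsafe "$SAMPLE_LABEL"   runs the embedded command
# notify_safe   "$SAMPLE_LABEL"   prints the label literally
```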

Postby Arjen Balfoort » 02 Mar 2018 07:30

Confirmed.

I created a fat32 USB and ran this command:

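Code:

# Format the partition as FAT32 (erases whatever is on /dev/sdc1)
sudo mkfs.vfat /dev/sdc1 -F 32
# Set the volume label to the example string from the advisory
sudo fatlabel /dev/sdc1 '$(touch b)'
# Print the label back to confirm it was written
sudo fatlabel /dev/sdc1

The file was created as soon as the USB was inserted.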

"plasmashell --version" returned "plasmashell 5.8.6" which confirms the vulnerability. However, I think that the risk is low and also there's not much I can do about it. :(


Postby ilu » 02 Mar 2018 18:05

No, of course not. I just thought I should mention it.

There's also a new attack vector against 2FA USB devices (YubiKey) using a feature called WebUSB from Google Chrome. It seems that the Chrome browser now has the ability to directly address USB devices. The devil rode the idiots who implemented that "feature" ...

Postby kurotsugi » 03 Mar 2018 15:57

Should we implement AppArmor by default?

Postby ilu » 23 Aug 2018 03:32

Just a follow up: Now they've realised the same attack using just cables ... https://vincentyiu.co.uk/usbharpoon/

