
Your computer automatically trusts every device you plug into it. But every USB device is actually a small embedded computer that runs software you cannot control.
USB driver exploits work by sending malformed or unexpected input to your computer's USB drivers. Your computer likely has hundreds of USB device drivers installed, and a programming error in any one of them leaves you exposed.
The USG blocks these attacks by passing data through an internal serial link with a very simple protocol. Only a limited number of safe commands are accepted by the receiving microprocessor, so no malformed or unexpected data is transmitted to your computer. This effectively blocks USB driver exploits.
Previously, previously, previously, previously, previously, previously.
Neat! Now I can see what's on all these USB drives I keep finding in parking lots.
If, /// the OS had a fixed " " port, and the user's other uses of the port were blocked, or " let the OS reject and notify about any other types of device that appear." /// then would this port be a condom for the user installs? I bet a looky look would not cause much harm through this dongle though ...
Alternatively... operating systems could easily let their users configure "I will only plug <generic mass storage devices|generic PTP devices> into this port", and let the OS reject and notify about any other types of device that appear. Perhaps even prompt about what type of device it is, and let the user say "OK, yes, I did plug that in and do want to use it".
Sure, people who don't actively do this won't benefit from the lockdown. But people who'd know and care about USB attacks enough to be aware that USG blocks exist are also the people who'd be willing to use such an OS feature if made available to them.
This would be good, and I don't understand why, years after people knew about this kind of toxin, every OS doesn't do this.
However it would almost certainly be better if the default was simply silently to reject anything odd (ie you plug it in, it just doesn't appear except for some obscure syslog message). Because when the system asks you 'do you really want to do this' people are going to answer yes, even though they neither know what they are doing nor would want to do it if they did.
Of course that would basically be this I think.
The same reason every other known exploit which has remained unpatched for more than a few years doesn't get fixed: law enforcement or intelligence agencies have come to depend on them and have national security letters in place prohibiting them from being fixed.
Is there evidence for this? Not a rhetorical question: it seems disturbingly plausible to me.
We know that NSLs include orders to "not disable, suspend, lock, cancel or interrupt" services and channels of communication, beyond demands for information and silence. And we know that Feds reject compliance with their own "Vulnerability Equities Process" regulations, keeping all but e.g., one Apple vulnerability ever to themselves after purchasing them from ~~organized crime~~ the private sector who will surely continue to sell them.
Eeeh. This will maybe protect against some attacks, but not others. The good old trick of enumerating as a keyboard and "typing" in a script, then running it while re-enumerating as a flash drive holding the payload to be executed, will still work. And while you could defend against it by having the USG forbid re-enumerating devices without replugging the whole mess, that still leaves the fake keyboard issue.
They should've added an option switch to it to only allow mass storage devices.
It does block re-enumerating. But yes, "storage only" would be a good feature.
You're being "That Meh Guy". Don't be that guy.
It blocks devices which confess their sins. If a device explicitly re-enumerates, it gets blocked. If instead a device just "goes away", disconnecting and then re-connecting itself to come back moments later as something else, this hardware has no idea about that.
Today probably no-one does that. Working around it will be an obscure feature in somebody's USB malevolence toolkit. When every drooling conference attendee has one, all such devices will work around it. In this respect it's like trivial password scrambling, the first person to ever choose "p455w0rd" as their password can clap themselves on the back, but the thousandth person was just asking for the password dictionary to be made a little larger.
Storage-only would probably not be very popular because it really shows up the USG's weaknesses. This device is USB Full Speed aka awfully slow, both as a cost saving measure and because slow is easier to do correctly. If you want to ensure a victim doesn't use their USG just tell them to read the 100MB PDF manual you included on your evil USB drive, after a minute or so they'll be exasperated and unplug the stupid thing.
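As an added example (not from the post, the commenters, or the USG project), here is a Python sketch of the per-port class allowlist proposed above, extended with the check the later comments argue about: a port whose device comes back claiming a different class than it had before is rejected rather than accepted. The descriptors are constructed inline, not captured from real hardware, and the port policy class is hypothetical.

```python
import struct

# USB class codes (from the USB-IF class code list)
MASS_STORAGE, STILL_IMAGE_PTP, HID = 0x08, 0x06, 0x03
NAMES = {MASS_STORAGE: "mass storage", STILL_IMAGE_PTP: "PTP", HID: "HID"}

def device_classes(dev_desc: bytes, config_desc: bytes) -> set:
    """Classes a device claims: bDeviceClass (byte 4 of the 18-byte device
    descriptor) plus bInterfaceClass of every interface descriptor (type 0x04)
    in the configuration descriptor. bDeviceClass 0 means 'per interface'."""
    if len(dev_desc) != 18 or dev_desc[1] != 0x01:
        raise ValueError("not a USB device descriptor")
    classes = {dev_desc[4]} if dev_desc[4] != 0 else set()
    pos = 0
    while pos + 2 <= len(config_desc):          # walk bLength-prefixed descriptors
        length, dtype = config_desc[pos], config_desc[pos + 1]
        if length < 2:
            raise ValueError("malformed descriptor: bLength < 2")
        if dtype == 0x04 and length >= 9:
            classes.add(config_desc[pos + 5])   # bInterfaceClass
        pos += length
    return classes

class PortPolicy:
    """Hypothetical per-port allowlist; remembers what each port last held so a
    device that returns claiming a different class is rejected, not trusted."""
    def __init__(self, allowed):
        self.allowed, self.last_seen = set(allowed), {}

    def attach(self, port, dev_desc, config_desc):
        classes = device_classes(dev_desc, config_desc)
        names = lambda cs: ", ".join(NAMES.get(c, hex(c)) for c in sorted(cs))
        bad = classes - self.allowed
        if bad:
            return ("reject", f"{port}: class not allowed here: {names(bad)}")
        prev = self.last_seen.get(port)
        if prev is not None and prev != classes:
            return ("reject", f"{port}: was {names(prev)}, now {names(classes)}")
        self.last_seen[port] = classes
        return ("accept", f"{port}: {names(classes)}")

# Constructed sample descriptors (not from real hardware): a device descriptor
# with bDeviceClass 0, and configurations carrying one interface plus two endpoints.
DEV_DESC = struct.pack("<BBHBBBBHHHBBBB", 18, 1, 0x0200, 0, 0, 0, 64,
                       0x1234, 0x5678, 0x0100, 1, 2, 3, 1)

def config_with_interface(cls, sub, proto):
    iface = struct.pack("<9B", 9, 4, 0, 0, 2, cls, sub, proto, 0)
    eps = struct.pack("<BBBBHB", 7, 5, 0x81, 2, 64, 0) + struct.pack("<BBBBHB", 7, 5, 0x02, 2, 64, 0)
    return struct.pack("<BBHBBBBB", 9, 2, 9 + len(iface) + len(eps), 1, 1, 0, 0x80, 50) + iface + eps

FLASH_DRIVE = config_with_interface(MASS_STORAGE, 0x06, 0x50)   # SCSI, bulk-only transport
KEYBOARD = config_with_interface(HID, 0x01, 0x01)               # HID boot-protocol keyboard
```

Rejections carry a message meant for the "reject and notify" path rather than a yes/no prompt, matching the argument above that silent rejection plus a log entry beats asking the user.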
Is reenumeration after pushing a keyboard script something that actually works on consumer OSes?
Wham bam thank you, ma'am, my questions are answered!
@Kyzer
Does that really solve the problem or just make it the user's problem? Creating a debugging tool and debugging are two different things. Personally, I hate security prompts. You're just making me do the job you couldn't do.
Huh, it's an optocoupler.
The firewall is SPI? They don't specify a clock rate. SPI doesn't usually clock faster than 10 Mbps or so. That's even slower than USB 1.0 speed.