USG

The USG is a firewall for your USB ports.

Your computer automatically trusts every device you plug into it. But every USB device is actually a small embedded computer that runs software you cannot control.

USB driver exploits work by sending malformed or unexpected input to your computer's USB drivers. Your computer likely has hundreds of USB device drivers installed, and a programming error in any one of them leaves you exposed.

The USG blocks these attacks by passing data through an internal serial link with a very simple protocol. Only a limited number of safe commands are accepted by the receiving microprocessor, so no malformed or unexpected data is transmitted to your computer. This effectively blocks USB driver exploits.

Previously, previously, previously, previously, previously, previously.

Tags: ,

16 Responses:

  1. Aaron says:

    Neat! Now I can see what's on all these USB drives I keep finding in parking lots.

    • XuppdduX says:

      If, /// the OS had a fixed " " port, and the user's other uses of the port were blocked, or " let the OS reject and notify about any other types of device that appear." /// then would this port be a condom for the user installs? I bet a looky look would not cause much harm through this dongle though ...

  2. Kyzer says:

    Alternatively... operating systems could easily let their users configure "I will only plug <generic mass storage devices|generic PTP devices> into this port", and let the OS reject and notify about any other types of device that appear. Perhaps even prompt about what type of device it is, and let the user say "OK, yes, I did plug that in and do want to use it".

    Sure, people who don't actively do this won't benefit from the lockdown. But people who'd know and care about USB attacks enough to be aware that USG blocks exist are also the people who'd be willing to use such an OS feature if made available to them.

    • tfb says:

      This would be good, and I don't understand why, years after people knew about this kind of toxin, every OS doesn't do this.

      However it would almost certainly be better if the default was simply silently to reject anything odd (ie you plug it in, it just doesn't appear except for some obscure syslog message). Because when the system asks you 'do you really want to do this' people are going to answer yes, even though they neither know what they are doing nor would want to do it if they did.

      Of course that would basically be this I think.

  3. Asm says:

    Eeeh. This will maybe protect against some attacks, but not others. The good old trick of enumerating as a keyboard and "typing" in a script, then running it while re-enumerating as a flash drive holding the payload to be executed, will still work. And while you could defend against it by having the USG forbid re-enumerating devices without replugging the whole mess, that still leaves the fake keyboard issue.

    They should've added an option switch to it to only allow mass storage devices.

    • jwz says:

      It does block re-enumerating. But yes, "storage only" would be a good feature.

      You're being "That Meh Guy". Don't be that guy.

      • Nick Lamb says:

        It blocks devices which confess their sins. If a device explicitly re-enumerates, it get blocked. If instead a device just "goes away" - disconnecting and then re-connecting itself to come back moments later as something else this hardware has no idea about that.

        Today probably no-one does that. Working around it will be an obscure feature in somebody's USB malevolence toolkit. When every drooling conference attendee has one, all such devices will work around it. In this respect it's like trivial password scrambling, the first person to ever choose "p455w0rd" as their password can clap themselves on the back, but the thousandth person was just asking for the password dictionary to be made a little larger.

        Storage-only would probably not be very popular because it really shows up the USG's weaknesses. This device is USB Full Speed aka awfully slow, both as a cost saving measure and because slow is easier to do correctly. If you want to ensure a victim doesn't use their USG just tell them to read the 100MB PDF manual you included on your evil USB drive, after a minute or so they'll be exasperated and unplug the stupid thing.

        • James says:

          Is reenumeration after pushing a keyboard script something that actually works on consumer OSes?

      • Jaclyn says:

        Wham bam thank you, ma'am, my qusetions are answered!

  4. Dominance says:

    Does that really solve the problem or just make it the user's problem? Creating a debugging tool and debugging are two different things. Personally, I hate security prompts. You're just making me do the job you couldn't do.

  5. Dominance says:

    @Kyzer

    Does that really solve the problem or just make it the user's problem? Creating a debugging tool and debugging are two different things. Personally, I hate security prompts. You're just making me do the job you couldn't do.

  6. Walter says:

    Huh, it's an optocoupler.

  7. Andrew Klossner says:

    The firewall is SPI? They don't specify a clock rate. SPI doesn't usually clock faster than 10 Mbps or so. That's even slower than USB 1.0 speed.

  • Previously