From: Ian Smith
To: freebsd-security@freebsd.org
Date: Mon, 18 Sep 2017 23:06:43 +1000 (EST)
Subject: BlueBorne
Message-ID: <20170918222439.W81507@sola.nimnet.asn.au>

Hi,

I suppose Those Who Need To Know would be onto this, but apart from this
newspaper article the other day, I've come across no other mention.

"Bluetooth flaw allows airborne viruses silently to attack
internet-enabled devices"

I know very little about Bluetooth, only recently starting to use it
myself between a couple of phones, but the linked-to PDF paper I found
interesting and informative, if not perhaps being overly alarmist?

Does this / might this / could this impact on FreeBSD's bt stack? I
flipped through https://lists.freebsd.org/pipermail/freebsd-bluetooth/
's last year pretty quickly, there's not a lot there.
After reading the paper I wouldn't dare try diving into this stack, I'd
never get back ..

cheers, Ian

From: Remko Lodder
To: Ian Smith
Cc: freebsd-security@freebsd.org
Date: Mon, 18 Sep 2017 16:23:31 +0200
Subject: Re: BlueBorne
Message-Id: <5AFB7CDA-43E9-46F5-AF71-ACA196C51BAD@FreeBSD.org>
In-Reply-To: <20170918222439.W81507@sola.nimnet.asn.au>
> On 18 Sep 2017, at 15:06, Ian Smith wrote:
>
> Hi,
>
> I suppose Those Who Need To Know would be onto this, but apart from this
> newspaper article the other day, I've come across no other mention.
>
> "Bluetooth flaw allows airborne viruses silently to attack
> internet-enabled devices"
>
> I know very little about Bluetooth, only recently starting to use it
> myself between a couple of phones, but the linked-to PDF paper I found
> interesting and informative, if not perhaps being overly alarmist?
>
> Does this / might this / could this impact on FreeBSD's bt stack? I
> flipped through https://lists.freebsd.org/pipermail/freebsd-bluetooth/
> 's last year pretty quickly, there's not a lot there. After reading the
> paper I wouldn't dare try diving into this stack, I'd never get back ..
>
> cheers, Ian

We believe that we are not affected at this stage.

Thanks,
Remko Lodder
on behalf of The FreeBSD Security Team
From: Ian Smith
To: Remko Lodder
Cc: freebsd-security@FreeBSD.org
Date: Tue, 19 Sep 2017 00:48:54 +1000 (EST)
Subject: Re: BlueBorne
Message-ID: <20170919004611.R81507@sola.nimnet.asn.au>
In-Reply-To: <5AFB7CDA-43E9-46F5-AF71-ACA196C51BAD@FreeBSD.org>

On Mon, 18 Sep 2017 16:23:31 +0200, Remko Lodder wrote:
> > On 18 Sep 2017, at 15:06, Ian Smith wrote:
> >
> > Hi,
> >
> > I suppose Those Who Need To Know would be onto this, but apart from this
> > newspaper article the other day, I've come across no other mention.
> >
> > "Bluetooth flaw allows airborne viruses silently to attack
> > internet-enabled devices"
> >
> > I know very little about Bluetooth, only recently starting to use it
> > myself between a couple of phones, but the linked-to PDF paper I found
> > interesting and informative, if not perhaps being overly alarmist?
> >
> > Does this / might this / could this impact on FreeBSD's bt stack? I
> > flipped through https://lists.freebsd.org/pipermail/freebsd-bluetooth/
> > 's last year pretty quickly, there's not a lot there. After reading the
> > paper I wouldn't dare try diving into this stack, I'd never get back ..
> >
> > cheers, Ian
>
> We believe that we are not affected at this stage.
>
> Thanks,
> Remko Lodder
> on behalf of The FreeBSD Security Team

Thanks Remko. Back to lurking ..

cheers, Ian
From: "Julian H. Stacey"
To: freebsd-usb@freebsd.org, freebsd-security@freebsd.org
Cc: "Astrid Jekat", Hans Petter Selasky
Date: Wed, 20 Sep 2017 20:06:55 +0200
Subject: Re.: BadUSB - On Accessories that Turn Evil, by Karsten Nohl + Jakob Lell
Message-Id: <201709201807.v8KI6tQM078780@fire.js.berklix.net>
Organization: http://berklix.eu BSD Linux Unix Consultants, Munich Germany

Hi usb@ & security@ freebsd.org,

hps@ (cc'd) introduced a FreeBSD Sysctl Oct 2014:
    hw.usb.disable_enumeration: 0
    dev.uhub.4.disable_enumeration: 0
    dev.uhub.3.disable_enumeration: 0
    dev.uhub.2.disable_enumeration: 0
    dev.uhub.1.disable_enumeration: 0
    dev.uhub.0.disable_enumeration: 0
which added some protection against USB devices that turn evil.
    https://lists.freebsd.org/pipermail/freebsd-usb/2014-October/013304.html
    https://lists.freebsd.org/pipermail/freebsd-security/2014-October/007976.html

A tiny diff to make it easier to grep sysctl descriptions:
    http://www.berklix.com/~jhs/src/bsd/fixes/FreeBSD/src/gen/sys/dev/usb/usb_hub.c.REL=12.0-CURRENT.diff

Chips shrink, imagine one hidden in a small arm band Micro-USB
adapter cable, as sold in one Euro/Pound shops. A picture of similar
    https://www.twist4-silikonarmbaender.de/
Probably some are made in China, perhaps in PLA owned factories.

Short cables, so to save losing it, it might be left plugged in.
At power on, a chip might do nothing but set a timer, & stay
in low power for 130 minutes, out waiting checkers before it starts
"Hi, I'm a keyboard + C:\n uname -a\n probes & commands"

(Combi scanner / printers & PS2 keyboard + mouse converters both
share 2 devices on 1 cable, so a 2nd dev on a physical interface
isn't intrinsically suspicious.)

To detect a Trojan cable, could one measure very low power consumption of a
supposedly passive cable not yet connected the other end to a device ?
My laptop + FreeBSD-current suggest low current detection is not possible ?

usbconfig shows all currents in multiples of 100mA (0mA)
(0mA) (0mA) (0mA) (100mA) (100mA) (100mA) (200mA) (500mA)

So probably not measurements made by the PC, but nominal ratings ?
& if it's merely the external device reporting its desired
rating, then useless to detect if a cable has a hidden device.

I'm not familiar with USB chip functionalities available,
but I looked at the code:

    /usr/src/usr.sbin/usbconfig/dump.c
        dump_device_info{
            usage = libusb20_dev_get_power_usage(pdev);
            printf("%s, cfg=%u md=%s spd=%s pwr=%s (%umA)\n", ... usage);

    man libusb20_dev_get_power_usage
        libusb20_dev_get_power_usage() returns the reported power usage in
        milliamps for the given USB device. A power usage of zero typically
        means that the device is self powered.

    /usr/src/lib/libusb/libusb20.c
        pdev->methods->get_power_usage(pdev, &power_usage);
            ugen20_get_power_usage
                ioctl(pdev->file_ctrl, IOUSB(USB_GET_POWER_USAGE)

    /sys/dev/usb/usb_generic.c: case USB_GET_POWER_USAGE:
        ugen_get_power_usage(f);

    /sys/dev/usb/usb_generic.c
        return (udev->power)

I suppose in desperation a dentist's X-Ray machine would give a view.

It'd be worse if an organisation buried evil chips in Power Banks
(batteries to recharge smart phones etc). It would be impossible
to detect low power consumed by a sleeping chip, that continues to
sleep long after a phone is plugged in to charge.
Smaller battery packs are around company promotional gift prices.
I recall the current FreeBSD sysctl provides switching per port,
but not per device type. I guess one could bodge a bit more security
by a script, approx:

    cp /etc/devd.conf.no_kbd /etc/devd.conf
    kill -9 `cat /var/run/devd.pid`
    /sbin/devd
    sysctl hw.usb.disable_enumeration=0        # Defences open.
    .... more specific port settings ?
    echo "Now Insert within 10 sec." ; sleep 10
    sysctl hw.usb.disable_enumeration=1
    cp /etc/devd.conf.with_kbd /etc/devd.conf
    kill -9 `cat /var/run/devd.pid`
    /sbin/devd

Keyboard is the long identified danger, but maybe there are
other dev types to protect against too, (ls /usr/share/man/man4),
Some devices such as 'da' I don't see as a problem, as for /dev/da
one can select on /etc/devd/*.conf "sernum" mount -o nosuid .. etc.

Ideally the USB system might offer more fine tuned defence, to have
some better defence than above, but as that's minority interest,
security companies might need to contribute to development of that.

Cheers,
Julian
--
Julian H. Stacey, Computer Consultant, BSD Linux Unix Systems Engineer, Munich
 Reply below, Prefix '> '. Plain text, No .doc, base64, HTML, quoted-printable.
 http://berklix.eu/queen/ Petition to get 3.5 million UK votes back

From: Hans Petter Selasky
To: "Julian H. Stacey", freebsd-usb@freebsd.org, freebsd-security@freebsd.org
Cc: Astrid Jekat
Date: Wed, 20 Sep 2017 22:18:02 +0200
Subject: Re: Re.: BadUSB - On Accessories that Turn Evil, by Karsten Nohl + Jakob Lell
In-Reply-To: <201709201807.v8KI6tQM078780@fire.js.berklix.net>

On 09/20/17 20:06, Julian H. Stacey wrote:
> A tiny diff to make it easier to grep sysctl descriptions:
> http://www.berklix.com/~jhs/src/bsd/fixes/FreeBSD/src/gen/sys/dev/usb/usb_hub.c.REL=12.0-CURRENT.diff

Hi,

Please wrap the long string in multiple pieces before committing it.
Looks good. Hope the sysctl has saved you some trouble :-)

--HPS

From: "WhiteWinterWolf (Simon)"
To: "Julian H. Stacey", freebsd-usb@freebsd.org, freebsd-security@freebsd.org
Cc: Hans Petter Selasky, Astrid Jekat
Date: Thu, 21 Sep 2017 12:23:26 +0200
Subject: Re: Re.: BadUSB - On Accessories that Turn Evil, by Karsten Nohl + Jakob Lell
In-Reply-To: <201709201807.v8KI6tQM078780@fire.js.berklix.net>

Hi Julian,

You don't need microscopic chips or highly engineered devices to
implement a working BadUSB attack. Nothing looks more like a Dell mouse
than another Dell mouse, and a malicious mouse offers plenty of space to
store all the chips you may want. USB sticks are also still widely found
(they have all required processing and memory by default) either as
promotional devices, to share documents or "lost" somewhere.

Moreover, a lot of legitimate USB devices can be reprogrammed through
USB. That's why, for instance, if you use an air-gapped computer you
should use SD cards instead of USB sticks to transfer data, as malware on
your networked computer may "enhance" your USB stick with BadUSB features
which would contaminate the air-gapped computer and establish a covert
channel, exfiltrating data (in particular encryption keys and passwords).

> Keyboard is the long identified danger, but maybe there are other dev
> types to protect against too

This is not a "maybe". There was a practical demonstration for instance
in a DefCon conference dedicated to BadUSB of a USB stick reprogrammed to
act as a fake network device.
The malicious device would very quickly:

- Declare itself as a networking device.
- Simulate a DHCP server on the fake network providing the address of a
  malicious DNS server.
- Drop networking device features.
- The new DNS server configuration remains kept by the host.

As a result, this USB stick allows changing the DNS server of a host,
opening the gate notably to man-in-the-middle attacks (and the whole
process was quite unnoticeable, no black console window popping up, AFAIR
there was just a change in the network icon shape in the notification bar
for a fraction of a second...).

* Regarding the solution you propose, I don't know how it would cope in
the following situations:

- Legitimate devices which dynamically change their USB configuration
  (their device type). Such a change is not a malicious trick but an
  integral part of how USB is designed and works. Examples of devices
  legitimately changing their USB configuration on-the-fly include mobile
  devices which by default only use USB as a power source and switch into
  something else when the user interactively selects an option in a
  device's menu. Another example is devices which upon connection first
  act as a mass storage device storing driver installation files, and when
  the drivers are already installed on the system the driver "pings" the
  device which as a result drops mass storage capabilities and turns
  itself into its actual type. Some consumer-grade modems for instance
  were known to offer such a feature to allow an easy installation of the
  driver.

- I don't know how this suggestion handles USB hubs, either legitimate USB
  hubs or faked ones simulated by malicious BadUSB devices to get around
  USB configuration change restrictions (actually, my guess is that
  simulating a USB hub may effectively bypass the suggested security
  feature).

* USB devices are identified by a class code (=the kind of device) and a
manufacturer ID.
The most promising counter-measure I've encountered so far against the
BadUSB attack is a firewall-like system allowing one to set the class
codes expected on each physical USB port. This allows for instance to set
the ports where you expect human interface devices (keyboard, mouse, etc.)
to be connected, the ports where mass storage devices (and nothing else)
are expected, and optionally a port where no device is accepted (you
would use this port only as a power source).

I don't know how USB is implemented in FreeBSD, but such functionality
might be implementable by intercepting the notifications of new USB
device configurations and rejecting configurations where the device class
and USB port information do not match the rules.

Regards,
Simon.

On 20/09/2017 at 20:06, Julian H. Stacey wrote:
> Hi usb@ & security@ freebsd.org,
> hps@ (cc'd) introduced a FreeBSD Sysctl Oct 2014:
>     hw.usb.disable_enumeration: 0
>     dev.uhub.4.disable_enumeration: 0
>     dev.uhub.3.disable_enumeration: 0
>     dev.uhub.2.disable_enumeration: 0
>     dev.uhub.1.disable_enumeration: 0
>     dev.uhub.0.disable_enumeration: 0
> which added some protection against USB devices that turn evil.
>     https://lists.freebsd.org/pipermail/freebsd-usb/2014-October/013304.html
>     https://lists.freebsd.org/pipermail/freebsd-security/2014-October/007976.html
>
> A tiny diff to make it easier to grep sysctl descriptions:
>     http://www.berklix.com/~jhs/src/bsd/fixes/FreeBSD/src/gen/sys/dev/usb/usb_hub.c.REL=12.0-CURRENT.diff
>
> Chips shrink, imagine one hidden in a small arm band Micro-USB
> adapter cable, as sold in one Euro/Pound shops. A picture of similar
>     https://www.twist4-silikonarmbaender.de/
> Probably some are made in China, perhaps in PLA owned factories.
>
> Short cables, so to save losing it, it might be left plugged in.
> At power on, a chip might do nothing but set a timer, & stay
> in low power for 130 minutes, out waiting checkers before it starts
> "Hi, I'm a keyboard + C:\n uname -a\n probes & commands"
>
> (Combi scanner / printers & PS2 keyboard + mouse converters both
> share 2 devices on 1 cable, so a 2nd dev on a physical interface
> isn't intrinsically suspicious.)
>
> To detect a Trojan cable, could one measure very low power consumption of a
> supposedly passive cable not yet connected the other end to a device ?
> My laptop + FreeBSD-current suggest low current detection is not possible ?
>
> usbconfig shows all currents in multiples of 100mA (0mA)
> (0mA) (0mA) (0mA) (100mA) (100mA) (100mA) (200mA) (500mA)
>
> So probably not measurements made by the PC, but nominal ratings ?
> & if it's merely the external device reporting its desired
> rating, then useless to detect if a cable has a hidden device.
>
> I'm not familiar with USB chip functionalities available,
> but I looked at the code:
>
>     /usr/src/usr.sbin/usbconfig/dump.c
>         dump_device_info{
>             usage = libusb20_dev_get_power_usage(pdev);
>             printf("%s, cfg=%u md=%s spd=%s pwr=%s (%umA)\n", ... usage);
>
>     man libusb20_dev_get_power_usage
>         libusb20_dev_get_power_usage() returns the reported power usage in
>         milliamps for the given USB device. A power usage of zero typically
>         means that the device is self powered.
>
>     /usr/src/lib/libusb/libusb20.c
>         pdev->methods->get_power_usage(pdev, &power_usage);
>             ugen20_get_power_usage
>                 ioctl(pdev->file_ctrl, IOUSB(USB_GET_POWER_USAGE)
>
>     /sys/dev/usb/usb_generic.c: case USB_GET_POWER_USAGE:
>         ugen_get_power_usage(f);
>
>     /sys/dev/usb/usb_generic.c
>         return (udev->power)
>
> I suppose in desperation a dentist's X-Ray machine would give a view.
>
> It'd be worse if an organisation buried evil chips in Power Banks
> (batteries to recharge smart phones etc).
> It would be impossible
> to detect low power consumed by a sleeping chip, that continues to
> sleep long after a phone is plugged in to charge.
> Smaller battery packs are around company promotional gift prices.
>
> I recall the current FreeBSD sysctl provides switching per port,
> but not per device type. I guess one could bodge a bit more security
> by a script, approx:
>
>     cp /etc/devd.conf.no_kbd /etc/devd.conf
>     kill -9 `cat /var/run/devd.pid`
>     /sbin/devd
>     sysctl hw.usb.disable_enumeration=0        # Defences open.
>     .... more specific port settings ?
>     echo "Now Insert within 10 sec." ; sleep 10
>     sysctl hw.usb.disable_enumeration=1
>     cp /etc/devd.conf.with_kbd /etc/devd.conf
>     kill -9 `cat /var/run/devd.pid`
>     /sbin/devd
>
> Keyboard is the long identified danger, but maybe there are
> other dev types to protect against too, (ls /usr/share/man/man4),
> Some devices such as 'da' I don't see as a problem, as for /dev/da
> one can select on /etc/devd/*.conf "sernum" mount -o nosuid .. etc.
>
> Ideally the USB system might offer more fine tuned defence, to have
> some better defence than above, but as that's minority interest,
> security companies might need to contribute to development of that.
>
> Cheers,
> Julian
>

From: Gary Jennejohn
To: Hans Petter Selasky
Cc: "Julian H. Stacey", freebsd-usb@freebsd.org, freebsd-security@freebsd.org, Astrid Jekat
Date: Thu, 21 Sep 2017 08:50:39 +0200
Subject: Re: Re.: BadUSB - On Accessories that Turn Evil, by Karsten Nohl + Jakob Lell
Message-ID: <20170921085039.7d9a029b@ernst.home>

On Wed, 20 Sep 2017 22:18:02 +0200
Hans Petter Selasky wrote:

> On 09/20/17 20:06, Julian H. Stacey wrote:
> > A tiny diff to make it easier to grep sysctl descriptions:
> > http://www.berklix.com/~jhs/src/bsd/fixes/FreeBSD/src/gen/sys/dev/usb/usb_hub.c.REL=12.0-CURRENT.diff
>
> Hi,
>
> Please wrap the long string in multiple pieces before
> committing it. Looks good.
> Hope the sysctl has saved you some
> trouble :-)
>

I suppose Hans means "submitting it." Julian should probably
open a bug report and attach his diff to it.

Julian did at one time, many years ago, have a commit bit. But I
doubt he does now.

--
Gary Jennejohn

From: "Julian H. Stacey"
To: Hans Petter Selasky
Cc: freebsd-usb@freebsd.org, freebsd-security@freebsd.org, Astrid Jekat
Date: Fri, 22 Sep 2017 00:20:03 +0200
Subject: Re: Re.: BadUSB - On Accessories that Turn Evil, by Karsten Nohl + Jakob Lell
Message-Id: <201709212220.v8LMK45d026318@fire.js.berklix.net>
In-reply-to: Your message "Wed, 20 Sep 2017 22:18:02 +0200."
Organization: http://berklix.eu BSD Unix Linux Consultants, Munich Germany

Hi all

Hans Petter Selasky wrote:
> On 09/20/17 20:06, Julian H. Stacey wrote:
> > A tiny diff to make it easier to grep sysctl descriptions:
> > http://www.berklix.com/~jhs/src/bsd/fixes/FreeBSD/src/gen/sys/dev/usb/usb_hub.c.REL=12.0-CURRENT.diff
>
> Hi,
>
> Please wrap the long string in multiple pieces

Done.

> before committing it.

See below

> Looks good. Hope the sysctl has saved you some trouble :-)

I'm not much exposed, but enthuse to others more exposed, how quickly
you provided it once the risk was spotted :-). Hopefully those most at
risk will enable it most, & like a firewall, may be ignorant if it saves
them. I'm going to have my /etc/rc.conf enable it for all domains where
`hostname` is not in my home domain.

> --HPS

> From: Gary Jennejohn
> I suppose Hans means "submitting it." Julian should probably
> open a bug report and attach his diff to it.

Done, https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=222505

> Julian did at one time, many years ago, have a commit bit. But I
> doubt he does now.

Yes unfortunately my commit bit evaporated way back, lack of use.
> From: "WhiteWinterWolf (Simon)"

Thanks for a post with many good points, starting:
> malicious mouse offers plenty of space to store all the chips you may

Thanks Gary for pointing out German CT magazine issue 18/2017
    https://www.heise.de/ct/ausgabe/2017-18-Gefahr-durch-angriffslustige-Hardware-3800729.html
For those who can't read German: Normally I just point to
    http://www.berklix.org/trans/
But currently as
- Google have damaged their translator, no longer accept URLs
- & Bing won't translate https, only http
Temporarily there's
    http://www.berklix.org/trans/ct/

Cheers,
Julian
--
Julian H. Stacey, Computer Consultant, BSD Linux Unix Systems Engineer, Munich
 Reply below, Prefix '> '. Plain text, No .doc, base64, HTML, quoted-printable.
 http://berklix.eu/queen/ Petition to get 3.5 million UK votes back.
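An added example, not from this thread and not FreeBSD's own code, of the class-per-port check Simon proposed earlier in the thread: it reads devd-style USB ATTACH notifications (the "!system=USB subsystem=DEVICE ..." / "subsystem=INTERFACE ..." lines devd publishes on its socket; the sample lines, the vendor/product ids, the ugen names and the POLICY table are all constructed for the example, and the exact set of variables FreeBSD emits is assumed, so compare against devd(8) and the USB event lines on a real host) and allows or denies a device by comparing its class against the classes expected on the physical port, identified here as the parent hub's ugen name plus port number. It also answers the two objections Simon raised: interface classes are checked as well as the device class, because a composite device reports devclass 0x00 and puts its real classes on its interfaces; and every ATTACH is evaluated afresh, so a device that re-enumerates as something else, or a device presenting itself as a hub, is judged again under the same port rule rather than slipping past it. What to do on a "deny" (for instance flipping that hub's disable_enumeration sysctl from the 2014 change, or detaching the device) is an operator choice and is not implemented here.

```python
#!/usr/bin/env python3
"""Port/class policy over FreeBSD devd USB notifications (illustrative).

Each physical port is (parent hub ugen name, port number) and maps to the
set of USB base class codes allowed there. Every ATTACH event is checked,
so a device that later re-enumerates with a different configuration is
simply evaluated again under the same rule.
"""
import re

# USB-IF base class codes used by the policy.
CLASS_PER_INTERFACE = 0x00  # device class 0: classes are declared per interface
CLASS_HID = 0x03
CLASS_MASS_STORAGE = 0x08
CLASS_HUB = 0x09

# Hypothetical policy (constructed): port 1 of root hub ugen0.1 is HID only,
# port 2 is mass storage only, port 3 is charge-only and accepts no device.
POLICY = {
    ("ugen0.1", 1): {CLASS_HID},
    ("ugen0.1", 2): {CLASS_MASS_STORAGE},
    ("ugen0.1", 3): set(),
}

_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_event(line):
    """Split a devd '!system=... key=value ...' notification into a dict."""
    if not line.startswith("!"):
        raise ValueError("not a devd notification: %r" % line)
    fields = {}
    for key, val in _KV.findall(line[1:]):
        fields[key] = val[1:-1] if val.startswith('"') else val
    return fields


class UsbPortPolicy:
    """Stateful checker: remembers which port each ugen device attached on,
    because INTERFACE events carry the ugen name but not the port."""

    def __init__(self, policy):
        self.policy = policy
        self.port_of = {}

    def decide(self, line):
        """Return (verdict, reason); verdict is 'allow', 'deny' or 'ignore'."""
        ev = parse_event(line)
        if ev.get("system") != "USB" or ev.get("type") != "ATTACH":
            return ("ignore", "not a USB ATTACH event")
        ugen = ev.get("ugen", "?")
        if ev.get("subsystem") == "DEVICE":
            key = (ev.get("parent", "?"), int(ev.get("port", "0")))
            self.port_of[ugen] = key
            cls = int(ev.get("devclass", "0"), 16)
            if cls == CLASS_PER_INTERFACE:
                # Nothing to judge yet: each INTERFACE event carries its own class.
                return ("allow", "%s: class declared per interface" % ugen)
        elif ev.get("subsystem") == "INTERFACE":
            key = self.port_of.get(ugen)
            if key is None:
                return ("deny", "%s: interface seen before its device" % ugen)
            cls = int(ev.get("intclass", "0"), 16)
        else:
            return ("ignore", "unhandled subsystem %s" % ev.get("subsystem"))
        allowed = self.policy.get(key)
        where = "%s port %d" % key
        if allowed is None:
            return ("deny", "%s: no policy for %s" % (ugen, where))
        if cls in allowed:
            return ("allow", "%s: class 0x%02x permitted on %s" % (ugen, cls, where))
        return ("deny", "%s: class 0x%02x not permitted on %s" % (ugen, cls, where))


def evaluate(lines, policy=POLICY):
    """Run a sequence of notification lines through one policy instance."""
    checker = UsbPortPolicy(policy)
    return [checker.decide(line) for line in lines]


# Constructed sample notifications in devd's '!' format; ids and names are made up.
SAMPLE_EVENTS = [
    # A keyboard on the HID-only port: composite device with one HID interface.
    '!system=USB subsystem=DEVICE type=ATTACH ugen=ugen0.2 cdev=ugen0.2 vendor=0x1234 product=0x0001 devclass=0x00 devsubclass=0x00 sernum="" release=0x0100 mode=host port=1 parent=ugen0.1',
    '!system=USB subsystem=INTERFACE type=ATTACH ugen=ugen0.2 cdev=ugen0.2 vendor=0x1234 product=0x0001 devclass=0x00 devsubclass=0x00 sernum="" release=0x0100 mode=host interface=0 endpoints=1 intclass=0x03 intsubclass=0x01 intprotocol=0x01',
    # A "storage" stick on the storage port that also exposes a HID interface.
    '!system=USB subsystem=DEVICE type=ATTACH ugen=ugen0.3 cdev=ugen0.3 vendor=0x1234 product=0x0002 devclass=0x00 devsubclass=0x00 sernum="ABC123" release=0x0100 mode=host port=2 parent=ugen0.1',
    '!system=USB subsystem=INTERFACE type=ATTACH ugen=ugen0.3 cdev=ugen0.3 vendor=0x1234 product=0x0002 devclass=0x00 devsubclass=0x00 sernum="ABC123" release=0x0100 mode=host interface=0 endpoints=2 intclass=0x08 intsubclass=0x06 intprotocol=0x50',
    '!system=USB subsystem=INTERFACE type=ATTACH ugen=ugen0.3 cdev=ugen0.3 vendor=0x1234 product=0x0002 devclass=0x00 devsubclass=0x00 sernum="ABC123" release=0x0100 mode=host interface=1 endpoints=1 intclass=0x03 intsubclass=0x00 intprotocol=0x00',
    # A hub appearing on the charge-only port.
    '!system=USB subsystem=DEVICE type=ATTACH ugen=ugen0.4 cdev=ugen0.4 vendor=0x1234 product=0x0003 devclass=0x09 devsubclass=0x00 sernum="" release=0x0100 mode=host port=3 parent=ugen0.1',
    # A DETACH is not a policy decision.
    '!system=USB subsystem=DEVICE type=DETACH ugen=ugen0.4 cdev=ugen0.4 vendor=0x1234 product=0x0003 devclass=0x09 devsubclass=0x00 sernum="" release=0x0100 mode=host port=3 parent=ugen0.1',
]

if __name__ == "__main__":
    for verdict, reason in evaluate(SAMPLE_EVENTS):
        print("%-6s %s" % (verdict, reason))
```

Because the port learned on the DEVICE event must still be known when the following INTERFACE events arrive, this belongs in a long-running consumer of devd's socket (assumed here to be /var/run/devd.pipe; check devd(8)) rather than in a per-event devd.conf action, which would start with an empty port_of table each time. Hub ugen names also depend on probe order, so a real deployment would key its ports on something more stable than the constructed "ugen0.1" used above.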