From: Polytropon <freebsd@edvax.de>
To: byrnejb@harte-lyne.ca
Cc: freebsd-questions@freebsd.org
Date: Tue, 20 Jun 2017 22:03:49 +0200
Subject: Re: Fwd: [cros-discuss] Hacking possibility? Real or not?
Message-Id: <20170620220349.d17430b8.freebsd@edvax.de>
Organization: EDVAX
X-Mailer: Sylpheed 3.1.1 (GTK+ 2.24.5; i386-portbld-freebsd8.2)

On Tue, 20 Jun 2017 11:15:58 -0400, James B. Byrne via freebsd-questions wrote:
>
> On Tue, June 20, 2017 06:38, Matthew Seaman wrote:
> > On 2017/06/20 10:23, Matthias Apitz wrote:
> >> In the mailing list about Chromium OS there is some interesting discussion
> >> about some attack vector using a USB plug-in with some Raspberry
> >> system behind it to offer the OS a USB keyboard and ethernet and
> >> in the end take over the system. More of the discussion here:
> >>
> >> https://groups.google.com/a/chromium.org/forum/?hl=en#!topic/chromium-os-discuss/UqbGh2kHaVw
> >>
> >> and the full technical description here:
> >>
> >> https://samy.pl/poisontap/
> >>
> >> As far as I can see, the same attack would be possible as well on
> >> FreeBSD, maybe not so easy because devd(8) must be configured
> >> and the module for ethernet on USB, cdce(4), must be loaded in advance.
> >>
> >
> > Isn't this yet another manifestation of physical access to the
> > hardware being almost impossible to secure against? Don't plug
> > in any strange USB devices kids, and don't let your portable kit
> > out of your control so that other people could take liberties
> > with your USB ports either.
>
> Every USB device contains a controller which itself operates on the
> basis of flashable microcode. Few such controllers have any
> safeguards against being reprogrammed. Consequently, any physical
> access to any USB port on a host allows an attacker to permanently
> corrupt and infect the USB device controller(s) on a target system.
> As such malware likely contains code to prohibit further reprogramming,
> the infection is permanent and removal of the affected hardware is the
> only remedy. On most modern computers this requires discarding the
> motherboard.
>
> This issue was demonstrated at BlackHat-2014.

I think you're referring to "BadUSB". For reference and context:

https://arstechnica.com/security/2014/07/this-thumbdrive-hacks-computers-badusb-exploit-makes-devices-turn-evil/
https://www.blackhat.com/us-14/briefings.html#badusb-on-accessories-that-turn-evil

With physical access to a machine, no matter if via USB or other means,
it's more or less game over, and no OS mechanism can prevent that.
As Valeri mentioned, physical security always is part of the game. ;-)

Regarding the initial submission, I think FreeBSD configuration
determines what happens when a new network device is found (even
if it's just an emulated one). In the "worst" case, the system recognizes
the interface and then does nothing - no DHCP request. That "stops"
the attack at this point. Everything else explained depends on the
network functionality being established. PoisonTap's primary
operation is to act within a network.

-- 
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
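As an added example (not part of the thread above), a small audit script for the point Polytropon makes: it reads what an rc.conf tells FreeBSD to do with a newly attached USB ethernet interface such as the ue0 that a cdce(4) device produces, and reports whether that interface would send a DHCP request at all. It assumes the ifconfig_<ifn> / ifconfig_DEFAULT lookup and the NOAUTO keyword as documented in rc.conf(5), and that devd's IFNET attach hook hands the new interface to rc.d/netif; the sample rc.conf contents are constructed, not taken from any real host.

```shell
#!/bin/sh
# Added example, not from the original thread. Audits what rc.conf would do
# with a newly attached USB ethernet interface (cdce(4) devices attach as ueN),
# following the ifconfig_<ifn> / ifconfig_DEFAULT lookup from rc.conf(5).
# Assumption: devd's IFNET ATTACH rule hands the new interface to rc.d/netif.

# usb_if_policy RCCONF IFNAME -> prints NOAUTO | DHCP | STATIC | NONE
usb_if_policy() {
    rcconf=$1; ifn=$2
    # Explicit ifconfig_<ifn>="..." wins; the last assignment in the file counts.
    spec=$(sed -n "s/^ifconfig_${ifn}=\"\{0,1\}\([^\"]*\)\"\{0,1\}.*/\1/p" "$rcconf" | tail -n 1)
    # Otherwise fall back to ifconfig_DEFAULT, which covers any unlisted interface.
    if [ -z "$spec" ]; then
        spec=$(sed -n 's/^ifconfig_DEFAULT="\{0,1\}\([^"]*\)"\{0,1\}.*/\1/p' "$rcconf" | tail -n 1)
    fi
    case "$spec" in
        *NOAUTO*) echo NOAUTO ;;   # interface is left unconfigured on attach
        *DHCP*)   echo DHCP ;;     # a DHCP request goes out to whatever was plugged in
        "")       echo NONE ;;     # no entry at all: interface comes up without an address
        *)        echo STATIC ;;   # fixed address, no DHCP exchange
    esac
}

# Constructed sample configurations (not real hosts).
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/rc.conf.permissive" <<'EOF'
hostname="laptop"
# catch-all: every unlisted interface, including a surprise ue0, asks for DHCP
ifconfig_DEFAULT="DHCP"
EOF
cat > "$SAMPLES/rc.conf.hardened" <<'EOF'
hostname="laptop"
ifconfig_em0="DHCP"
# USB ethernet gets no automatic configuration; bring it up by hand if wanted
ifconfig_ue0="NOAUTO"
EOF

for f in permissive hardened; do
    echo "$f: ue0 -> $(usb_if_policy "$SAMPLES/rc.conf.$f" ue0)"
done
```

The permissive file reports DHCP for ue0 (the catch-all applies to the emulated NIC too), the hardened one reports NOAUTO, which is the "recognizes the interface and then does nothing" case from the reply.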