From owner-freebsd-security@FreeBSD.ORG Mon Oct 6 19:56:44 2014 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 426A7221; Mon, 6 Oct 2014 19:56:44 +0000 (UTC) Received: from land.berklix.org (land.berklix.org [144.76.10.75]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id C654DF84; Mon, 6 Oct 2014 19:56:43 +0000 (UTC) Received: from mart.js.berklix.net (p57BCF751.dip0.t-ipconnect.de [87.188.247.81]) (authenticated bits=128) by land.berklix.org (8.14.5/8.14.5) with ESMTP id s96JrR8v034603; Mon, 6 Oct 2014 19:53:30 GMT (envelope-from jhs@berklix.com) Received: from fire.js.berklix.net (fire.js.berklix.net [192.168.91.41]) by mart.js.berklix.net (8.14.3/8.14.3) with ESMTP id s96JuL3A080791; Mon, 6 Oct 2014 21:56:21 +0200 (CEST) (envelope-from jhs@berklix.com) Received: from fire.js.berklix.net (localhost [127.0.0.1]) by fire.js.berklix.net (8.14.7/8.14.7) with ESMTP id s96Ju8S3089675; Mon, 6 Oct 2014 21:56:20 +0200 (CEST) (envelope-from jhs@berklix.com) Message-Id: <201410061956.s96Ju8S3089675@fire.js.berklix.net> To: freebsd-usb@freebsd.org Subject: BadUSB - On Accessories that Turn Evil, by Karsten Nohl + Jakob Lell From: "Julian H. Stacey" Organization: http://berklix.com BSD Linux Unix Consultants, Munich Germany User-agent: EXMH on FreeBSD http://www.berklix.com/free/ X-URL: http://www.berklix.com/~jhs/cv/ Date: Mon, 06 Oct 2014 21:56:08 +0200 Cc: freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 06 Oct 2014 19:56:44 -0000 Hi freebsd-usb@freebsd.org, (I suggest replies to usb@) cc: freebsd-security@freebsd.org FYI Ref. article on BadUSB pan OS (non FreeBSD specific) security loophole http://www.bbc.com/news/technology-29475566 Dated 6 October 2014 Last updated at 15:29 GMT I found https://github.com/search?utf8=%E2%9C%93&q=BadUSB Then viewed https://www.youtube.com/watch?v=nuruzFqMgIw ( Which BTW plays nicely inc. sound on FreeBSD-9.2-RELEASE + firefox without any flash installed (certainly no ports/graphics/gnash) A fascinating video by Lecturers Karsten Nohl & Jacob Lell at Black Hat USA 2014, Run time 44:30 ) (PS for non native English spekers on this global list, dont worry if you find Jacob's accent hard, Karsten resumes for last 3rd, listen on :-) It seems USB controllers (8041 or so based) can first masquerade one device, then pause & masquerade another device type. This is an OS independent security list. Lecturers includes both demo of an MS to Linux contamination, & consideration of other scenarios. A predominant USB controller manufacturer in Taipei was not happy. The lecturers didn't discuss MS or Linux or Android smart phone protection schemes (except to allude to the danger of someone saying "Can I plug in my smart phone to your PC to charge it ?". It can't be ignored as a smart phone exploit: the demo wasn't with a smart phone but a `dumb' stick. One can't get some protection by checking for sernum connecting, as devd shows: - my USB to PS2 adapter (vendor=0x04b4 product=0x8081) emits sernum="" - my real USB "Havit" keyboard (vendor=0x1241 product=0x1203) emits sernum="" For FreeBSD, I guess for serious security, every new device that is connected & recognised by /sbin/devd should in future be personaly authorised by a human ! One can no longer trust what reports itself to be eg a keyboard to actually Be a keyboard, etc. /usr/src/etc/devd/*.conf & my own .conf do Not meet that awkward security requirement... yet. I guess we'll need a couple of hooks that support Yes/No, one from cli & one for within X11. There's no security warning section in http://en.wikipedia.org/wiki/Flash_memory Cheers, Julian -- Julian Stacey, BSD Linux Unix'78 C Sys Eng Consultant Munich http://berklix.com Indent previous with "> ". Interleave reply paragraphs like a play script. Send plain text, not quoted-printable, HTML, base64, or multipart/alternative. ShellShock - http://www.berklix.com/~jhs/bash/