From owner-freebsd-usb@freebsd.org Wed Sep 20 19:09:53 2017
From: "Julian H. Stacey" <jhs@berklix.com>
To: freebsd-usb@freebsd.org, freebsd-security@freebsd.org
Cc: "Astrid Jekat", Hans Petter Selasky
Subject: Re.: BadUSB - On Accessories that Turn Evil, by Karsten Nohl + Jakob Lell
Date: Wed, 20 Sep 2017 20:06:55 +0200
Organization: http://berklix.eu BSD Linux Unix Consultants, Munich Germany
Message-Id: <201709201807.v8KI6tQM078780@fire.js.berklix.net>

Hi usb@ & security@ freebsd.org,

hps@ (cc'd) introduced a FreeBSD sysctl in Oct 2014:

  hw.usb.disable_enumeration: 0
  dev.uhub.4.disable_enumeration: 0
  dev.uhub.3.disable_enumeration: 0
  dev.uhub.2.disable_enumeration: 0
  dev.uhub.1.disable_enumeration: 0
  dev.uhub.0.disable_enumeration: 0

which added some protection against USB devices that turn evil.
  https://lists.freebsd.org/pipermail/freebsd-usb/2014-October/013304.html
  https://lists.freebsd.org/pipermail/freebsd-security/2014-October/007976.html

A tiny diff to make it easier to grep sysctl descriptions:
  http://www.berklix.com/~jhs/src/bsd/fixes/FreeBSD/src/gen/sys/dev/usb/usb_hub.c.REL=12.0-CURRENT.diff

Chips shrink; imagine one hidden in a small arm-band Micro-USB adapter
cable, as sold in one Euro/Pound shops. A picture of something similar:
  https://www.twist4-silikonarmbaender.de/
Probably some are made in China, perhaps in PLA-owned factories. Short
cables, so to save losing it, it might be left plugged in. At power on, a
chip might do nothing but set a timer, & stay in low power for 130 minutes,
out-waiting checkers, before it starts "Hi, I'm a keyboard + C:\n uname -a\n
probes & commands".
(Combi scanner/printers & PS2 keyboard + mouse converters both share 2
devices on 1 cable, so a 2nd dev on a physical interface isn't intrinsically
suspicious.)

To detect a Trojan cable, could one measure the very low power consumption
of a supposedly passive cable not yet connected at the other end to a
device? My laptop + FreeBSD-current suggest low current detection is not
possible?

usbconfig shows all currents in multiples of 100mA:
  (0mA) (0mA) (0mA) (0mA) (100mA) (100mA) (100mA) (200mA) (500mA)
So probably not measurements made by the PC, but nominal ratings? & if it's
merely the external device reporting its desired rating, then it's useless
to detect if a cable has a hidden device.

I'm not familiar with USB chip functionalities available, but I looked at
the code:

  /usr/src/usr.sbin/usbconfig/dump.c
    dump_device_info{
      usage = libusb20_dev_get_power_usage(pdev);
      printf("%s, cfg=%u md=%s spd=%s pwr=%s (%umA)\n", ... usage);

  man libusb20_dev_get_power_usage
    libusb20_dev_get_power_usage() returns the reported power usage in
    milliamps for the given USB device. A power usage of zero typically
    means that the device is self powered.

  /usr/src/lib/libusb/libusb20.c
    pdev->methods->get_power_usage(pdev, &power_usage);
    ugen20_get_power_usage
      ioctl(pdev->file_ctrl, IOUSB(USB_GET_POWER_USAGE)

  /sys/dev/usb/usb_generic.c:
    case USB_GET_POWER_USAGE:
      ugen_get_power_usage(f);
  /sys/dev/usb/usb_generic.c
    return (udev->power)

I suppose in desperation a dentist's X-ray machine would give a view.

It'd be worse if an organisation buried evil chips in power banks
(batteries to recharge smart phones etc). It would be impossible to detect
the low power consumed by a sleeping chip that continues to sleep long after
a phone is plugged in to charge. Smaller battery packs are around company
promotional gift prices.

I recall the current FreeBSD sysctl provides switching per port, but not
per device type. I guess one could bodge a bit more security by a script,
approx:

  #!/bin/sh
  # Swap in a devd.conf that does not attach keyboards, open enumeration
  # for a 10 second insertion window, then lock it again.
  cp /etc/devd.conf.no_kbd /etc/devd.conf
  kill -9 `cat /var/run/devd.pid`
  /sbin/devd
  sysctl hw.usb.disable_enumeration=0    # Defences open.
  # .... more specific port settings ?
  echo "Now Insert within 10 sec." ; sleep 10
  sysctl hw.usb.disable_enumeration=1
  cp /etc/devd.conf.with_kbd /etc/devd.conf
  kill -9 `cat /var/run/devd.pid`
  /sbin/devd

Keyboard is the long-identified danger, but maybe there are other dev types
to protect against too (ls /usr/share/man/man4). Some devices such as 'da'
I don't see as a problem, as for /dev/da one can select in /etc/devd/*.conf
on "sernum", mount -o nosuid .. etc.

Ideally the USB system might offer more fine-tuned defence, to have some
better defence than above, but as that's minority interest, security
companies might need to contribute to development of that.

Cheers,
Julian
-- 
Julian H. Stacey, Computer Consultant, BSD Linux Unix Systems Engineer, Munich
 Reply below, Prefix '> '. Plain text, No .doc, base64, HTML, quoted-printable.
 http://berklix.eu/queen/ Petition to get 3.5 million UK votes back
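The mail traces the "(100mA)" figure from usbconfig down to udev->power and concludes it is a rating the device reports rather than something the host measures. The example below, added here and not taken from the mail or from FreeBSD's sources, makes that concrete by parsing a configuration descriptor in the standard USB 2.0 layout: the figure is bMaxPower (one byte, in units of 2mA) and the self-powered flag is one bit of bmAttributes, both sent by the device and never verified by the host. The same walk lists the interfaces the descriptor declares, which is how a "storage plus keyboard" composite device announces itself. The descriptor bytes are constructed for the example; that FreeBSD fills udev->power from this field is my reading, the mail's trace stops at udev->power.

```python
"""Added example: parse a USB configuration descriptor (USB 2.0 layout) and
show which byte the host's "(100mA)" power figure comes from.  The descriptor
bytes below are constructed for the example, not captured from a device."""
import struct
from dataclasses import dataclass

DT_CONFIGURATION = 0x02
DT_INTERFACE = 0x04
BM_SELF_POWERED = 0x40          # bit 6 of bmAttributes
KEYBOARD = (0x03, 0x01, 0x01)   # HID class, boot subclass, keyboard protocol


@dataclass(frozen=True)
class Interface:
    number: int
    alt_setting: int
    cls: int
    subclass: int
    protocol: int


@dataclass(frozen=True)
class ConfigInfo:
    declared_power_ma: int      # bMaxPower * 2: what the device *claims* it draws
    self_powered: bool          # bmAttributes bit 6: also a claim by the device
    interfaces: tuple


def parse_configuration(blob: bytes) -> ConfigInfo:
    """Walk a configuration descriptor and its sub-descriptors.

    Stops on a short bLength or a truncated buffer instead of looping,
    since a misbehaving device controls every byte here."""
    if len(blob) < 9 or blob[0] != 9 or blob[1] != DT_CONFIGURATION:
        raise ValueError("not a configuration descriptor")
    total_len = struct.unpack_from("<H", blob, 2)[0]
    bm_attributes, b_max_power = blob[7], blob[8]
    end = min(total_len, len(blob))
    interfaces = []
    offset = 9
    while offset + 2 <= end:
        length, dtype = blob[offset], blob[offset + 1]
        if length < 2 or offset + length > end:
            break                               # malformed or truncated
        if dtype == DT_INTERFACE and length >= 9:
            interfaces.append(Interface(
                number=blob[offset + 2], alt_setting=blob[offset + 3],
                cls=blob[offset + 5], subclass=blob[offset + 6],
                protocol=blob[offset + 7]))
        offset += length                        # skip endpoint/HID/other descriptors
    return ConfigInfo(declared_power_ma=b_max_power * 2,
                      self_powered=bool(bm_attributes & BM_SELF_POWERED),
                      interfaces=tuple(interfaces))


def is_boot_keyboard(iface: Interface) -> bool:
    """True for a HID boot-protocol keyboard interface (class 3 / 1 / 1)."""
    return (iface.cls, iface.subclass, iface.protocol) == KEYBOARD


# Constructed: a composite device declaring one mass-storage interface, one
# boot-protocol keyboard interface, bus powered, bMaxPower = 0x32 (50 * 2 mA).
COMPOSITE_CONFIG = bytes.fromhex(
    "09 02 39 00 02 01 00 80 32"        # configuration, wTotalLength = 57
    "09 04 00 00 02 08 06 50 00"        # interface 0: mass storage / SCSI / BBB
    "07 05 81 02 00 02 00"              # bulk IN endpoint
    "07 05 02 02 00 02 00"              # bulk OUT endpoint
    "09 04 01 00 01 03 01 01 00"        # interface 1: HID / boot / keyboard
    "09 21 11 01 00 01 22 3f 00"        # HID descriptor
    "07 05 83 03 08 00 0a"              # interrupt IN endpoint
)

if __name__ == "__main__":
    info = parse_configuration(COMPOSITE_CONFIG)
    print(f"device declares {info.declared_power_ma} mA, "
          f"self_powered={info.self_powered}")
    for iface in info.interfaces:
        tag = " <- keyboard" if is_boot_keyboard(iface) else ""
        print(f"  interface {iface.number}: class "
              f"{iface.cls:#04x}/{iface.subclass:#04x}/{iface.protocol:#04x}{tag}")
```

Running it prints a declared draw of 100 mA, matching the "(100mA)" entries in the mail, for a device whose real consumption the host never sees; a dormant chip that declares 100 mA and draws microamps for two hours looks identical on the bus.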
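The mail's script opens a short insertion window and relies on devd.conf to refuse keyboards outside it, and notes that a second device on one cable is not by itself suspicious. The following added example (mine, not from the mail or from FreeBSD) applies those two ideas as detection logic over devd USB notifications: a keyboard interface attaching while the window is closed is flagged, and so is a device that exposes a keyboard interface alongside a non-HID class such as mass storage. The notification lines are constructed to resemble the `!system=USB subsystem=INTERFACE type=ATTACH ... intclass=... intsubclass=... intprotocol=...` variables devd exposes for USB events; the vendor, product and serial values are placeholders.

```python
"""Added example: classify devd(8) USB attach/detach notifications and raise
alerts for keyboard interfaces that arrive outside an operator-opened insertion
window, or on a device that also exposes a non-HID interface class.
All event lines here are constructed, not captured from a real system."""
import re
from collections import defaultdict

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S*)')
KEYBOARD = (0x03, 0x01, 0x01)   # HID class, boot subclass, keyboard protocol


def parse_event(line):
    """Turn one devd notification line into a dict; non-notifications give None."""
    if not line.startswith("!"):
        return None
    return {k: v.strip('"') for k, v in KV_RE.findall(line[1:])}


def _hex_field(ev, key):
    try:
        return int(ev.get(key, ""), 16)
    except ValueError:
        return None


class UsbAttachPolicy:
    def __init__(self, insert_window_open=False):
        self.insert_window_open = insert_window_open   # the script's 10 s window
        self.ifaces = defaultdict(set)   # ugen -> {(class, subclass, protocol)}
        self.alerts = []

    def feed(self, line):
        """Consume one line; return the list of alerts it produced (often empty)."""
        ev = parse_event(line)
        if not ev or ev.get("system") != "USB":
            return []
        ugen = ev.get("ugen", "?")
        if ev.get("type") == "DETACH":
            self.ifaces.pop(ugen, None)      # forget the device once it is gone
            return []
        if ev.get("type") != "ATTACH" or ev.get("subsystem") != "INTERFACE":
            return []
        triple = tuple(_hex_field(ev, k)
                       for k in ("intclass", "intsubclass", "intprotocol"))
        seen = self.ifaces[ugen]
        seen.add(triple)
        found = []
        if triple == KEYBOARD and not self.insert_window_open:
            found.append(f"{ugen}: keyboard interface attached outside the "
                         f"insertion window")
        non_hid = sorted(t[0] for t in seen if t[0] not in (None, KEYBOARD[0]))
        if KEYBOARD in seen and non_hid:
            found.append(f"{ugen}: keyboard interface on a device that also "
                         f"exposes class(es) {[hex(c) for c in non_hid]}")
        self.alerts.extend(found)
        return found


# Constructed sample: one device (ugen0.2) announcing a mass-storage interface
# and then a boot keyboard interface.  Vendor/product/serial are placeholders.
CONSTRUCTED_EVENTS = [
    '!system=USB subsystem=DEVICE type=ATTACH ugen=ugen0.2 cdev=ugen0.2 '
    'vendor=0x1234 product=0x5678 devclass=0x00 devsubclass=0x00 '
    'sernum="EXAMPLE01" release=0x0100 mode=host port=2 parent=ugen0.1',
    '!system=USB subsystem=INTERFACE type=ATTACH ugen=ugen0.2 cdev=ugen0.2 '
    'vendor=0x1234 product=0x5678 sernum="EXAMPLE01" mode=host interface=0 '
    'endpoints=2 intclass=0x08 intsubclass=0x06 intprotocol=0x50',
    '!system=USB subsystem=INTERFACE type=ATTACH ugen=ugen0.2 cdev=ugen0.2 '
    'vendor=0x1234 product=0x5678 sernum="EXAMPLE01" mode=host interface=1 '
    'endpoints=1 intclass=0x03 intsubclass=0x01 intprotocol=0x01',
]

if __name__ == "__main__":
    policy = UsbAttachPolicy(insert_window_open=False)
    for line in CONSTRUCTED_EVENTS:
        for alert in policy.feed(line):
            print("ALERT", alert)
```

Fed the constructed events with the window closed, the third line produces two alerts: the keyboard arrived outside the window, and it shares a device with class 0x08 (mass storage). The same keyboard interface on its own device, during an open window, produces none, which is the behaviour the mail's script is reaching for. In practice the policy's feed() would be driven from a devd `notify` action or by reading /var/run/devd.pipe.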