Why the Security of USB Is Fundamentally Broken


Postby Lou » August 2nd, 2014, 11:46 pm

Debian Jessie w/o systemd - icewm
Lou
 
Posts: 235
Joined: April 5th, 2011, 3:58 pm

Re: Why the Security of USB Is Fundamentally Broken

Postby Randicus Draco Albus » August 3rd, 2014, 12:06 am

If someone were to put something bad onto a USB device, how would it gain access to my root directory? If that is explained to me, then I would worry. Otherwise, it is like telling me to not open an .exe file. This article is typical. Potential threats that are very serious, but no details, because providing information would aid the bad guys.
Klingons are fun, but female Romulans are the sexiest women in the galaxy.
Randicus Draco Albus
 
Posts: 1411
Joined: September 22nd, 2011, 1:22 pm

Re: Why the Security of USB Is Fundamentally Broken

Postby allthatisthecase » August 3rd, 2014, 6:11 pm

Randicus Draco Albus wrote: If someone were to put something bad onto a USB device, how would it gain access to my root directory? If that is explained to me, then I would worry. Otherwise, it is like telling me to not open an .exe file. This article is typical. Potential threats that are very serious, but no details, because providing information would aid the bad guys.

You can use things like udev or dbus to give normal users access to shutdown or suspend, so I'm sure there will inevitably be an exploit here or there to abuse root rights. Also, think of all the butnut setups with /etc/sudoers reading something like:

root    ALL=(ALL:ALL) ALL
user   ALL=(ALL:ALL) ALL


and think of the fact that Butnut Stable, unless an LTS after a point release, is basically a patched up Sid.
allthatisthecase
 
Posts: 279
Joined: May 13th, 2014, 5:39 pm
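
The sudoers concern raised in the post above can be checked mechanically. The following is an added example, not part of the original thread: a simplified audit that lists every non-root principal granted unrestricted commands as root. The sample entries beyond the two lines quoted in the post are constructed, the function names are hypothetical, and the parser is deliberately minimal (it does not expand aliases or follow `#include` directives).

```python
import re

# Constructed sample: the two lines from the post plus narrower entries for contrast.
SAMPLE = """\
# constructed sample, not from a real system
Defaults env_reset
root    ALL=(ALL:ALL) ALL
user    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
backup  ALL=(root) NOPASSWD: /usr/bin/rsync
deploy  ALL = (ALL) NOPASSWD: \\
        ALL
"""

SKIP = ("Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")
# who  hosts = (runas) command-spec ; the runas part is optional
RULE = re.compile(r"^(\S+)\s+[^=]+=\s*(?:\(([^)]*)\)\s*)?(.+)$")

def logical_lines(text):
    """Join backslash-continued lines; drop comments, blanks, Defaults and aliases."""
    joined = re.sub(r"\\\n\s*", " ", text)
    for raw in joined.splitlines():
        line = raw.split("#", 1)[0].strip()  # simplification: '#' starts a comment
        if line and not line.startswith(SKIP):
            yield line

def full_root_grants(text):
    """Return (principal, nopasswd) for each non-root rule allowing ALL commands as root."""
    findings = []
    for line in logical_lines(text):
        m = RULE.match(line)
        if not m or m.group(1) == "root":
            continue
        who, runas, spec = m.groups()
        # No runas list means root; "(ALL:ALL)" -> the user part is before the colon.
        runas_users = {u.strip() for u in (runas or "root").split(":")[0].split(",")}
        tags = re.findall(r"\b([A-Z_]+):", spec)          # e.g. NOPASSWD
        cmds = [c.strip() for c in re.sub(r"\b[A-Z_]+:\s*", "", spec).split(",")]
        if "ALL" in cmds and runas_users & {"ALL", "root"}:
            findings.append((who, "NOPASSWD" in tags))
    return findings

if __name__ == "__main__":
    for who, nopasswd in full_root_grants(SAMPLE):
        print(f"{who}: unrestricted root" + (" without password" if nopasswd else ""))
```

On a real system, `sudo -l -U <user>` reports the effective rules after aliases and includes are resolved.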

Re: Why the Security of USB Is Fundamentally Broken

Postby widget » August 3rd, 2014, 10:14 pm

I really hate to jump to the defense of Comical.

First; their use of the default settings in the sudoers file is not defensible and many other distros have jumped on that bandwagon.

Second; all of their releases are basically using the base repo (Debian whatever) frozen at the point it is at when the RC is released. This means that, for instance, 14.04 LTS will continue to be using a "snapshot" of the Debian testing repo, with all the lovely Butnuts improvements therein, as it was a week before 14.04 was released until 14.04 reaches its EOL.

Backports will be from the Debian testing repo, for LTS releases, whenever they are created and then the packages upgraded on whatever the policy is at the time and the whims of the package maintainer.

The regular releases are based on Sid but the same system is used in relation to the Sid repo as the LTS uses in relation to the testing repo.

Most LTS packages will come from the Debian Stable releases that were testing when the LTS was released as far as normal package upgrades go. This is the reason for the "Squeeze LTS" experiment.

Debian is trying to find out if there will be support for the packages long term from the devs. Most of this support will have to come from the devs that are both Debian and Butnuts devs. I suspect this "experiment" will work out. Be shocked if not. Comical will not continue with a five year LTS desktop edition without Debian supporting their releases that long. This would mean that they would have to support the packages in house and they are not willing to do that. Too much like work.

Therefore they will make sure that they have enough devs to do that support when wearing their Debian hats. If this is a good thing or not is the question. Comical devs do not have a great history of sticking to support for packages and 5 years is a long time.

Debian may be willing, if their devs are, to continue the support anyway as it would make their system more competitive on the support side with RH.
widget
 
Posts: 36
Joined: May 25th, 2014, 8:58 pm
Location: S.E. Montana

Re: Why the Security of USB Is Fundamentally Broken

Postby Randicus Draco Albus » August 3rd, 2014, 10:18 pm

allthatisthecase wrote: Also, think of all the butnut setups with /etc/sudoers reading something like:

root ALL=(ALL:ALL) ALL
user ALL=(ALL:ALL) ALL

That is neither the fault of USB devices nor their manufacturers. That is a system with a faulty design, which Comical is to blame for.
Klingons are fun, but female Romulans are the sexiest women in the galaxy.
Randicus Draco Albus
 
Posts: 1411
Joined: September 22nd, 2011, 1:22 pm

Re: Why the Security of USB Is Fundamentally Broken

Postby allthatisthecase » August 4th, 2014, 6:00 am

Nowhere have I said that the sudo setup is the fault of anyone, I'm just saying it is a potential risk, just as dbus etc., which then could be abused by a script lurking on a USB device/website/wherever.

Regarding Butnut... I think the LTS releases are quite decent. Being lazy, I've set up my mum's netbook with Xubuntu 10.04 and have upgraded it to 12.04 and then 14.04, but I've always waited for them to reach point release quality. There haven't been any problems so far. It's fast, stable and works as is on a 6y old machine. But that wasn't the issue. The real deal is that most Butnut users don't use LTS, they use a current release (either because it's cool or because they need a more recent kernel, etc.) Those are of course more Sid quality in my experience (YMMV). This may introduce new vulnerabilities.
allthatisthecase
 
Posts: 279
Joined: May 13th, 2014, 5:39 pm

Re: Why the Security of USB Is Fundamentally Broken

Postby dilberts_left_nut » August 4th, 2014, 6:16 am

I consider that borderline slanderous, and a gross misrepresentation of the quality of the sid branch ;)
detly wrote:What's wrong with RTFM as an answer when the answer is clearly in The FM and requires only cursory Ring?
dilberts_left_nut
 
Posts: 315
Joined: February 10th, 2011, 8:41 am
Location: enzed

Re: Why the Security of USB Is Fundamentally Broken

Postby tomazzi » November 21st, 2015, 1:24 am

1st, Security of USB is not "Fundamentally Broken" - it is broken in Winblows and partially in BIOSes...

2nd: ALL of firmware-based attacks are in fact targeting Winblows OR the BIOS.

- 1st type of attack means usage of an Autorun service, which is quite stupid and easy to cheat... (welcome to systemd+udev world, the linux' svchost.exe version) - welcome to winblows... :)

- 2nd type of attacks depends on BIOS. Unfortunately, due to a corporate mess, the programmers of the BIOSes are picked from those who are cheap (students maybe... who knows) - anyway, in the result, those stupid guys are paid on a per-hour basis, so they can't spend even an extra minute to read USB protocol specification. This is not a joke - most of USB-based attacks are based on a trivial buffer overflows, which are resulting from the fact, that "BIG" corporations are selling motherboards with shitty BIOS code...

Practically, only a coreboot can prevent infections coming from USB drives, and only GNU/Linux OS is able to report an error resulting from system being run in a LLVM created by a BIOS-based virus... (inability to access some HW areas).

Anyway, all I want to say is: It's not the USB specification fault, but in most cases it's a bug in an Implementation (BIOSes) ...
tomazzi
 
Posts: 18
Joined: August 7th, 2013, 6:57 am

Re: Why the Security of USB Is Fundamentally Broken

Postby cynwulf » November 23rd, 2015, 9:43 am

tomazzi wrote: 1st, Security of USB is not "Fundamentally Broken" - it is broken in Winblows and partially in BIOSes...

2nd: ALL of firmware-based attacks are in fact targeting Winblows OR the BIOS.

Just because windows is the target, doesn't mean that other platforms aren't vulnerable. A vulnerability exists whether it's exploited or not.

tomazzi wrote: - 1st type of attack means usage of an Autorun service, which is quite stupid and easy to cheat... (welcome to systemd+udev world, the linux' svchost.exe version) - welcome to winblows... :)

Well, autorun is a Windows thing and it mounts a volume and automatically runs a script located on the volume. It has nothing much to do with the firmware on the device, which is what the article discusses. USB device firmware can be exploited before any file systems are even mounted. Just plugging in the compromised device is enough.

tomazzi wrote: - 2nd type of attacks depends on BIOS. Unfortunately, due to a corporate mess, the programmers of the BIOSes are picked from those who are cheap (students maybe... who knows) - anyway, in the result, those stupid guys are paid on a per-hour basis, so they can't spend even an extra minute to read USB protocol specification. This is not a joke - most of USB-based attacks are based on a trivial buffer overflows, which are resulting from the fact, that "BIG" corporations are selling motherboards with shitty BIOS code...

Modern "plug and play" operating systems don't use any of the PC BIOS except to boot. The only purpose the BIOS serves is to enable/disable devices, set boot order, etc. Apart from that it's a relic of the x86 CP/M / MS-DOS era.

So in theory if you boot the OS and then plug in a USB stick, the BIOS is irrelevant.
cynwulf
 
Posts: 2424
Joined: April 26th, 2011, 2:46 pm

