Hi usb@ & security@ freebsd.org,
hps@ (cc'd) introduced a FreeBSD Sysctl Oct 2014:
        hw.usb.disable_enumeration: 0
        dev.uhub.4.disable_enumeration: 0
        dev.uhub.3.disable_enumeration: 0
        dev.uhub.2.disable_enumeration: 0
        dev.uhub.1.disable_enumeration: 0
        dev.uhub.0.disable_enumeration: 0
which added some protection against USB devices that turn evil.
  https://lists.freebsd.org/pipermail/freebsd-usb/2014-October/013304.html
  https://lists.freebsd.org/pipermail/freebsd-security/2014-October/007976.html

A tiny diff to make it easier to grep sysctl descriptions:
        
http://www.berklix.com/~jhs/src/bsd/fixes/FreeBSD/src/gen/sys/dev/usb/usb_hub.c.REL=12.0-CURRENT.diff

Chips shrink, imagine one hidden in a small arm band Micro-USB
adapter cable, as sold in one Euro/Pound shops.  A picture of similar
https://www.twist4-silikonarmbaender.de/
Probably some are made in China, perhaps in PLA owned factories.

Short cables, so to save losing it, it might be left plugged in.
At power on, a chip might do nothing but set a timer, & stay
in low power for 130 minutes, out waiting checkers before it starts 
"Hi, I'm a keyboard + C:\n uname -a\n probes & commands"

(Combi scanner / printers & PS2 keyboard + mouse converters both
share 2 devices on 1 cable, so a 2nd dev on a physical interface
isn't intrinsicaly suspicious.)

To detect a Trojan cable, could one measure very low  power consumption of a
supposedly passive cable not yet connected the other end to a device ?
My laptop + FreeBSD-current suggest low current detection is not possible ?

        usbconfig shows all currents in multiples of 100mA (0mA)
        (0mA) (0mA) (0mA) (100mA) (100mA) (100mA) (200mA) (500mA)

        So probably not measurements made by the PC, but nominal ratings ?
        & if it's merely the external device reporting its desired
        rating, then useless to detect if a cable has a hidden device.

        I'm not familiar with USB chip functionalities available,
        but I looked at the code:

        /usr/src/usr.sbin/usbconfig/dump.c
        dump_device_info{
        usage = libusb20_dev_get_power_usage(pdev);
        printf("%s, cfg=%u md=%s spd=%s pwr=%s (%umA)\n", ... usage);

        man libusb20_dev_get_power_usage
        libusb20_dev_get_power_usage() returns the reported power usage in
        milliamps for the given USB device.  A power usage of zero typically
        means that the device is self powered.

        /usr/src/lib/libusb/libusb20.c
        pdev->methods->get_power_usage(pdev, &power_usage);

        ugen20_get_power_usage

        ioctl(pdev->file_ctrl, IOUSB(USB_GET_POWER_USAGE)

        /sys/dev/usb/usb_generic.c: case USB_GET_POWER_USAGE:
        ugen_get_power_usage(f);

        /sys/dev/usb/usb_generic.c
        return (udev->power)

I suppose in desperation a dentist's X-Ray machine would give a view.

It'd be worse if an organisation buried evil chips in Power Banks
(batteries to recharge smart phones etc).  It would be impossible
to detect low power consumed by a sleeping chip, that continues to
sleep long after a phone is plugged in to charge.
Smaller battery packs are around company promotional gift prices.

I recall the current FreeBSD sysctl provides switching per port,
but not per device type.  I guess one could bodge a bit more security
by a script, approx:

        cp /etc/devd.conf.no_kbd /etc/devd.conf
        kill -9 `cat /var/run.devd.pid`
        /sbin/devd
        sysctl hw.usb.disable_enumeration=0     # Defences open.
        .... more specific port settings ?
        echo "Now Insert within 10 sec." ; sleep 10
        sysctl hw.usb.disable_enumeration=1     
        cp /etc/devd.conf.with_kbd /etc/devd.conf
        kill -9 `cat /var/run.devd.pid`
        /sbin/devd

Keyboard is the long identified danger, but maybe there are
other dev types to protect against too, (ls /usr/share/man/man4),
Some devices such as 'da' I don't see as a problem, as for /dev/da
one can select on /etc/devd/*.conf "sernum" mount -o nosuid .. etc.

Ideally the USB system might offer more fine tuned defence, to have
some better defence than above, but as that's minority interest,
security companies might need to contribute to development of that.

Cheers,
Julian
-- 
Julian H. Stacey, Computer Consultant, BSD Linux Unix Systems Engineer, Munich
 Reply below, Prefix '> '. Plain text, No .doc, base64, HTML, quoted-printable.
 http://berklix.eu/queen/ Petition to get 3.5 million UK votes back
_______________________________________________
freebsd-usb@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-usb
To unsubscribe, send any mail to "freebsd-usb-unsubscr...@freebsd.org"

Reply via email to