On 01/27/18 13:33, Sebastian Götte wrote:
> On 01/22/2018 08:33 AM, Peter Todd wrote:
>> Note that flash drives with physical write protect switches are available, such
>> as the Kanguru FlashBlu30 line.
> While better than a regular r/w USB drive, I would not actually trust these.
> There's only going to be a regular USB flash controller inside, and the
> firmware on that one is just as good as the firmware on other USB drives.
>
> The type of attack DVDs prevent is one where a compromised "download" or
> "checksum" machine compromises the USB drive firmware. The compromised USB drive then
> presents different data to different machines, e.g. the original iso to anyone checksumming and a
> modified iso to anyone booting. This attack requires a compromise of the USB flash drive controller
> via USB. This is realistic and has been demonstrated in the past.

I don't see the benefit of using a DVD (we're talking about USB DVD readers here), but maybe it's only me being thick... If the machine used to copy or checksum the payload/iso is compromised, then IMO it's already "game over", so I don't see how using a true read-only medium vs. a regular flash drive would help.

> A "physical write protect switch" is only going to be routed into that chip
> through a GPIO, so it does *not* protect against this attack. Write-protect on or off,
> most of the USB protocol logic inside the controller must be working in order to serve
> read requests.
>
> DVDs fare better in this scenario. Even though you could also attack the reader
> firmware, the attacker has only one (large) static payload read by the firmware
> (the DVD). In case of the USB drive, the attacker has an interactive session
> over a complex, multi-layer protocol presenting much more attack surface.

Assuming the machine is not compromised and the payload/iso is legit, the only way for the bad USB device to modify the data would be on-the-fly:

- when writing the iso to the medium (in which case using a write-once-then-read-only medium doesn't help at all vs. using a writable medium)

- when reading it, for instance at boot, presenting different data to different machines like you mentioned.

But:

1- How feasible is it, really, to implement this attack? It would require tremendous processing power to properly alter the payload as it's being copied to the medium; it would also require tailoring the attack to Qubes' ISOs, thus making it a targeted attack; I imagine that if you get to that point you probably have more important problems.

2- Both the DVD reader and the flash drive have USB firmware, so how would the DVD reader's firmware be more "secure" than the USB flash drive's?

But then, I'm not a security expert and I may be talking total nonsense :) - I'd be happy to be proven wrong and learn something in the process...

Cheers,
Ivan

--
You received this message because you are subscribed to the Google Groups 
"qubes-devel" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-devel/7438ac52-2a6c-be7a-0dc0-64fd41baaf98%40maa.bz.