Re: [qubes-users] detecting malicious usb devices

2016-10-25 Thread Ilpo Järvinen
On Tue, 25 Oct 2016, Vít Šesták wrote:

> I am not sure if the devices can sniff both directions. I've believed 
> that a device can sniff only inbound data and cannot communicate with 
> other devices. I've tried to look for some document that would allow me 
> to be sure about this, but I've found nothing. Well, the official 
> documentation would likely contain enough information, but it seems to 
> be quite large.

USB2 downstream traffic (towards device) seems to be broadcast and
USB3 is routed only to the particular device due to power considerations. 
There are some exceptions to that USB2 rule based on different USB speeds. The 
speed restrictions seem quite safe electrically too - assuming firmware 
level only compromises - because of different signalling voltage levels
(a dual speed capable sniffing transceiver does not seem too convincing a 
threat, as the possibility of deploying them to a victim probably should allow 
much easier to accomplish attacks too).

The USB2 upstream is different and is seen only by the hubs on the path
towards the host and the host itself.

Whether upstream isolation and USB3 downstream routing is really safe 
w.r.t. firmware attacks, I don't know (do hubs use firmware or not?).

Based on information here:
  http://www.totalphase.com/support/articles/200349256-USB-Background


In general, USB is a full "bus" only logically, not electrically due
to tiered-star topology.


-- 
 i.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/alpine.DEB.2.10.1610252145090.18027%40melkinpaasi.cs.helsinki.fi.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] detecting malicious usb devices

2016-10-25 Thread Vít Šesták
USB does not have DMA capabilities. If you have access to DMA, you have already 
got access to the controller or the usbvm.

You probably can get into USBVM easily from a USB device by logging in as root on 
the login screen. This, however, assumes that keystrokes are not captured by 
other means, which I am not sure if it is true on the latest Qubes version, 
since some input proxies have been implemented. On 3.0, I was able to shut down 
Debian USBVM by ctrl+alt+delete, which suggests that some more complex attacks 
(using the default empty root password) might be possible on this version. On 
newer versions, I haven't tested it.

Nevertheless, I have disabled all USB keyboards on my USBVM for the reason 
above. They are enabled only in dom0, which uses a separate USB controller.



Re: [qubes-users] detecting malicious usb devices

2016-10-25 Thread pixel fairy
On Tuesday, October 25, 2016 at 11:43:51 AM UTC-4, Vít Šesták wrote:
> I am not sure if the devices can sniff both directions. I've believed that a 
> device can sniff only inbound data and cannot communicate with other devices. 
> I've tried to look for some document that would allow me to be sure about 
> this, but I've found nothing. Well, the official documentation would likely 
> contain enough information, but it seems to be quite large.

a dma attack could do this, and much more. the mitigation / detection i was 
referring to are things like honeyusb, https://github.com/daveti/GoodUSB

the idea was to use the usbvm to screen for malicious devices. 



Re: [qubes-users] detecting malicious usb devices

2016-10-25 Thread Vít Šesták
I am not sure if the devices can sniff both directions. I've believed that a 
device can sniff only inbound data and cannot communicate with other devices. 
I've tried to look for some document that would allow me to be sure about this, 
but I've found nothing. Well, the official documentation would likely contain 
enough information, but it seems to be quite large.



Re: [qubes-users] detecting malicious usb devices

2016-10-25 Thread Robert Mittendorf

On 10/25/2016 at 04:15 PM, Vít Šesták wrote:

> I don't think that a USB drive can directly record keystrokes. The 
> communication goes in the opposite direction that the USB drive would need.
>
> A malicious USB drive can also listen to the data going to other USB devices on 
> the same controller. You cannot detect this.

Well, your second point is exactly that. As USB is a bus, all devices 
should be able to record the other devices' messages - and thereby the 
keystrokes.




Re: [qubes-users] detecting malicious usb devices

2016-10-25 Thread Robert Mittendorf

On 10/25/2016 at 09:05 AM, Andrew David Wong wrote:

> On 2016-10-24 23:48, pixel fairy wrote:
>
>> can a usbvm be used to detect malicious usb devices? has anyone tried this?
>
> Sure, you can run whatever kind of detection software you like in a USB VM.
> However, not all malicious USB devices are detectable (whether you're in a USB VM
> or somewhere else). I haven't tried it.
>
> -- 
> Andrew David Wong (Axon)
> Community Manager, Qubes OS
> https://www.qubes-os.org

Example: A thumb drive that claims to be a keyboard to record your key 
strokes. How would you detect that?


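A sketch of the kind of screening discussed in this thread, added here as an example and not code from any poster or from GoodUSB: it walks a device's raw USB descriptors and flags a storage device that also declares a HID interface. The function names, finding labels and sample descriptor bytes are constructed for illustration.

```python
# USB-IF class codes and descriptor type from the USB specification.
CLASS_HID, CLASS_MASS_STORAGE = 0x03, 0x08
DT_INTERFACE = 0x04
BOOT_KEYBOARD = (CLASS_HID, 0x01, 0x01)  # HID, boot subclass, keyboard protocol


def interfaces(blob):
    """Yield (class, subclass, protocol) for each interface descriptor.

    Assumption: blob is a device descriptor followed by configuration
    descriptors, as Linux exposes in /sys/bus/usb/devices/<dev>/descriptors.
    """
    pos = 0
    while pos + 2 <= len(blob):
        length, dtype = blob[pos], blob[pos + 1]
        if length < 2 or pos + length > len(blob):
            break  # zero-length or truncated descriptor: stop, never loop
        if dtype == DT_INTERFACE and length >= 9:
            yield tuple(blob[pos + 5:pos + 8])
        pos += length


def assess(blob, expect_hid=False):
    """Return hypothetical finding labels for one device's descriptors."""
    seen = set(interfaces(blob))
    classes = {cls for cls, _, _ in seen}
    findings = []
    if CLASS_HID in classes and CLASS_MASS_STORAGE in classes:
        findings.append("storage-plus-hid")
    elif CLASS_HID in classes and not expect_hid:
        findings.append("unexpected-hid")
    if findings and BOOT_KEYBOARD in seen:
        findings.append("boot-keyboard")
    return findings


def iface(num, cls, sub, proto):
    """Build a 9-byte interface descriptor (constructed sample data)."""
    return bytes([9, DT_INTERFACE, num, 0, 0, cls, sub, proto, 0])


# Constructed samples: zeroed device and configuration headers, then interfaces.
DEVICE = bytes([18, 0x01]) + bytes(16)
CONFIG = bytes([9, 0x02]) + bytes(7)
PLAIN_STICK = DEVICE + CONFIG + iface(0, 0x08, 0x06, 0x50)  # SCSI, bulk-only
ROGUE_STICK = PLAIN_STICK + iface(1, 0x03, 0x01, 0x01)      # adds a keyboard
KEYBOARD = DEVICE + CONFIG + iface(0, 0x03, 0x01, 0x01)

if __name__ == "__main__":
    for name in ("PLAIN_STICK", "ROGUE_STICK", "KEYBOARD"):
        print(name, assess(globals()[name]))
```

A device that enumerates only as a keyboard, or that only listens passively, declares nothing unusual in its descriptors and passes this check unless the operator knows no keyboard was plugged in.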


Re: [qubes-users] detecting malicious usb devices

2016-10-25 Thread Andrew David Wong
On 2016-10-24 23:48, pixel fairy wrote:
> can a usbvm be used to detect malicious usb devices? has anyone tried 
> this?
> 

Sure, you can run whatever kind of detection software you like in a USB VM.
However, not all malicious USB devices are detectable (whether you're in a USB VM
or somewhere else). I haven't tried it.

-- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org



[qubes-users] detecting malicious usb devices

2016-10-25 Thread pixel fairy
can a usbvm be used to detect malicious usb devices? has anyone tried this?
