Gene Heskett wrote: > On Thursday 16 October 2014 18:28:16 Greg KH did opine > And Gene did reply: >> On Thu, Oct 16, 2014 at 06:12:48PM -0400, Gene Heskett wrote: >>> Is there a move afoot to write a checker utility that determines if >>> the usb device its pointed at is vulnerable, and can therefore be >>> reliably blacklisted? >> >> What do you mean by a "vulnerable" USB device? > > There is an exploitable error in the usb hardware/firmware, one that > nearly 100% of the devices have.
That "error" is the fact that USB devices have a CPU which can execute arbitrary code. The "BadUSB" guys have shown that several widely-used USB sticks allow the PC to change their firmware, but building USB devices with malicious firmware has _always_ been possible; the only difference is that the hardware costs have gone down from $40 for a Rubber Ducky to $10 for an off-the-shelf memory stick. > No one ever gave security a seconds thought when writing the usb std. As > described it is both hardware and firmware that will need to be addressed > for an effective fix. So you want to blacklist every device (USB or any other bus) that can be connect to a PC? And outlaw general-purpose computers? Regards, Clemens -- To unsubscribe from this list: send the line "unsubscribe linux-usb" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
