Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

udev rule vulnerability to badUSB #54

Open
leni536 opened this issue Mar 14, 2017 · 4 comments
Open

udev rule vulnerability to badUSB #54

leni536 opened this issue Mar 14, 2017 · 4 comments
Labels
Security

Comments

@leni536
Copy link

leni536 commented Mar 14, 2017
edited
Loading

There is a HN discussion about Circlean. Some questions came up about badUSB vulnerability, and it turned out that Circlean has a mitigation at circlean_fs/root_partition/etc/udev/rules.d/50-blockhid.rules.

However a potential attack came up. A badUSB device could imitate an USB hub with an attached keyboard, and it wouldn't be blocked (relevant comment). I suggest some whitelist based udev rule instead that only allows USB MSC devices, something along the lines of this and this methods.

An other badUSB attack came up too: because according to the instructions the USB devices are plugged in before boot, a badUSB device can potentially enter the BIOS, make itself the boot device then boot into a virus. This could be mitigated by fixing the method and the instructions to only plug in the device after boot.
@Rafiot
Copy link
Member

Rafiot commented Mar 14, 2017

I see some usability issues:

  • there is no graphical UI, the user has no way to know when it would be safe to plug the key
  • the script needs to know which key is which and right now, /dev/src and /dev/dst are mapped at boot time.

And if the attacker has a vulnerability able to compromise the bios of the Raspberry pi, they have lots of resources (money, time) and it is probably easier to just exploit a parser and write a malicious file on the destination key.

@leni536
Copy link
Author

leni536 commented Mar 14, 2017
edited
Loading

there is no graphical UI

The device already has a UI implemented as a blinking LED and sound. Now it only indicates two states: copying (blinking and music), and ready (silence). Indicating a third state could complicate instructions, but wouldn't be impossible.

Alternatively there could be separate/alternative instructions for the overly paranoids, like setting up a BIOS password and disable booting from USB.

As for the udev rule, I think it's still vulnerable. As I see the udev rule is there to block badUSB like attacks already, and now it fails at that. I see no reason to not fix that.

@Rafiot
Copy link
Member

Rafiot commented Mar 14, 2017
edited
Loading

Silence means "not started" or "done". I can think about implementing a loop to wait until two keys are connected, but if the attacker can compromise the bios when booting, does it makes any difference to have the system booted? De you have some white paper about that?
Based on the spreadsheets I found, the rpi can only boot from the SD card and there is no way to mess with the bios without compromising he SD card first.

The udev rule aims to avoid having keyboards and this one could in fact be improved (PR welcome). In practice there is no usable user in image so the attack vector is limited.

@dputtick
Copy link
Contributor

A note on the question of a BadUSB making the RPi boot from itself - RPis cannot be booted from USB without setting a special bit in the SoC, and this can only be done while booted from a SD card. So, that attack doesn't seem like something we should be particularly worried about.

More details here: https://www.raspberrypi.org/documentation/hardware/raspberrypi/bootmodes/msd.md

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Security
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@adulau @leni536 @Rafiot @dputtick