robertfisk edited this page Nov 4, 2016 · 37 revisions

The USG is Good, not Bad

The USG is a firewall for your USB ports. It connects between your computer and your untrusted USB device, isolating the badness with two dedicated processors.

The USG's internal firewall is a high-speed serial link between two embedded microprocessors. The firewall uses a very simple protocol that effectively blocks any malicious USB commands from reaching your computer.

Why do I need a USG?

Your computer automatically trusts every device you plug into it. But every USB device is actually a small embedded computer (microprocessor) that runs software you cannot control. And that software can easily attack your computer.

There are three ways a BadUSB device can attack your computer.

  1. Exploit a USB driver: By supplying malicious data, a bad device can exploit bugs in your USB host driver, or any of the hundreds of USB device drivers found on modern operating systems. These drivers run with system privileges and are rarely tested against malformed input. Finding an exploit in your USB driver stack is not difficult!

  2. Hidden evil functionality: What appears to be a single USB device can actually contain more than one function. The hidden function can perform any action allowed by the USB standard, including executing system commands or intercepting network traffic. Only 100% legitimate USB commands are used, so you can't defend against this by fixing USB driver bugs. Here's a good example.

  3. Evil functionality in plain sight: This is where a USB device performs only the function you expect, but still manages to do bad things. Perhaps the best example is a mass storage device which maliciously alters its saved data on-the-fly (presented by SR Labs on page 16 of this presentation). Like the hidden-functionality attacks above, only legitimate USB commands are used and concerned users have no way of defending themselves. That is, until now.

How does the USG protect me?

The USG isolates malicious USB devices using a high-speed serial bus. Only common device classes are allowed, and only a limited number of safe commands are allowed to pass across the firewall. This security-by-isolation approach protects primarily against USB driver exploits (type 1 above). To protect against hidden-functionality attacks (type 2), rules in the USG firmware ensure devices don't misbehave.

  • Only one device attached at a time: By supporting only one attached device, we eliminate attacks that use a hidden additional device to perform unexpected actions.

  • No run-time device class changes: Once a USB device is enumerated through the USG, it cannot re-enumerate itself as a different device class until power is removed and reapplied to the USG. This stops attacks where a device unexpectedly changes its functionality to perform malicious actions.

And to protect against intended-functionality attacks (type 3), we can add class-specific rules. For example, the mass storage class could encrypt blocks before they reach the USB device, rendering man-in-the-middle attempts futile. Or the human interface device (HID) class might block keystrokes arriving faster than a reasonable human typing speed. This firmware functionality is still under development.
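The class allowlist and the two enumeration rules listed above can be modelled as a small state machine. The sketch below is an added example, not code from the USG firmware: the `fw_*` names and the state layout are hypothetical, and the class codes are the standard USB-IF values for HID and mass storage.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* USB-IF base class codes for the device types the page lists as supported. */
#define USB_CLASS_HID          0x03  /* keyboards, mice */
#define USB_CLASS_MASS_STORAGE 0x08  /* flash drives */

typedef enum { FW_ALLOW, FW_DENY_CLASS, FW_DENY_SECOND_DEVICE,
               FW_DENY_CLASS_CHANGE } fw_verdict;

/* Hypothetical policy state; only fw_power_on() clears the class lock. */
typedef struct {
    bool    attached;      /* a device is currently enumerated */
    bool    class_locked;  /* some class was accepted since power-on */
    uint8_t locked_class;
} fw_state;

void fw_power_on(fw_state *s) { s->attached = false; s->class_locked = false; s->locked_class = 0; }

/* Unplugging frees the single device slot but keeps the class lock. */
void fw_on_detach(fw_state *s) { s->attached = false; }

static bool class_allowed(uint8_t c)
{
    return c == USB_CLASS_HID || c == USB_CLASS_MASS_STORAGE;
}

/* Verdict for a downstream enumeration that reports device class c. */
fw_verdict fw_on_enumerate(fw_state *s, uint8_t c)
{
    if (!class_allowed(c)) return FW_DENY_CLASS;
    if (s->attached)       return FW_DENY_SECOND_DEVICE;
    if (s->class_locked && c != s->locked_class) return FW_DENY_CLASS_CHANGE;
    s->attached = true;
    s->class_locked = true;
    s->locked_class = c;
    return FW_ALLOW;
}

int main(void)
{
    fw_state s;
    fw_power_on(&s);
    printf("flash drive: %d\n", fw_on_enumerate(&s, USB_CLASS_MASS_STORAGE));
    fw_on_detach(&s);  /* device drops off the bus, then returns as a keyboard */
    printf("as keyboard: %d\n", fw_on_enumerate(&s, USB_CLASS_HID));
    return 0;
}
```

The second enumeration returns `FW_DENY_CLASS_CHANGE`: a detach alone does not release the class lock, only a power cycle does.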

What hardware can I use with the USG?

The USG currently supports mass storage devices (flash drives), keyboards, and mice. Future firmware revisions may add extra devices and other goodies.

How do I get a USG?

Custom hardware is coming soon. If you want to try out the USG, at this point in time you will have to build one yourself. The DIY Hardware page will show you how to build a USG v0.9.

Firmware Development

See here for how to set up a firmware development environment and install firmware on your USG.

LED Diagnostics

The USG has two LEDs to indicate fault conditions. Find out what the blinkenlights mean.

Any more questions?

Read the FAQ!