robertfisk edited this page May 17, 2016 · 37 revisions

Introduction

For over a decade, USB has been the universal peripheral interface for personal computers. In the past your computer trusted every connected device, and little effort was made to defend against malicious devices. But every USB device is actually a small embedded computer (microprocessor) that runs software you cannot control. So what would happen if malicious software were loaded into a USB device? How much damage could it do?

BadUSB

Any USB device can be turned bad by loading malicious firmware into its microprocessor, either during the manufacturing process or during daily use. There are three classes of attack a BadUSB device can perform against a host computer.

  1. USB driver exploits: A device can supply maliciously malformed data to USB host software running on the computer. This can exploit bugs in the USB host driver, or any of the hundreds of USB device drivers found on a typical operating system. These device drivers run with system privileges, are often developed by third parties, and are rarely tested against unexpected or malformed input.

  2. Hidden-functionality attacks: What appears to be a single USB device can actually hide more than one function inside itself. The hidden function can perform any action allowed by the USB standard. For example, a hidden keyboard can run any command the user is authorised to perform, or a hidden network interface could attempt to intercept the user's network traffic. Only 100% legitimate USB commands are used, and the possibilities are limited only by the attacker's imagination. Here's a good example.

  3. Intended-functionality attacks: This is where a USB device performs only the functions you expect, but still manages to be evil. Perhaps the best example is a Bad mass storage device, which has access to all your data and can maliciously alter storage blocks on-the-fly (presented by SR Labs on page 16 of this presentation). Like the hidden-functionality attacks above, only legitimate USB commands are used and concerned users have no way of defending themselves. That is, until now.

The USG is Good, not Bad

The USG is a firewall for your USB ports. It connects between your computer and your untrusted USB device, isolating the badness with two dedicated microprocessors. One talks to the untrusted device, while the other emulates a safe version of your device to the host computer. These microprocessors exchange data through a simple protocol running over a simple serial interface - SPI. This simple protocol has a much smaller attack surface than your computer's USB software. So even when a BadUSB device attacks one microprocessor, we can guarantee that the second microprocessor cannot be compromised and thus your computer is safe.

This security-by-isolation approach protects primarily against USB driver exploits (type 1 above). To protect against hidden-functionality attacks (type 2) we can add some rules into our USG firmware to ensure devices don't try to misbehave.

  • Only one device attached at a time: By supporting only one attached device, we eliminate attacks that use a hidden hub and additional device to perform unexpected actions.

  • No run-time device class changes: Once a USB device is enumerated through the USG, it cannot re-enumerate itself as a different device class until power is removed and reapplied to the USG. This blocks attacks where a device unexpectedly changes its functionality to perform malicious actions.
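
A sketch of how these two rules could be checked at enumeration time, added here as an example and not taken from the USG firmware. The type and function names, the supported-class list and the single resolved `dev_class` argument are assumptions; the class codes are the standard USB-IF values.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Base class codes assigned by the USB-IF. */
enum { USB_CLASS_HID = 0x03, USB_CLASS_MASS_STORAGE = 0x08, USB_CLASS_HUB = 0x09 };

typedef enum {
    POLICY_ALLOW,
    POLICY_REJECT_HUB,           /* rule 1: one device only, so no hubs */
    POLICY_REJECT_CLASS_CHANGE,  /* rule 2: class is fixed until power cycle */
    POLICY_REJECT_UNSUPPORTED    /* firmware cannot proxy this class */
} policy_result_t;

/* Hypothetical policy state (names are assumptions, not USG identifiers). */
typedef struct {
    const uint8_t *supported;    /* classes the firmware can proxy */
    size_t         n_supported;
    bool           locked;       /* set by the first accepted enumeration */
    uint8_t        locked_class;
} usg_policy_t;

/* Power-on is the only place the class lock is cleared. */
void usg_policy_power_on(usg_policy_t *p, const uint8_t *supported, size_t n)
{
    p->supported = supported;
    p->n_supported = n;
    p->locked = false;
    p->locked_class = 0;
}

/* Call on every downstream enumeration, including after an unplug and replug.
 * dev_class is the class the firmware resolved from the device's descriptors. */
policy_result_t usg_policy_on_enumerate(usg_policy_t *p, uint8_t dev_class)
{
    if (dev_class == USB_CLASS_HUB)
        return POLICY_REJECT_HUB;
    if (p->locked)
        return dev_class == p->locked_class ? POLICY_ALLOW : POLICY_REJECT_CLASS_CHANGE;
    for (size_t i = 0; i < p->n_supported; i++) {
        if (p->supported[i] == dev_class) {
            p->locked = true;
            p->locked_class = dev_class;
            return POLICY_ALLOW;
        }
    }
    return POLICY_REJECT_UNSUPPORTED;
}
```

Because the lock survives a detach, a device that disconnects and comes back as a different class is refused even when that class is one the firmware supports.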

And to protect against intended-functionality attacks (type 3), we can add class-specific rules. For example, the mass storage class could encrypt blocks before they reach the USB device, rendering man-in-the-middle attempts futile. Or the human interface device (HID) class might block keystrokes arriving faster than a reasonable human typing speed. This firmware functionality is still under development.

Project Status

The USG is currently in beta, so calibrate your expectations accordingly!

Hardware

The first generation of USG hardware supports full-speed USB only, i.e. 12Mbps. If it proves sufficiently popular a high-speed 480Mbps version may be developed later.

Custom hardware is under development, but is not yet in production. If you want to try out the USG, at this point in time you will have to build one yourself. The DIY Hardware page will show you how to build a USG v0.9.

Firmware

The USG firmware currently supports mass storage devices only. HID support is planned for the near future, in between hardware development efforts.

See here for how to set up a firmware development environment and install firmware on your USG.

LED Diagnostics

The USG has two LEDs to indicate fault conditions. Find out what the blinkenlights mean.