robertfisk edited this page Sep 3, 2016 · 37 revisions

Introduction

For over a decade, USB has been the universal peripheral interface for personal computers. In the past your computer trusted every connected device, and little effort was made to defend against malicious devices.

But every USB device is actually a small embedded computer (microprocessor) that runs software you cannot control. So what would happen if malicious software were loaded into a USB device? How much damage could it do?

BadUSB

Any USB device can be turned bad by loading malicious firmware into its microprocessor, either during the manufacturing process or during daily use. There are three ways a BadUSB device can attack your computer.

  1. USB driver exploit: A device can supply malicious data to exploit bugs in your USB host driver, or any of the hundreds of USB device drivers found on modern operating systems. These drivers run with system privileges and are rarely tested against malformed input. Finding an exploit in your USB driver stack is not difficult!

  2. Hidden-functionality attacks: What appears to be a single USB device can actually contain more than one function. The hidden function can perform any action allowed by the USB standard, including executing any command the user is authorised to perform, or intercepting network traffic with a hidden network interface. Only 100% legitimate USB commands are used, so you can't defend against this by fixing USB driver bugs. Here's a good example.

  3. Intended-functionality attacks: This is where a USB device performs only the functions you expect, but still manages to be evil. Perhaps the best example is a mass storage device which maliciously alters its saved data on-the-fly (presented by SR Labs on page 16 of this presentation). Like the hidden-functionality attacks above, only legitimate USB commands are used and concerned users have no way of defending themselves. That is, until now.

The USG is Good, not Bad

The USG is a firewall for your USB ports. It connects between your computer and your untrusted USB device, isolating the badness with two dedicated microprocessors. One talks to the untrusted device, while the other emulates a safe version of your device to the host computer. These microprocessors exchange data through a simple protocol running over a simple serial interface - SPI. This simple protocol has a much smaller attack surface than your computer's USB software. So even when a BadUSB device attacks one microprocessor, you can be sure that the second microprocessor cannot be compromised and thus your computer is safe.

This security-by-isolation approach protects primarily against USB driver exploits (type 1 above). To protect against hidden-functionality attacks (type 2) we can add some rules into our USG firmware to ensure devices don't try to misbehave.

  • Only one device attached at a time: By supporting only one attached device, we eliminate attacks that use a hidden additional device to perform unexpected actions.

  • No run-time device class changes: Once a USB device is enumerated through the USG, it cannot re-enumerate itself as a different device class until power is removed and reapplied to the USG. This stops attacks where a device unexpectedly changes its functionality to perform malicious actions.

And to protect against intended-functionality attacks (type 3), we can add class-specific rules. For example, the mass storage class could encrypt blocks before they reach the USB device, rendering man-in-the-middle attempts futile. Or the human interface device (HID) class might block keystrokes arriving faster than a reasonable human typing speed. This firmware functionality is still under development.
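
The two enumeration rules above and the HID typing-speed rule can be sketched as one small policy state machine. This is an added example, not code from the USG firmware: the function names, the `usg_policy_t` structure and the 20 ms key interval are assumptions, and restricting enumeration to HID and mass storage reflects the device types this page lists as supported.

```c
#include <stdbool.h>
#include <stdint.h>

/* Hypothetical policy sketch; names and thresholds are assumptions. */
#define NO_CLASS_LOCKED     0x00u
#define CLASS_HID           0x03u  /* USB class code: human interface device */
#define CLASS_MSC           0x08u  /* USB class code: mass storage */
#define MIN_KEY_INTERVAL_MS 20u    /* assumed floor between key presses */

typedef struct {
    bool     attached;      /* a device is currently enumerated */
    uint8_t  locked_class;  /* first class accepted since power-on */
    bool     key_seen;      /* at least one key press accepted */
    uint32_t last_key_ms;   /* time of the last accepted key press */
} usg_policy_t;

/* Power-on reset: the only event that clears the class lock. */
void usg_power_on(usg_policy_t *p) {
    p->attached = false;
    p->locked_class = NO_CLASS_LOCKED;
    p->key_seen = false;
    p->last_key_ms = 0;
}

/* Decide whether a downstream device may be presented to the host. */
bool usg_enumerate(usg_policy_t *p, uint8_t dev_class) {
    if (p->attached)
        return false;  /* rule: only one device attached at a time */
    if (dev_class != CLASS_HID && dev_class != CLASS_MSC)
        return false;  /* class not handled by this sketch */
    if (p->locked_class != NO_CLASS_LOCKED && p->locked_class != dev_class)
        return false;  /* rule: no class change until power is cycled */
    p->locked_class = dev_class;
    p->attached = true;
    return true;
}

/* Unplugging frees the slot but deliberately keeps the class lock. */
void usg_detach(usg_policy_t *p) { p->attached = false; }

/* HID rule: drop key presses that arrive faster than the assumed floor. */
bool usg_key_allowed(usg_policy_t *p, uint32_t now_ms) {
    if (!p->attached || p->locked_class != CLASS_HID)
        return false;
    if (p->key_seen && (uint32_t)(now_ms - p->last_key_ms) < MIN_KEY_INTERVAL_MS)
        return false;  /* unsigned subtraction stays correct across timer wrap */
    p->last_key_ms = now_ms;
    p->key_seen = true;
    return true;
}
```

A dropped key press does not move `last_key_ms`, so a sustained burst is throttled to one accepted press per interval rather than blocked outright.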

FAQ

All your questions about the USG are answered here.

Hardware

Custom hardware is coming soon. For now, if you want to try out the USG, you will have to build one yourself. The DIY Hardware page will show you how to build a USG v0.9.

Firmware

The USG currently supports mass storage devices, keyboards, and mice. See here for how to set up a firmware development environment and install firmware on your USG.

LED Diagnostics

The USG has two LEDs to indicate fault conditions. Find out what the blinkenlights mean.