How immune is this solution to VID / PID spoofing?
I've thought about this topic before and arrived at the idea that USB devices ought to be treated kind of like user accounts, where I can control what drivers / data / devices they have access to.
If the USB device can proffer a spoofed ID, there is no auth a-la PKI.
Maybe there is a USB controller where it is possible to turn off the data lanes and only keep the power ones active, but short of that, USBGuard had to trust the ID of the device.
Raspberry Pi Zero's USB controller, AFAIK, had the ability to present itself as a target, so that seems like a quick experiment.
Thanks! One benefit of the approach I envisioned above is that even a perfect imposter would be restricted to the access rights I granted the original device.
Since USB device ID's cannot be trusted by themselves couldn't some 2FA (eg USB security key) be used to authorize a device for as long as it stays connected?
Once a USB security key has been authorized and is kept on your person rather than constantly attached to your machine it should be impossible to connect a new device and have it trusted by default - and re-connecting an already connected device would de-authorize it.
Its not. Whats more attackers USB device is able to obtain quite a lot of insight about the host from enumeration alone - operating system, state of the system (boot/fully working etc), configuration (enabled/disabled autostart etc). Its not infeasible for an attacker to keep trying new VID/PID pairs until detecting successful enumeration.
Would it also not be possible to measure power draw upon the device and with that, add another metric to device profiling. So if you have say a keyboard that uses 200ma power and then suddenly a device that has the same ID's is plugged in and uses 500ma of power, that would trigger a flag.
Good idea. Though that can also be bypassed rather easily by including a small battery in the malicious device and only drawing the expected amount of power from the USB connection itself.
The real solution needs to be some sort of standardized auth system, where devices are identified by a public key rather than a static serial number. In the absence of that though, I think whitelisting serial numbers is the next best thing. It'll slow down attacks at least, and open the door for future improvements to the system.
Yes it does: lsusb -v upon linux shows exactly that information. Not sure upon windows flavours of doing that beyond gui digging some properties, but the values are in there.
Sadly the number you are thinking about is self reported by the device - it is required by the spec to report its bMaxPower in USB Configuration Descriptor. This field is merely a convenience and a promise. http://dangerousprototypes.com/docs/Designing_USB_Devices_fo...
What a nice security improvement, many thanks for developing this! It should be default in all operating systems to only accept known USB devices and in the case of new USB devices prompt the user with a clear warning message.
It is a tricky area to add layers of security to. In theory, you would want a device to refuse any connections unless it is explicitly agreed upon. At the same time, you average user will start calling Tech support everytime they hit the road block of "not being able to use the USB". In orgs with sensitive info, it should be mandatory, but others may be better off without it.
What if current input or output devices are broken so you can not prompt the user on them? What if they are broken in a such way that operation system does not know that they are broken, and you can not physically detach them because they are integrated? What if your user can not use their old output or input devices because they lost (some of) their sense(s) or limb(s)?
There is also usbguard-applet-qt, which I have found very helpful to navigate around the options. It also pops up a permission screen as soon as a device is plugged in.
I've thought about this topic before and arrived at the idea that USB devices ought to be treated kind of like user accounts, where I can control what drivers / data / devices they have access to.