Linux 6.13 To Enhance Logic For Trusting Built-In Thunderbolt Controllers


  • reba
    replied
    Originally posted by uid313

    The NSA and spy agencies have something similar but very much smaller, it looks like a normal USB cable but acts as keyboard and has a built-in Wi-Fi so you can connect to it remotely.
    You can buy these from basic retail, so old is this concept.



  • reba
    replied
    Originally posted by uid313
    No the user wouldn't because the user wouldn't know about it because the USB device would inject the keypresses when the computer was idle and the user not present at the computer. The strange behavior would be so fast to open a terminal, and run some command that the user wouldn't even notice it even if he was there. Even if the user saw it, the user would just ignore it and think it was some normal system update operation happening in the background.
    If you leave your system unlocked when you leave it/go away, the fault is on you.
    Rubber Duck, Flipper and Co can input all the keystrokes they want if they end up on the lock screen and get counted as invalid logins, shown to you when you come back to the computer.
    For example with swaylock --show-failed-attempts

    Originally posted by uid313
    No, you can plug in any USB device and the system will blindly trust it.
    Because it is configured to do so. There is no technical reason the OS trusts plugged-in devices.

    Originally posted by uid313
    Then it should require input devices to be present before boot.
    It should display a message like "an input device has been plugged in, if you want to use it, you have to reboot".
    Or it needs to be whitelisted in the UEFI settings so that UEFI can use it, but the OS can only allow inputs from an input device after it has been whitelisted in the UEFI.
    reboot? This isn't Windows


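Added example, not part of any post in this thread: on Linux the trust being argued about is visible in sysfs, and this Python code reports each host controller's `authorized_default` policy and every device exposing a HID interface, flagging those that also present mass storage. The function names and the sample tree are constructed for illustration; the sysfs attributes (`authorized_default`, `authorized`, `bInterfaceClass`) are the kernel's own.

```python
import os
import tempfile

HID, MASS_STORAGE = "03", "08"  # USB interface class codes as sysfs prints them

def _read(path, default="?"):
    try:
        with open(path) as f:
            return f.read().strip()
    except OSError:
        return default

def audit_usb(root="/sys/bus/usb/devices"):
    """Return (per-controller authorized_default, devices exposing a HID interface)."""
    defaults, findings = {}, []
    names = sorted(os.listdir(root))
    for name in names:
        dev = os.path.join(root, name)
        if name.startswith("usb"):  # root hub, one per host controller
            defaults[name] = _read(os.path.join(dev, "authorized_default"))
        elif ":" not in name:       # a device; its interfaces are "<name>:<cfg>.<n>"
            classes = sorted({_read(os.path.join(root, i, "bInterfaceClass"))
                              for i in names if i.startswith(name + ":")})
            if HID in classes:
                findings.append({"device": name, "classes": classes,
                                 "product": _read(os.path.join(dev, "product")),
                                 "authorized": _read(os.path.join(dev, "authorized")),
                                 "storage_plus_hid": MASS_STORAGE in classes})
    return defaults, findings

def build_sample_tree():
    """Constructed sample tree (not real hardware) in the sysfs layout."""
    root = tempfile.mkdtemp()
    files = {
        "usb1/authorized_default": "1",
        "1-1/product": "Flash Disk", "1-1/authorized": "1",
        "1-1:1.0/bInterfaceClass": "08", "1-1:1.1/bInterfaceClass": "03",
        "1-2/product": "USB Keyboard", "1-2/authorized": "1",
        "1-2:1.0/bInterfaceClass": "03",
        "1-3/product": "Webcam", "1-3/authorized": "1", "1-3:1.0/bInterfaceClass": "0e",
    }
    for rel, text in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write(text + "\n")
    return root

if __name__ == "__main__":
    defaults, findings = audit_usb(build_sample_tree())
    print(defaults, *findings, sep="\n")
```

Writing `0` to a controller's `authorized_default` makes the kernel leave newly attached devices on that bus unauthorized until `1` is written to the device's own `authorized` file.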

  • billyswong
    replied
    Originally posted by uid313

    Then it should require input devices to be present before boot.
    It should display a message like "an input device has been plugged in, if you want to use it, you have to reboot".
    Or it needs to be whitelisted in the UEFI settings so that UEFI can use it, but the OS can only allow inputs from an input device after it has been whitelisted in the UEFI.
    This sounds like the PS2 port days. The market seems to dislike that.



  • uid313
    replied
    The NSA and spy agencies have something similar but very much smaller, it looks like a normal USB cable but acts as keyboard and has a built-in Wi-Fi so you can connect to it remotely.



  • uid313
    replied
    Originally posted by Anux
    And? The user would take its PC to a professional to have a look at that strange behavior, just typing stuff at random times will result in various symptoms but is hardly a reliable exploit, you would want to wait until there is an admin terminal open for which you need some way of informing your "keyboard" about that. Are you seriously comparing this to DMA?
    No the user wouldn't because the user wouldn't know about it because the USB device would inject the keypresses when the computer was idle and the user not present at the computer. The strange behavior would be so fast to open a terminal, and run some command that the user wouldn't even notice it even if he was there. Even if the user saw it, the user would just ignore it and think it was some normal system update operation happening in the background.

    Originally posted by reba
    Only if the host system trusts the device, accepts its connection and hooks it up.
    No, you can plug in any USB device and the system will blindly trust it.

    Originally posted by billyswong

    We should figure out a way to fix it, but it may not be the job of the kernel to handle that as it is more a social engineering problem.

    Imagine you get a laptop with a broken keyboard and touchpad. You definitely don't want your external keyboard and mouse to be blocked from accessing the computer. No, requiring explicit approval unless the new keyboard/mouse is the only input device doesn't work. The broken internal keyboard and touchpad may still be sending an alive signal to the computer.
    Then it should require input devices to be present before boot.
    It should display a message like "an input device has been plugged in, if you want to use it, you have to reboot".
    Or it needs to be whitelisted in the UEFI settings so that UEFI can use it, but the OS can only allow inputs from an input device after it has been whitelisted in the UEFI.



  • billyswong
    replied
    Originally posted by uid313
    Meanwhile anyone can just plug in a USB device that looks like a USB storage device but is actually identified as a USB HID class and inserts keystrokes to open terminal and type stuff?

    USB is just blindly trusted?
    We should figure out a way to fix it, but it may not be the job of the kernel to handle that as it is more a social engineering problem.

    Imagine you get a laptop with a broken keyboard and touchpad. You definitely don't want your external keyboard and mouse to be blocked from accessing the computer. No, requiring explicit approval unless the new keyboard/mouse is the only input device doesn't work. The broken internal keyboard and touchpad may still be sending an alive signal to the computer.



  • ziguana
    replied
    Originally posted by uid313
    Meanwhile anyone can just plug in a USB device that looks like a USB storage device but is actually identified as a USB HID class and inserts keystrokes to open terminal and type stuff?

    USB is just blindly trusted?
    NEW VERSION OF THE BEST SELLING HOTPLUG With a few seconds of physical access, all bets are off...



  • reba
    replied
    Originally posted by uid313

    Yes, but any USB device whether it looks like a USB flash storage or a camera or a scanner can identify as USB human interface device (HID) as if it was a USB keyboard and start automatically injecting keystrokes as if they were typed by the user.
    Only if the host system trusts the device, accepts its connection and hooks it up.



  • Anux
    replied
    Originally posted by uid313
    ... USB human interface device (HID) as if it was a USB keyboard and start automatically injecting keystrokes as if they were typed by the user.
    And? The user would take its PC to a professional to have a look at that strange behavior, just typing stuff at random times will result in various symptoms but is hardly a reliable exploit, you would want to wait until there is an admin terminal open for which you need some way of informing your "keyboard" about that. Are you seriously comparing this to DMA?



  • uid313
    replied
    Originally posted by colejohnson66

    USB is less powerful than Thunderbolt. USB can only access what the OS allows, whereas Thunderbolt can issue DMA transfers, access other PCIe devices, and more.
    Yes, but any USB device whether it looks like a USB flash storage or a camera or a scanner can identify as USB human interface device (HID) as if it was a USB keyboard and start automatically injecting keystrokes as if they were typed by the user.
