More Than One Dozen USB Vulnerabilities Published For The Linux Kernel

  • More Than One Dozen USB Vulnerabilities Published For The Linux Kernel

    Phoronix: More Than One Dozen USB Vulnerabilities Published For The Linux Kernel

    Made public on Monday were details on 14 known security vulnerabilities within the Linux kernel's USB subsystem, while there are also known to be more similar bugs that are yet to be resolved...


  • #2
    Typo?

    "and to have physical address to the vulnerable Linux system" instead of "and to have physical access to the vulnerable Linux system"?



    • #3
      inb4 "they must rewrite it in rust".

      That said, for "malicious USB device" it's probably good any programmable system with USB guest ports, so any rootable Android phone, a large list of SBCs and network embedded devices with a single port, and various microcontrollers like some Atmegas whose name I keep forgetting.



      • #4
        In before "They should rewrite the kernel in rust."



        • #5
          Thanks to the person or people who have found out about these vulnerabilities! Every security hole that is found or denied is a huge step forward.



          • #6
            Heh, I can see a Corsair Voyager on that photo. Mine is a 1GB model and the first flash drive I ever owned. And the damn thing still works more than 10 years later!



            • #7
              If I follow the link I see all of these "more than a dozen (14) USB vulnerabilities" the article talks about are fixed. So no news to report here? Anyway, if I follow the link at the link to https://github.com/google/syzkaller/...nd_bugs_usb.md I see around 35 unfixed vulnerabilities - Why not make a news article from that?

              //EDIT: Or change the title to "14 USB vulnerabilities fixed - 35 still open"? Would be a more interesting article to read.
              Last edited by V10lator; 07 November 2017, 03:51 PM.



              • #8
                Originally posted by V10lator
                If I follow the link I see all of these "more than a dozen (14) USB vulnerabilities" the article talks about are fixed. So no news to report here? Anyway, if I follow the link at the link to https://github.com/google/syzkaller/...nd_bugs_usb.md I see around 35 unfixed vulnerabilities - Why not make a news article from that?

                //EDIT: Or change the title to "14 USB vulnerabilities fixed - 35 still open"? Would be a more interesting article to read.
                Double check what you linked to. There were 14 true exploitable vulnerabilities. The other 35 are driver dies due to current day inbuilt protections. Yes, so a lot more issues to fix; none of them look like security vulnerabilities.



                • #9
                  Well, among the non-exploit basic features of the USB-bus is to take control of the computer as if you were a local user connected by USB keyboard and mouse.



                  • #10
                    Unless there are good solutions to these problems without causing performance or compatibility issues, I'm not sure I really care about any of this. These vulnerabilities just cause DoS and system crashes. Seeing as you have to have a specially-made device and physical access to the PC, there's a much easier way to inconvenience someone:
                    The USBKill has evolved. The new V4 hardware framework enables advanced functionality and performance. Depending on your needs, the USBKill V4 comes in three versions: Basic, Pro and Classic. Included with every USBKill V4: Purchase Protection: Money Back Guarantee World-wide shipping: Tracked & Express Options Mos

                    If you want to be cheap or maybe not cause permanent damage, you could just take any plain USB cord, cut the end off, and solder the red and black wires together.

                    I'm not saying these vulnerabilities shouldn't be fixed, but these issues are hardly worth worrying about.

