On Mon, Oct 06, 2014 at 03:06:44AM -0400, Tom Metro wrote:
> If these drives look like an ordinary USB storage drive when first
> attached, I wonder what they are using as a trigger to have them switch
> into malicious keyboard mode? I don't think it can pose as both
> simultaneously. The switch might occur after a simple count down timer
> starting when it was powered up.

Why couldn't it pose as both simultaneously? Couldn't it embed a USB hub
to present more than one device id to the host?

> So the tester gizmo just needs to wait it out. Maybe you'll "quarantine"
> your USB drives for 24 hours before attaching them to your real
> computer. At least until the hackers increase the delay, or figure out
> how to fingerprint the host they are attached to, and only go malicious
> if it's the desired target (like a machine running Windows). There's a
> good chance this sort of fingerprinting would be possible by looking at
> how the OS interrogates the USB controller. So your tester would need to
> have a custom USB driver that emulates Windows or OS X.
>
> One way to address this vulnerability is to modify the OS to put up a
> dialog any time a USB hotplug event is detected. "Found a new keyboard
> device, identifying itself as ... If you did not just plug in a
> keyboard, answer no. Use this device? Yes No"
>
> Of course the hackers could return an identification matching some very
> popular USB keyboard and hope to get lucky, or pester the user enough
> times so that they think their keyboard has a loose plug.

Qubes OS can solve this problem by using VM isolation for USB,
especially if you have a PS/2-connected keyboard and mouse (like most PC
laptops' internal keyboards/touchpads). Just avoid Apple laptops.

I wonder if the OSes can be tweaked to refuse new USB keyboards/mice
after the first one has been connected.
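
The two ideas in this thread (a device exposing storage and keyboard interfaces at once, and refusing further keyboards/mice after the first) can be sketched as a host-side check over a USB configuration descriptor. This is an added example, not part of either post; the descriptors are constructed, and `InputGate` and `build_config` are hypothetical names.

```python
# Added example: descriptors below are constructed, not captured from hardware.
HID, MASS_STORAGE = 0x03, 0x08   # USB-IF interface class codes
DT_CONFIG, DT_INTERFACE = 0x02, 0x04

def interfaces(config: bytes):
    """Return (class, subclass, protocol) for every interface descriptor."""
    found, i = [], 0
    while i < len(config):
        length = config[i]
        if length < 2 or i + length > len(config):
            raise ValueError(f"malformed descriptor at offset {i}")
        if config[i + 1] == DT_INTERFACE:
            if length < 9:
                raise ValueError(f"short interface descriptor at offset {i}")
            found.append(tuple(config[i + 5:i + 8]))
        i += length
    return found

class InputGate:
    """Hypothetical policy: one input device only, never storage plus HID."""
    def __init__(self):
        self.input_accepted = False

    def decide(self, config: bytes) -> str:
        classes = {cls for cls, _, _ in interfaces(config)}
        if HID in classes and MASS_STORAGE in classes:
            return "reject: storage device also exposes an HID interface"
        if HID in classes:
            # Any HID interface counts as input here; non-boot keyboards
            # report subclass/protocol 0, so protocol alone is not reliable.
            if self.input_accepted:
                return "reject: an input device is already attached"
            self.input_accepted = True
        return "allow"

def build_config(*ifaces):
    """Build a minimal configuration descriptor (endpoints omitted)."""
    body = b"".join(bytes([9, DT_INTERFACE, n, 0, 0, c, s, p, 0])
                    for n, (c, s, p) in enumerate(ifaces))
    total = 9 + len(body)
    head = bytes([9, DT_CONFIG, total & 0xFF, total >> 8, len(ifaces), 1, 0, 0x80, 50])
    return head + body

KEYBOARD = build_config((HID, 1, 1))               # boot keyboard
FLASH = build_config((MASS_STORAGE, 6, 0x50))      # SCSI, bulk-only
COMPOSITE = build_config((MASS_STORAGE, 6, 0x50), (HID, 1, 1))

if __name__ == "__main__":
    gate = InputGate()
    for name, cfg in [("keyboard", KEYBOARD), ("flash", FLASH),
                      ("composite", COMPOSITE), ("second keyboard", KEYBOARD)]:
        print(name, "->", gate.decide(cfg))
```

A device can change the descriptors it reports after a re-enumeration, so a check like this has to run on every attach event, not only the first.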