(Warning: this is being sent from the affected computer, so don't trust
"me". BCCd recipients: anyone can post to the debian-security list, but
be aware that its public archive does not spam-protect email addresses)
I use usbguard [0], set to allow only the specific USB devices I have.
One of my flash drives apparently stopped working, and investigation
found that it had changed Product ID, causing usbguard to block it as an
unrecognized device.
Possible explanations - all seem unlikely but it has to be something:
(a) Innocent device malfunction
(b) Malware infection [1-2] via physical access to the drive
(c) Malware infection that began in the computer then infected the drive
(a), innocent malfunction, has the problem that the new Product ID
number is not just a bit flip away and the strings changed as well.
(Unless the firmware has two descriptors and a switch bit? or a built-in
default + a rewritable configuration, and the flash block containing the
latter has died?)
(b), physical access attack, would require an attacker breaking into my
home. (It has been several years since I last took the affected flash
drive anywhere else or plugged it into any other computer.) If they're
willing to do that, I seem a strange choice of target: a Debian
Maintainer is high-value compared to a random user (because their
uploads can infect others) but probably not the highest-value target in
a tech-heavy city.
(c), malware on my computer, requires getting around the fact that I
haven't recently installed anything from outside Debian except my own
package. Maybe a Firefox/Thunderbird sandbox escape?
My integrity_check.py script (checking that system files match the
Debian packages they come from) and clamav don't find such malware, but
that's not proof. usbguard probably blocks the DFU method of writing to
firmware (since I don't have any 0xFE interfaces in my allowed list),
but at least some USB flash drives instead use an SCSI command [1],
which usbguard won't catch.
Both the old and new Product IDs are listed in
/lib/udev/hwdb.d/20-usb-vendor-model.hwdb as flash drives, and it
continued to have only a mass storage (class 08: subclass 06: protocol
0x50) interface, i.e. if it is malware it's not using the obvious
"pretend to be a keyboard" route.
I'm also not sure whether firmware-based malware is common enough to be
something the average developer should worry about. I have seen many
reports of the possibility, but the news tends to emphasize rare events,
and the reports I've seen of actual in-the-wild examples are ones that
target Windows not Linux.
I have unplugged the affected flash drive, but either (b) or (c) would
imply that it may not be the only device infected - and also that even
if I do replace my whole computer, they may be able to repeat the attack.
[0] https://usbguard.github.io/
[1] (non-trust warning: found via Wikipedia)
https://srlabs.de/wp-content/uploads/2014/07/SRLabs-BadUSB-BlackHat-v1.pdf
[2] https://opensource.srlabs.de/projects/badusb/wiki/USB_storage
syslog - before:
Aug 5 07:21:51 rnpalmer-laptop kernel: [34901.758073] usb 3-2.1: New
USB device found, idVendor=058f, idProduct=6387
Aug 5 07:21:51 rnpalmer-laptop kernel: [34901.758077] usb 3-2.1: New
USB device strings: Mfr=1, Product=2, SerialNumber=3
Aug 5 07:21:51 rnpalmer-laptop kernel: [34901.758080] usb 3-2.1:
Product: Mass Storage
Aug 5 07:21:51 rnpalmer-laptop kernel: [34901.758082] usb 3-2.1:
Manufacturer: Generic
Aug 5 07:21:51 rnpalmer-laptop kernel: [34901.758084] usb 3-2.1:
SerialNumber: F32402A6
Aug 5 07:21:51 rnpalmer-laptop kernel: [34901.758274] usb 3-2.1: Device
is not authorized for usage
[...]
Aug 5 07:21:51 rnpalmer-laptop kernel: [34901.953787] usb 3-2.1:
authorized to connect
syslog - after:
[these are messages that are saved after hibernation, but the first ones
may actually have been generated before it; it is not normal to get "new
USB device" at this time]
Aug 6 21:52:26 rnpalmer-laptop kernel: [50368.297466] usb 3-2.1: reset
high-speed USB device number 21 using xhci_hcd
Aug 6 21:52:26 rnpalmer-laptop kernel: [50368.605593] usb 3-2.1: device
firmware changed [ from the source code this actually means "descriptor
changed",
https://sources.debian.org/src/linux/4.9.168-1/drivers/usb/core/hub.c/#L5520
]
[...]
Aug 6 21:52:26 rnpalmer-laptop kernel: [50370.579113] usb 3-2.1: New
USB device found, idVendor=058f, idProduct=1234
Aug 6 21:52:26 rnpalmer-laptop kernel: [50370.579117] usb 3-2.1: New
USB device strings: Mfr=1, Product=2, SerialNumber=0
Aug 6 21:52:26 rnpalmer-laptop kernel: [50370.579119] usb 3-2.1:
Product: Mass Storage Device
Aug 6 21:52:26 rnpalmer-laptop kernel: [50370.579121] usb 3-2.1:
Manufacturer: Alcor Micro
Aug 6 21:52:26 rnpalmer-laptop kernel: [50370.579255] usb 3-2.1: Device
is not authorized for usage
