detecting malicious usb devices


pixel fairy

Oct 25, 2016, 2:48:03 AM
to qubes-users
Can a usbvm be used to detect malicious USB devices? Has anyone tried this?

Andrew David Wong

Oct 25, 2016, 3:05:32 AM
to pixel fairy, qubes-users

On 2016-10-24 23:48, pixel fairy wrote:
> Can a usbvm be used to detect malicious USB devices? Has anyone tried this?
>

Sure, you can run whatever kind of detection software you like in a USB VM.
However, not all malicious USB devices are detectable (whether you're in a USB VM
or somewhere else). I haven't tried it.

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org

Robert Mittendorf

Oct 25, 2016, 5:09:53 AM
to qubes...@googlegroups.com
Example: A thumb drive that claims to be a keyboard to record your key
strokes. How would you detect that?

7v5w7go9ub0o

Oct 25, 2016, 10:02:56 AM
to qubes...@googlegroups.com


On 10/25/2016 09:09 AM, Robert Mittendorf wrote:
> Am 10/25/2016 um 09:05 AM schrieb Andrew David Wong:
>>
>>
>> On 2016-10-24 23:48, pixel fairy wrote:
>>> Can a usbvm be used to detect malicious USB devices? Has anyone
>>> tried this?
>>>
>> Sure, you can run whatever kind of detection software you like in a
>> USB VM.
>> However, not all malicious USB devices are detectable (whether you're
>> in a USB VM
>> or somewhere else). I haven't tried it.
>>
> Example: A thumb drive that claims to be a keyboard to record your key
> strokes. How would you detect that?
>

ISTM ITL has considered this issue, and here's a writeup:
<https://www.qubes-os.org/doc/usb/>

I'd guess you'd try lsusb and dmesg before and after insertion
(insertion after the OS is up and running).


As to the OP, he may be referring to Windows autorun files which can be
simply listed.

Naturally, use an offline DispVM for these tests.
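The before/after check suggested above, as an added example that is not from this thread or from Qubes: it diffs two `lsusb` snapshots, then parses the new device's `lsusb -v` interface descriptors and flags a HID keyboard interface, in particular one sitting next to a mass-storage interface (the "thumb drive that claims to be a keyboard" case). The snapshots, the descriptor text and the vendor/product ID abcd:1234 are constructed sample data.

```python
import re

# Constructed `lsusb` snapshots (IDs and names are made up for this demo).
LSUSB_BEFORE = """\
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 003: ID 046d:c31c Logitech, Inc. Keyboard K120
"""
LSUSB_AFTER = LSUSB_BEFORE + "Bus 001 Device 004: ID abcd:1234 Example Corp Thumb Drive\n"

# Constructed `lsusb -v`-style dump for the new device: a mass-storage
# interface (class 08) plus a HID boot-keyboard interface (class 03,
# protocol 01), i.e. a drive that also presents itself as a keyboard.
LSUSB_V_NEW = """\
Bus 001 Device 004: ID abcd:1234 Example Corp Thumb Drive
    Interface Descriptor:
      bInterfaceClass         8 Mass Storage
      bInterfaceProtocol     80 Bulk-Only
    Interface Descriptor:
      bInterfaceClass         3 Human Interface Device
      bInterfaceSubClass      1 Boot Interface Subclass
      bInterfaceProtocol      1 Keyboard
"""

DEV_RE = re.compile(r"^Bus (\d+) Device (\d+): ID ([0-9a-f]{4}:[0-9a-f]{4}) (.*)$", re.M)

def new_devices(before, after):
    """(bus, dev, id, name) tuples that appear in `after` but not in `before`."""
    seen = set(DEV_RE.findall(before))
    return [d for d in DEV_RE.findall(after) if d not in seen]

def interface_classes(lsusb_v):
    """(bInterfaceClass, bInterfaceProtocol) pairs from `lsusb -v` text."""
    pairs = []
    for block in lsusb_v.split("Interface Descriptor:")[1:]:
        cls = re.search(r"bInterfaceClass\s+(\d+)", block)
        proto = re.search(r"bInterfaceProtocol\s+(\d+)", block)
        pairs.append((int(cls.group(1)), int(proto.group(1)) if proto else 0))
    return pairs

def suspicious_interfaces(lsusb_v):
    """Flag HID keyboard interfaces; one next to mass storage is the classic
    'thumb drive that types' pattern."""
    pairs = interface_classes(lsusb_v)
    has_storage = any(cls == 8 for cls, _ in pairs)
    findings = []
    for cls, proto in pairs:
        if cls == 3 and proto == 1:
            findings.append("HID keyboard interface"
                            + (" on a device that also exposes mass storage" if has_storage else ""))
    return findings
```

A one-off snapshot only catches what the device advertises at that moment; a device that re-enumerates later with different descriptors needs the check repeated on every add event, which is why running this in a throwaway VM rather than trusting a single pass matters.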


Vít Šesták

Oct 25, 2016, 10:15:49 AM
to qubes-users
I don't think that a USB drive can directly record keystrokes. The communication goes in the opposite direction from the one the USB drive would need.

But a USB drive can act as a keyboard (i.e. send keystrokes). You can disable all devices acting as a keyboard using udev rules.

A malicious USB drive can also listen to the data going to other USB devices on the same controller. You cannot detect this.

A malicious USB device can also send data (including keystrokes) on behalf of other devices. If you have a keyboard attached to the same controller, you are currently out of luck.
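One way to express the "disable everything that claims to be a keyboard" policy mentioned above, as an added example that is not from this thread or from Qubes' own configuration: the same match a udev rule would make, applied directly to the sysfs interface attributes, run here against a constructed fake sysfs tree so it works offline. It assumes a kernel with per-interface `authorized` (Linux 4.4 and later); the udev rule quoted in the docstring is my rendering of the idea, not copied from the Qubes docs.

```python
import os
import tempfile

HID_CLASS = "03"      # sysfs prints bInterfaceClass as two hex digits
BOOT_KEYBOARD = "01"  # HID boot-interface protocol 1 = keyboard

def build_demo_tree():
    """Construct a fake /sys/bus/usb/devices tree (demo data, not a real host)."""
    root = tempfile.mkdtemp(prefix="fake-sysfs-")
    ifaces = {
        "1-1:1.0": ("08", "50"),  # thumb drive: mass storage
        "1-1:1.1": ("03", "01"),  # same device also presents a boot keyboard
        "1-2:1.0": ("03", "02"),  # a mouse: HID, but not a keyboard
    }
    for name, (cls, proto) in ifaces.items():
        os.makedirs(os.path.join(root, name))
        for fname, val in (("bInterfaceClass", cls), ("bInterfaceProtocol", proto),
                           ("authorized", "1")):
            with open(os.path.join(root, name, fname), "w") as f:
                f.write(val + "\n")
    return root

def _read(path):
    with open(path) as f:
        return f.read().strip()

def deauthorize_keyboards(sysfs_root):
    """Apply the policy of a udev rule of this shape (assumed form, check your distro):
    SUBSYSTEM=="usb", ATTR{bInterfaceClass}=="03", ATTR{bInterfaceProtocol}=="01",
    ATTR{authorized}="0"
    Writing 0 to an interface's `authorized` detaches its driver, so the storage
    interface of the same device keeps working. Returns the interfaces disabled."""
    disabled = []
    for name in sorted(os.listdir(sysfs_root)):
        iface = os.path.join(sysfs_root, name)
        cls_file = os.path.join(iface, "bInterfaceClass")
        if not os.path.isfile(cls_file):
            continue  # a device directory rather than an interface
        if (_read(cls_file) == HID_CLASS
                and _read(os.path.join(iface, "bInterfaceProtocol")) == BOOT_KEYBOARD):
            with open(os.path.join(iface, "authorized"), "w") as f:
                f.write("0\n")
            disabled.append(name)
    return disabled

def is_authorized(sysfs_root, iface):
    """True if the interface is still enabled (authorized == 1)."""
    return _read(os.path.join(sysfs_root, iface, "authorized")) == "1"
```

This stops a fake keyboard from typing into the USB VM; it does nothing about the bus-sniffing and spoofing points raised later in the thread, which happen below the level the host can police.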

Robert Mittendorf

Oct 25, 2016, 10:26:52 AM
to qubes...@googlegroups.com
Am 10/25/2016 um 04:15 PM schrieb Vít Šesták:
> I don't think that a USB drive can directly record keystrokes. The communication goes in the opposite direction from the one the USB drive would need.
>
> A malicious USB drive can also listen to the data going to other USB devices on the same controller. You cannot detect this.
Well, your second point is exactly that. As USB is a bus, all devices
should be able to record the other devices' messages, and thereby the
keystrokes...

Vít Šesták

Oct 25, 2016, 11:43:51 AM
to qubes-users
I am not sure if the devices can sniff both directions. I had believed that a device can sniff only inbound data and cannot communicate with other devices. I've tried to look for some document that would allow me to be sure about this, but I've found nothing. Well, the official documentation would likely contain enough information, but it seems to be quite large.

pixel fairy

Oct 25, 2016, 12:11:01 PM
to qubes-users
On Tuesday, October 25, 2016 at 11:43:51 AM UTC-4, Vít Šesták wrote:
> I am not sure if the devices can sniff both directions. I had believed that a device can sniff only inbound data and cannot communicate with other devices. I've tried to look for some document that would allow me to be sure about this, but I've found nothing. Well, the official documentation would likely contain enough information, but it seems to be quite large.

A DMA attack could do this, and much more. The mitigation / detection I was referring to is things like honeyusb, https://github.com/daveti/GoodUSB

The idea was to use the usbvm to screen for malicious devices.

Vít Šesták

Oct 25, 2016, 12:28:02 PM
to qubes-users
USB does not have DMA capabilities. If you have access to DMA, you have already got access to the controller or the usbvm.

You probably can get into the USBVM easily from a USB device by logging in as root on the login screen. This, however, assumes that keystrokes are not captured by other means, which I am not sure is true on the latest Qubes version, since some input proxies have been implemented. On 3.0, I was able to shut down the Debian USBVM with ctrl+alt+delete, which suggests that some more complex attacks (using the default empty root password) might be possible on this version. On newer versions, I haven't tested it.

Nevertheless, I have disabled all USB keyboards on my USBVM for the reason above. They are enabled only in dom0, which uses a separate USB controller.

Ilpo Järvinen

Oct 25, 2016, 3:21:49 PM
to qubes-users
USB2 downstream traffic (towards the device) seems to be broadcast, and
USB3 is routed only to the particular device due to power considerations.
There are some exceptions to that USB2 rule based on different USB speeds. The
speed restrictions seem quite safe electrically too - assuming firmware
level only compromises - because of different signalling voltage levels
(a dual-speed-capable sniffing transceiver does not seem a very convincing
threat, as the ability to deploy them to a victim would probably allow
much easier attacks too).

The USB2 upstream is different and is seen only by the hubs on the path
towards the host and the host itself.

Whether upstream isolation and USB3 downstream routing is really safe
w.r.t. firmware attacks, I don't know (do hubs use firmware or not?).

Based on information here:
http://www.totalphase.com/support/articles/200349256-USB-Background


In general, USB is a full "bus" only logically, not electrically, due
to its tiered-star topology.


--
i.