
How to secure access to SD cards a la USBGuard?

hdv@gmail

Nov 11, 2021, 12:50:05 PM
Hi all,

I'd like to limit access to (micro) SD cards on our systems to only
those cards that have been vetted up front.

At first glance I thought maybe USBGuard would help me do this, but that
will only detect built-in or USB-mounted card readers in which the card
is plugged, not the storage device itself. Therefore allowing the card
reader will automatically allow anyone to access any number of memory
cards. That's not what we want for these systems.

Using USBGuard I can (and do) limit access to specific USB devices
(including thumbdrives), but it seems I cannot use it to limit access to
specific memory cards. For built-in readers I figure that is because the
communication is not USB-based. But that would not be the case for
USB-based card readers.

Does anyone have a suggestion on how I can achieve this?

Many thanks in advance!

Grx HdV

Stefan Monnier

Nov 12, 2021, 11:20:04 AM
> I'd like to limit access to (micro) SD cards on our systems to only those
> cards that have been vetted up front.

IIUC the way SD cards are interfaced with the system, you can't use an
approach like USBGuard for that indeed.

I suspect you'll need to be more specific about what you mean by
"access". E.g. you may need to control this access when `mount`ing,
which will then depend on how you want to allow such mounts.

Then another question will be how you want to "vet" (by partition
UUID, maybe?).


Stefan

hdv@gmail

Nov 12, 2021, 12:10:06 PM
On 2021-11-12 17:13, Stefan Monnier wrote:
>> I'd like to limit access to (micro) SD cards on our systems to only those
>> cards that have been vetted up front.
>
> IIUC the way SD cards are interfaced with the system, you can't use an
> approach like USBGuard for that indeed.

I was getting afraid of that.

> I suspect you'll need to be more specific about what you mean by
> "access". E.g. you may need to control this access when `mount`ing,
> which will then depend on how you want to allow such mounts.

What I'd like is to be able to let users mount only those memory cards
that have been registered up front. I've always thought it strange that
people consider thumbdrives to be a risk (and rightly so), but no one is
seemingly bothered by almost the equivalent risk posed by memory cards.
Those can contain "bad" software as well, and they can be automounted
just as easily as USB-drives. So why not make it possible to prevent
users from mounting a card they found somewhere or that was given to
them by some unknown agent?

> Then another question will be how you want to "vet" (by partition
> UUID, maybe?).

That was indeed my first thought. TBH I don't know of any other
trustworthy and unique ID for storage devices (not USB).

P.S. Just to be sure: this is not about letting only specific users
mount a filesystem. I know how to achieve that goal. This is about
preventing social engineering attacks through malicious memory cards,
without blocking the card reader altogether.

Thanks!

Grx HdV

Stefan Monnier

Nov 12, 2021, 12:30:04 PM
> What I'd like is to be able to let users mount only those memory cards that
> have been registered up front. I've always thought it strange that people
> consider thumbdrives to be a risk (and rightly so), but no one is seemingly
> bothered by almost the equivalent risk posed by memory cards.

There's a difference in the fact that what looks like a USB thumbdrive
may actually expose itself to your machine as something else
(e.g. a combination of a thumbdrive, a keyboard, a mouse, a network
adapter, a serial port, you name it).

Hence USBGuard.

IIUC the SD protocol also supports other kinds of devices (SDIO devices)
so it opens up comparable risks, but since it's an extension of the base
SD protocol we can hope that most sdcard readers only support access to
actual mass storage thingies and hence block those threats in
their tracks.

> Those can contain "bad" software as well, and they can be automounted
> just as easily as USB-drives. So why not make it possible to prevent
> users from mounting a card they found somewhere or that was given to
> them by some unknown agent?

I think usually the assumption is that just mounting a card doesn't
introduce serious risk as long as you avoid obvious issues like setuid
bits, and as long as you don't go out of your way to introduce security
holes (such as by auto-executing some files from the just-mounted
partition).

> P.S. Just to be sure: this is not about letting only specific users mount
> a filesystem. I know how to achieve that goal. This is about preventing
> social engineering attacks through malicious memory cards, without blocking
> the card reader altogether.

I see more or less what you're thinking of, but I'm not familiar with
such social engineering attacks to know what to recommend.

As mentioned, the way to control it will depend on the specific tool
used to mount. E.g. if it's mounted by hand via a rule in /etc/fstab,
then you can use rules that specify the device via /etc/disk/by-uuid.

Do note that partition UUIDs are not designed to be reliable w.r.t
malicious uses (it's easy to create a partition with the same UUID as
some other).

Another way might be to force the use of an encrypted filesystem and
see if you can enforce the use of a particular encryption key, so any
memory card not encrypted with the specific key will hopefully fail.


Stefan

Andrei POPESCU

Dec 5, 2021, 7:40:05 AM
On Vi, 12 nov 21, 12:27:59, Stefan Monnier wrote:
>
> As mentioned, the way to control it will depend on the specific tool
> used to mount. E.g. if it's mounted by hand via a rule in /etc/fstab,
> then you can use rules that specify the device via /etc/disk/by-uuid.
>
> Do note that partition UUIDs are not designed to be reliable w.r.t
> malicious uses (it's easy to create a partition with the same UUID as
> some other).

/dev/disk/by-id/ should be device specific.

Kind regards,
Andrei
--
http://wiki.debian.org/FAQsFromDebianUser

hdv@gmail

Dec 5, 2021, 8:20:05 AM
On 2021-12-05 13:33, Andrei POPESCU wrote:
> On Vi, 12 nov 21, 12:27:59, Stefan Monnier wrote:
>>
>> As mentioned, the way to control it will depend on the specific tool
>> used to mount. E.g. if it's mounted by hand via a rule in /etc/fstab,
>> then you can use rules that specify the device via /etc/disk/by-uuid.
>>
>> Do note that partition UUIDs are not designed to be reliable w.r.t
>> malicious uses (it's easy to create a partition with the same UUID as
>> some other).
>
> /dev/disk/by-id/ should be device specific.

Shoot, I had forgotten about WWNs at all! Yep, those should be good
enough for my purposes.

Thanks for the hint!

Grx HdV

David Wright

Dec 6, 2021, 11:20:05 AM
On Sun 05 Dec 2021 at 13:33:41 (+0100), Andrei POPESCU wrote:
> On Vi, 12 nov 21, 12:27:59, Stefan Monnier wrote:
> >
> > As mentioned, the way to control it will depend on the specific tool
> > used to mount. E.g. if it's mounted by hand via a rule in /etc/fstab,
> > then you can use rules that specify the device via /etc/disk/by-uuid.
> >
> > Do note that partition UUIDs are not designed to be reliable w.r.t
> > malicious uses (it's easy to create a partition with the same UUID as
> > some other).
>
> /dev/disk/by-id/ should be device specific.

It certainly is, but specific to the card reader reading it,
not the card. And that's whether the card is plugged into a
slot on the computer, or into a discrete SD/USB adapter.

Cheers,
David.

David Wright

Dec 6, 2021, 11:20:05 AM
I make a habit of archiving the udevadm info, or /run/udev/data/b8:NN
files, for all my disks, sticks and cards. I can't find any WWNs that
are not on either spinning drives or my (sole) SSD. Even my oldest
hard drive (early-2007) lacks one. So I'm interested to know how/where
you read them from on SD cards. Is this a new thing with SDXC/SDUC?

I use LABELs and "UUIDs" (Serial Numbers) to identify mine. LABELs are
most use; for example, I have a Nokia phone that writes a new Serial
Number on any µSD card that's inserted. I have no idea why.
It's obviously only useful in a cooperative environment.

Cheers,
David.

Andrei POPESCU

Dec 10, 2021, 11:30:05 AM
At least with the built-in reader on an Acer Chromebook R13 the ID
changes with every card I tested, but you are indeed right about USB
adapters (at least for the two I could test).

David Wright

Jan 2, 2022, 10:00:04 PM
I did some comparisons between machines, and it would appear that
when the link starts with /dev/disk/by-id/mmc- then the ID is
that of the card, whereas when it starts with /dev/disk/by-id/usb-
then the ID is that of the card reader. Note that I did all the
comparisons using fullsize SD cards pushed into slots in the PCs,
so there were no separate adapters involved, neither SD→USB, nor µSD→SD.

As one might expect, googling mmc and usb is swamped with stuff about
MMC and SD /cards/, so I haven't read anything about the differences
between these slots on different computers. But I guess that if you
want to distinguish SD cards by their identification/serial number,
rather than strings that you write onto them (UUID/LABEL), you need
to use a PC with an mmc-style slot.

Cheers,
David.
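
Added example (not part of the thread): a sketch of the check implied by the observation above, classifying `/dev/disk/by-id` links so that only `mmc-` IDs, which name the card, are matched against an allowlist, while `usb-` IDs, which name the reader, are reported as unable to identify the card. The link names, serials and allowlist are constructed for illustration.

```python
import os
import re
import tempfile

PART_SUFFIX = re.compile(r"-part\d+$")

def classify_by_id(by_id_dir, vetted_cards):
    """Return {device: (verdict, link_name)} for mmc- and usb- whole-disk links.

    allow  - mmc- link found in vetted_cards (the ID is the card's)
    deny   - mmc- link that is not in vetted_cards
    reader - usb- link: the ID is the reader's, so the card is unidentified
    """
    verdicts = {}
    for name in sorted(os.listdir(by_id_dir)):
        path = os.path.join(by_id_dir, name)
        if not os.path.islink(path) or PART_SUFFIX.search(name):
            continue  # judge whole devices, not their partitions
        device = os.path.basename(os.readlink(path))
        if name.startswith("mmc-"):
            verdict = "allow" if name in vetted_cards else "deny"
        elif name.startswith("usb-"):
            verdict = "reader"
        else:
            continue  # ata-, nvme-, wwn- links are out of scope here
        verdicts[device] = (verdict, name)
    return verdicts

def demo():
    # Constructed sample: link names and serials are made up for illustration.
    sample = {
        "mmc-SD32G_0x1a2b3c4d": "../../mmcblk0",
        "mmc-SD32G_0x1a2b3c4d-part1": "../../mmcblk0p1",
        "mmc-SU08G_0x0badc0de": "../../mmcblk1",
        "usb-Generic_STORAGE_DEVICE_000000001-0:0": "../../sdb",
        "ata-EXAMPLE_DISK_S123": "../../sda",
    }
    vetted = {"mmc-SD32G_0x1a2b3c4d"}  # hypothetical allowlist of registered cards
    with tempfile.TemporaryDirectory() as d:
        for link, target in sample.items():
            os.symlink(target, os.path.join(d, link))
        return classify_by_id(d, vetted)

if __name__ == "__main__":
    for dev, (verdict, link) in demo().items():
        print(f"{dev}: {verdict} ({link})")
```

On a real system, pass `/dev/disk/by-id` and the set of link names recorded when each card was registered.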

Andrei POPESCU

Jan 11, 2022, 6:50:05 AM
On Du, 02 ian 22, 20:52:25, David Wright wrote:
> On Fri 10 Dec 2021 at 17:20:52 (+0100), Andrei POPESCU wrote:
> > On Lu, 06 dec 21, 10:18:49, David Wright wrote:
> > > On Sun 05 Dec 2021 at 13:33:41 (+0100), Andrei POPESCU wrote:
> > > > On Vi, 12 nov 21, 12:27:59, Stefan Monnier wrote:
> > > > >
> > > > > As mentioned, the way to control it will depend on the specific tool
> > > > > used to mount. E.g. if it's mounted by hand via a rule in /etc/fstab,
> > > > > then you can use rules that specify the device via /etc/disk/by-uuid.
> > > > >
> > > > > Do note that partition UUIDs are not designed to be reliable w.r.t
> > > > > malicious uses (it's easy to create a partition with the same UUID as
> > > > > some other).
> > > >
> > > > /dev/disk/by-id/ should be device specific.
> > >
> > > It certainly is, but specific to the card reader reading it,
> > > not the card. And that's whether the card is plugged into a
> > > slot on the computer, or into a discrete SD/USB adapter.
> >
> > At least with the built-in reader on an Acer Chromebook R13 the ID
> > changes with every card I tested, but you are indeed right about USB
> > adapters (at least for the two I could test).
>
> I did some comparisons between machines, and it would appear that
> when the link starts with /dev/disk/by-id/mmc- then the ID is
> that of the card, whereas when it starts with /dev/disk/by-id/usb-
> then the ID is that of the card reader. Note that I did all the
> comparisons using fullsize SD cards pushed into slots in the PCs,
> so there were no separate adapters involved, neither SD→USB, nor µSD→SD.

My guess is micro-SD to SD adapters are passive only (i.e. just
connecting pin-to-pin as needed), so it shouldn't matter.

For the OP's issue, it seems a possible solution would be to disallow
any USB-to-SD adapters, and for the (hopefully few) users that really
need to use SD cards to use MMC-style slots only.

A less secure option would be to allow USB adapters only for a few
select *trusted* users, with the understanding that they use "safe" SD
cards only.

hdv@gmail

Jan 11, 2022, 11:50:05 AM
I am afraid that I won't be able to exclude SD cards from use. They are
in use right now and changing that policy would create too much negative
sentiment among the users of these systems/laptops. We have a hard
enough time to get them to comply as it is. Plus, I try to accommodate
our users where I can, so that they know I am doing my best to not get
in their way unless it can't be done in another way. This has paid many
dividends in the past, where others were not able to get our users to
cooperate and they would when I asked them. Just because they trust I am
doing my best to think of them. I am very careful not to waste that
goodwill.

> A less secure option would be to allow USB adapters only for a few
> select *trusted* users, with the understanding that they use "safe" SD
> cards only.

The problem is that a significant number of those users is not very much
security aware. In the past I have been able to demonstrate many many
social engineering and technical attacks to them, and still they fall
for it. It is not that they are unwilling or dumb. They just don't get
how computers (or indeed they themselves) can be manipulated so easily.
They expect us admins to make that impossible, but they also don't want
to be bothered by any measures we take...

I am still trying to find a manageable and dependable way to limit the
mounting of storage devices to devices (not filesystems) that have been
vetted up front.

Thanks for taking the time to help me with this!

Grx HdV