
Fwd: [cros-discuss] Hacking possibility? Real or not?


Matthias Apitz

Jun 20, 2017, 6:08:07 AM

Hello,

In the mailing-list about Chromium OS is some interesting discussion
about some attack vector using a USB plug-in with some Raspberry system
behind to offer to the OS a USB keyboard and ethernet and at the end
take over the system. More of the discussion here

https://groups.google.com/a/chromium.org/forum/?hl=en#!topic/chromium-os-discuss/UqbGh2kHaVw

and the full technical description here:

https://samy.pl/poisontap/

As far as I can see, the same attack would be possible as well on
FreeBSD, maybe not so easy because the devd(8) must be configured and
the module for ethernet on USB cdce(4) must be loaded in advance.

matthias

----- Forwarded message from Jim Dantin <jim.d...@gmail.com> -----

Date: Sun, 18 Jun 2017 15:56:40 -0700 (PDT)
From: Jim Dantin <jim.d...@gmail.com>
To: Chromium OS discuss <chromium-...@chromium.org>
Subject: [cros-discuss] Hacking possibility? Real or not?

Mike Frysinger and other Chromium OS experts -

This rather one-sided Microsoft video brings up some interesting claims.
I'll ignore the claim that Windows is more secure, but I wonder about what
really is possible with ChromeOS devices.
https://www.youtube.com/watch?v=DJg-mI3tuaU

I'd like us to get ahead of any more fear mongering by having someone
knowledgeable examine the actual threat. This appears to be the exploit:
https://samy.pl/poisontap/

For a protected mode ChromeOS device, what are the actual vulnerabilities
and dangers?

I expect that a logged in device could be exposed to data theft if the user
(or someone else) plugged in a malicious device, but what about a
locked-screen or logged out device?

For logged in, unlocked devices, what mischief could be done?

Anyone care to be a truth-teller here?

Thanks.

--
--
Chromium OS discuss mailing list: chromium-...@chromium.org
View archives, change email options, or unsubscribe:
http://groups.google.com/a/chromium.org/group/chromium-os-discuss?hl=en

---
You received this message because you are subscribed to the Google Groups "Chromium OS discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to chromium-os-dis...@chromium.org.


----- End forwarded message -----

--
Matthias Apitz, ✉ gu...@unixarea.de, ⌂ http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
8. Mai 1945: Wer nicht feiert hat den Krieg verloren.
8 de mayo de 1945: Quien no festeja perdió la Guerra.
May 8, 1945: Who does not celebrate lost the War.

Matthew Seaman

Jun 20, 2017, 6:38:59 AM
On 2017/06/20 10:23, Matthias Apitz wrote:
> In the mailing-list about Chromium OS is some interesting discussion
> about some attack vector using a USB plug-in with some Raspberry system
> behind to offer to the OS a USB keyboard and ethernet and at the end
> take over the system. More of the discussion here
>
> https://groups.google.com/a/chromium.org/forum/?hl=en#!topic/chromium-os-discuss/UqbGh2kHaVw
>
> and the full technical description here:
>
> https://samy.pl/poisontap/
>
> As far as I can see, the same attack would be possible as well on
> FreeBSD, maybe not so easy because the devd(8) must be configured and
> the module for ethernet on USB cdce(4) must be loaded in advance.
>

Isn't this yet another manifestation of physical access to the hardware
being almost impossible to secure against? Don't plug in any strange
USB devices kids, and don't let your portable kit out of your control so
that other people could take liberties with your USB ports either.

Cheers,

Matthew



Valeri Galtsev

Jun 20, 2017, 10:53:01 AM
As they said in a system security manual some 30 years ago: the first step
in securing a machine is physical security of your box ;-)

Valeri

>
> Cheers,
>
> Matthew
>
>
>


++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
_______________________________________________
freebsd-...@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questi...@freebsd.org"

James B. Byrne via freebsd-questions

Jun 20, 2017, 11:22:31 AM

On Tue, June 20, 2017 06:38, Matthew Seaman wrote:
> On 2017/06/20 10:23, Matthias Apitz wrote:
>> In the mailing-list about Chromium OS is some interesting discussion
>> about some attack vector using a USB plug-in with some Raspberry
>> system behind to offer to the OS a USB keyboard and ethernet and
>> at the end take over the system. More of the discussion here
>>
>> https://groups.google.com/a/chromium.org/forum/?hl=en#!topic/chromium-os-discuss/UqbGh2kHaVw
>>
>> and the full technical description here:
>>
>> https://samy.pl/poisontap/
>>
>> As far as I can see, the same attack would be possible as well on
>> FreeBSD, maybe not so easy because the devd(8) must be configured
>> and the module for ethernet on USB cdce(4) must be loaded in advance.
>>
>
> Isn't this yet another manifestation of physical access to the
> hardware being almost impossible to secure against? Don't plug
> in any strange USB devices kids, and don't let your portable kit
> out of your control so that other people could take liberties
> with your USB ports either.

Every USB device contains a controller which itself operates on the
basis of flash-able microcode. Few such controllers have any
safeguards against being reprogrammed. Consequently, any physical
access to any USB port on a host allows an attacker to permanently
corrupt and infect the USB device controller(s) on a target system.
As such malware likely contains code to prohibit further reprogramming,
the infection is permanent and removal of the affected hardware is the
only remedy. On most modern computers this requires discarding the
motherboard.

This issue was demonstrated at BlackHat-2014. To the best of my
knowledge, few if any USB device manufacturers provide hardened
controllers. IronKey is the only external flash memory device that I
know of which claims to. But I have seen nothing respecting host
based controllers.


--
*** e-Mail is NOT a SECURE channel ***
Do NOT transmit sensitive data via e-Mail
Do NOT open attachments nor follow links sent by e-Mail

James B. Byrne mailto:Byr...@Harte-Lyne.ca
Harte & Lyne Limited http://www.harte-lyne.ca
9 Brockley Drive vox: +1 905 561 1241
Hamilton, Ontario fax: +1 905 561 0757
Canada L8E 3C3

Polytropon

Jun 20, 2017, 4:04:40 PM
I think you're referring to "BadUSB". For reference and context:

https://arstechnica.com/security/2014/07/this-thumbdrive-hacks-computers-badusb-exploit-makes-devices-turn-evil/

https://www.blackhat.com/us-14/briefings.html#badusb-on-accessories-that-turn-evil

With physical access to a machine, no matter if via USB or
other means, it's more or less game over, and no OS mechanism
can prevent that. As Valeri mentioned, physical security always
is part of the game. ;-)

Regarding the initial submission, I think FreeBSD configuration
determines what happens when a new network device is being found
(even if it's just an emulated one). In "worst" case, the system
recognizes the interface and then does nothing - no DHCP request.
That "stops" the attack at this point.

Everything else explained depends on the network functionality
being established. PoisonTap's primary operation is to act within
a network.




--
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
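
The point made in the thread, that the attack stalls when a newly found interface never sends a DHCP request, can be checked against a host's configuration. The following POSIX sh audit is an added example, not part of any post in the thread; it flags rc.conf and loader.conf settings that would auto-configure a hot-plugged USB Ethernet interface. It assumes cdce(4) interfaces are named ue0, ue1, ..., and the sample configuration is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): flag FreeBSD rc.conf/loader.conf settings
# that would let a newly attached USB Ethernet gadget obtain a DHCP lease.
# Assumption: cdce(4) devices show up as ue0, ue1, ...

# Print the last value assigned to variable $2 in file $1, quotes and comments stripped.
rc_value() {
    grep -E "^[[:space:]]*$2=" "$1" 2>/dev/null | tail -n 1 |
        sed -e 's/^[^=]*=//' -e 's/[[:space:]]*#.*$//' -e "s/^[\"']//" -e "s/[\"']\$//"
}

# True when variable $2 in file $1 asks for DHCP in any form
# (DHCP, SYNCDHCP, NOSYNCDHCP, "WPA DHCP"), compared case-insensitively.
wants_dhcp() {
    case "$(rc_value "$1" "$2" | tr '[:lower:]' '[:upper:]')" in
        *DHCP*) return 0 ;;
    esac
    return 1
}

# audit_usb_net RC_CONF LOADER_CONF: prints findings, leaves the count in FINDINGS.
audit_usb_net() {
    FINDINGS=0
    if wants_dhcp "$1" ifconfig_DEFAULT; then
        echo "WARN ifconfig_DEFAULT: every interface without its own entry runs DHCP"
        FINDINGS=$((FINDINGS + 1))
    fi
    for var in $(grep -Eo '^[[:space:]]*ifconfig_ue[0-9]+=' "$1" 2>/dev/null |
                 tr -d ' \t=' | sort -u); do
        if wants_dhcp "$1" "$var"; then
            echo "WARN $var: USB Ethernet unit is configured for DHCP"
            FINDINGS=$((FINDINGS + 1))
        fi
    done
    case "$(rc_value "$2" if_cdce_load | tr '[:lower:]' '[:upper:]')" in
        YES) echo "NOTE if_cdce_load: cdce(4) is loaded at boot"
             FINDINGS=$((FINDINGS + 1)) ;;
    esac
}

# Constructed sample configuration, not taken from any real host.
demo=$(mktemp -d)
printf '%s\n' 'hostname="lab"' 'ifconfig_em0="inet 192.0.2.10/24"' \
    'ifconfig_DEFAULT="DHCP"   # convenient, but covers hot-plugged NICs too' \
    'ifconfig_ue0="SYNCDHCP"' > "$demo/rc.conf"
printf '%s\n' 'if_cdce_load="YES"' > "$demo/loader.conf"
audit_usb_net "$demo/rc.conf" "$demo/loader.conf"
```

On a real system the two arguments would be /etc/rc.conf and /boot/loader.conf; a count of zero means none of the checked settings would hand a DHCP-configured interface to a device that was simply plugged in.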