USB exploit - cross platform

Bug #1590990 reported by johnmne
This bug report is a duplicate of: Bug #1393612: Protect against BadUSB device.
This bug affects 1 person
Affects: Ubuntu
Status: New
Importance: Undecided
Assigned to: Unassigned

Bug Description

There is available (to the general public) a relatively cheap product which does the "rubberducky" attack.
See the link (found it by searching "rubberducky" in Google - clicked first result):
http://hakshop.myshopify.com/products/usb-rubber-ducky-deluxe
That is *cross-platform* due to USB's nature - it affects ALL Linux distros.

Therefore I suspect that Ubuntu/Linux fail to protect against that,
because the "rubberducky" attack can "type" the following commands:

    1. Copy-paste a bash script
    2. chmod it so that it will execute (under normal user - NOT root)
    3. malware is active...

Note that by default - Ubuntu's firewall is disabled, therefore allowing an easy access to the attacker via internet.

I did NOT test this myself, but as long as there's a device that can act like a keyboard in a disguise of a USB flash drive... then an easy exploit is available.

I think that this kind of security should be built into Linux core or perhaps its USB drivers (not sure which one).

-----------------

My solution to this exploit:

On the connection of a device that has a direct physical access, the OS should permit the device to perform actions based on what the user allows it to do.
Does the user allow a USB flash drive to act like a USB keyboard? Probably not!
Also, if from a single USB port - the OS detects a USB flash drive AND a USB keyboard - this kind of event should light a red alert (!).

Thus, the OS should ask the user:
Do you allow the USB stick to act as:
(1) ..
(2) ..
(3) ..

While the options (1) to (3) are the devices that the USB stick presents itself to the PC.

By default:
Ubuntu should allow that only a single keyboard is used at a single time (which is the keyboard that was connected first). This behavior may be modified via the USB permissions system (that should be built).

IMHO, this solution is relatively easy to implement.

-----------------

Also I suspect that it is possible to program a flash drive to act as a keyboard, because the electrical functionality is available (you only need a different driver),
but I lack a deeper familiarity with the USB device to promise you that it is possible.
I'm sure that among all Ubuntu/Linux developers, some are well familiar with the USB part of Linux.

information type: Private Security → Public Security
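
The check proposed in the description (a flash drive and a keyboard appearing together), as an added example that is not part of the original report or of any Ubuntu package. It reads interface class codes from sysfs and runs on a constructed sample tree; the function names and sample layout are assumptions, and the `by_port` mode shows how a keyboard with a built-in hub gets flagged as well.

```python
import os
import tempfile

HID, MASS_STORAGE = "03", "08"   # USB interface class codes as sysfs prints them

def interface_roles(sysfs_usb="/sys/bus/usb/devices", by_port=False):
    """Map each USB device (or root-hub port, if by_port) to the roles it exposes."""
    roles = {}
    for entry in sorted(os.listdir(sysfs_usb)):
        if ":" not in entry:              # interfaces are named <device>:<config>.<iface>
            continue
        try:
            with open(os.path.join(sysfs_usb, entry, "bInterfaceClass")) as fh:
                cls = fh.read().strip().lower()
        except OSError:                   # interface vanished (unplugged) mid-scan
            continue
        device = entry.split(":")[0]      # e.g. "1-2.1"
        key = device.split(".")[0] if by_port else device   # "1-2" = port on root hub
        found = roles.setdefault(key, set())
        if cls == HID:
            # Class match on purpose: keyboards that do not use the boot
            # subclass/protocol (01/01) would be missed by a stricter test.
            found.add("hid")
        elif cls == MASS_STORAGE:
            found.add("storage")
    return roles

def storage_plus_hid(roles):
    """Devices or ports that present both an input device and a flash drive."""
    return sorted(k for k, r in roles.items() if {"hid", "storage"} <= r)

def build_sample_tree():
    """Constructed sysfs-like tree: one composite stick, one keyboard-with-hub."""
    root = tempfile.mkdtemp(prefix="usb-sample-")
    sample = {
        "1-1:1.0": "08", "1-1:1.1": "03",   # single device: storage + HID
        "1-2:1.0": "09",                    # hub built into a keyboard
        "1-2.1:1.0": "03",                  # the keyboard itself
        "1-2.2:1.0": "08",                  # ordinary stick plugged into that hub
        "1-3:1.0": "03",                    # plain mouse or keyboard
    }
    for name, cls in sample.items():
        os.makedirs(os.path.join(root, name))
        with open(os.path.join(root, name, "bInterfaceClass"), "w") as fh:
            fh.write(cls + "\n")
    return root

if __name__ == "__main__":
    tree = build_sample_tree()
    print("per device:", storage_plus_hid(interface_roles(tree)))
    print("per port:  ", storage_plus_hid(interface_roles(tree, by_port=True)))
```

Per device, only the composite stick is reported; per port, the legitimate keyboard-with-hub is reported too, so the grouping choice decides how many false alerts a user would see.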
Seth Arnold (seth-arnold) wrote :

I've duped this against an earlier bug with much discussion, and links off to further discussion.

Sadly there's no obvious good and easy solution. Consider:

- How would a user interact when plugging in the first keyboard or mouse?
  - What if the malicious device was first only because it was 'earlier' in the USB network?

- How would the system tell a keyboard-with-hub that a user intended to buy from a keyboard-with-hub that a user didn't intend to buy?

- What would the interaction look like on a computer with no displays? With a dozen displays? With a dozen seats?

USB is very flexible. Many devices are really multiple devices -- sometimes connected with internal hubs, sometimes they change their runtime personality. And users expect them all to work in all situations.

Thanks

johnmne (phi-reporter) wrote :

Answering your questions:

"- How would a user interact when plugging in the first keyboard or mouse?"
The first keyboard and mouse are normally connected when powering on the PC.
The behaviour should be like today - no restrictions for the first keyboard and mouse.
(Normally the USB flash drive is connected only *after* the normal keyboard & mouse are already connected.)

"- What if the malicious device was first only because it was 'earlier' in the USB network?"
If by "earlier in the USB network" you mean:
 * "connected before the keyboard and mouse" then for now there is not much I can think of. But normally that does not happen, and *some* protection is better than none.
 * "connected in parallel (same time) to keyboard & mouse" then alert the user that he needs to remove one of them in order to proceed.

"- How would the system tell a keyboard-with-hub that a user intended to buy from a keyboard-with-hub that a user didn't intend to buy?"
Hubs aren't the norm.
In case that someone has a hub (doubtful..) then he can always disable the security behaviour. I sincerely believe that most of the people would prefer to have more protection and little discomfort than having this huge exploit.

"- What would the interaction look like on a computer with no displays? With a dozen displays? With a dozen seats?"
With no displays: Does it connect via ssh? If so, then he could see the message. If not then a sound/beep would be activated. If having no speakers then the user should understand that something is wrong... But I think that this rarely happens, therefore if it does happen - then it is probably(??) the USB exploit.
With a dozen displays: Simply display an alert window of some sort on one of the desktops (is this really a problem? How does Ubuntu manage to display errors with a dozen displays?).
With a dozen seats: What do you mean by "seats"?

USB is very flexible indeed, but most people would prefer to know that their system is secure than spending a few minutes (or half an hour in the worst case) in understanding the (rare) problem and fixing it.

Seth Arnold (seth-arnold) wrote :

I suspect Windows can implement a solution because Windows is used for far fewer environments with far more predictable settings -- a human in front of a keyboard, mouse, and display, or perhaps a human in front of a touchscreen.

Linux's deployments are far more varied and one-size most certainly doesn't fit all.

I suggest bringing this up on the oss-security mail list. It'd be helpful if you've got suggestions of which packages would need to be modified in which ways to manage:

- systems without displays
- systems with usual windows-style one seat
- systems with many seats
- servers that have both local keyboards / displays and remote access keyboards / displays

Thanks

johnmne (phi-reporter) wrote :

Dear Seth,

Indeed but surely there is a solution for this.
You can say the same thing about every other message that should be displayed to the user in every configuration/setup of Ubuntu/Linux.

I sent an email to the OSS security mail list, whose address appears at the following URL:
http://oss-security.openwall.org/wiki/mailing-lists/oss-security
(i.e. "oss [dash] security [at] lists [dot] openwall [dot] com" )

I'm sorry but I don't know which packages should be modified, I'm not well familiar with Ubuntu/Linux.

BTW in every setup or configuration of Linux there is *some* interactive way to alert the user about an error or problem.
Why is it so complicated when dealing with our current problem?
The user *must* have a screen and a keyboard. Thus the message will be displayed either via the command-line terminal or via the GUI.
(I don't understand what's the problem here...)
If the developers can't implement this security patch, then why would anything else be possible?

This report contains Public Security information  
Everyone can see this security related information.