touch-packages team mailing list archive

[Bug 1393612] Re: Protect against BadUSB device

 

Removing package for now, as it's not at all clear how to design this
(at least udev is way too low in the stack to even potentially ask the
user anything).

I'm very sceptical of these approaches. Experience shows that popping up
dialog boxes with security-related questions à la "are you sure that
..." is at least annoying and rarely productive. And on a server you
usually don't even have a way to interactively ask the user anything on
hardware changes.

If there is a way to detect "malicious" USB devices in some way, we
absolutely should do that, but as versatile as they are, USB devices can
do pretty much anything. They could act as an audio device to record
what you are doing, as a network device to re-route traffic, or as a
malicious keyboard (but that's not even the worst IMHO, as you then
usually see that something funky is going on and yank it out again).

It's nothing new at all that malicious hardware can exist and that
hardware always trumps software in terms of trying to keep each other in
check :-)

** Package changed: systemd (Ubuntu) => ubuntu

** Changed in: ubuntu
       Status: Confirmed => New

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1393612

Title:
  Protect against BadUSB device

Status in Ubuntu:
  New

Bug description:
  During the last months, it appeared that the theoretical threat of a
  compromised USB device acting as a keyboard became a real possibility:
  https://srlabs.de/badusb.

  The solution against such a threat is simply to ask the user for
  confirmation before binding a new USB device as a keyboard, and a
  solution was already documented:
  http://vogelchr.blogspot.in/2014/08/controlling-usb-device-access-on-linux.html

  A similar solution already exists for MS Windows:
  http://robert.penz.name/930/protect-your-pc-against-the-badusb-attack-on-linux-and-windows

  Even though the probability of getting a compromised USB device is low,
  the security threat is serious and since the solution is simple,
  Ubuntu should be protected properly asap.

  ProblemType: Bug
  DistroRelease: Ubuntu 14.04
  Package: udev 204-5ubuntu20.8
  ProcVersionSignature: Ubuntu 3.13.0-39.66-generic 3.13.11.8
  Uname: Linux 3.13.0-39-generic x86_64
  ApportVersion: 2.14.1-0ubuntu3.5
  Architecture: amd64
  CurrentDesktop: Unity
  Date: Tue Nov 18 02:48:36 2014
  EcryptfsInUse: Yes
  InstallationDate: Installed on 2014-08-25 (84 days ago)
  InstallationMedia: Ubuntu 14.04 LTS "Trusty Tahr" - Release amd64+mac (20140417)
  MachineType: LENOVO 4298RD9
  ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-3.13.0-39-generic root=UUID=fa0ba264-7e15-48e1-89e6-3c88237a1903 ro persistent quiet splash vt.handoff=7
  SourcePackage: systemd
  UpgradeStatus: No upgrade log present (probably fresh install)
  dmi.bios.date: 07/07/2011
  dmi.bios.vendor: LENOVO
  dmi.bios.version: 8DET50WW (1.20 )
  dmi.board.asset.tag: Not Available
  dmi.board.name: 4298RD9
  dmi.board.vendor: LENOVO
  dmi.board.version: Not Available
  dmi.chassis.asset.tag: No Asset Information
  dmi.chassis.type: 10
  dmi.chassis.vendor: LENOVO
  dmi.chassis.version: Not Available
  dmi.modalias: dmi:bvnLENOVO:bvr8DET50WW(1.20):bd07/07/2011:svnLENOVO:pn4298RD9:pvrThinkPadX220Tablet:rvnLENOVO:rn4298RD9:rvrNotAvailable:cvnLENOVO:ct10:cvrNotAvailable:
  dmi.product.name: 4298RD9
  dmi.product.version: ThinkPad X220 Tablet
  dmi.sys.vendor: LENOVO
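
The thread turns on what a USB device claims to be (keyboard, audio, network) and whether it is allowed to bind. As an added example (not code from the bug report or from Ubuntu), this inventory reads the kernel's sysfs attributes `authorized` and `bInterfaceClass` per device. The sample tree is constructed, and the "review" rule (HID plus another function) is an assumed heuristic that does not prove a device is malicious.

```python
import os
import tempfile

# USB-IF base class codes as sysfs prints them in bInterfaceClass (two hex digits).
CLASS_NAMES = {"01": "audio", "02": "communications", "03": "hid",
               "08": "mass-storage", "09": "hub", "0a": "cdc-data"}

def _read(path):
    try:
        with open(path) as fh:
            return fh.read().strip().lower()
    except OSError:
        return None

def audit_usb(root="/sys/bus/usb/devices"):
    """Map each USB device to its authorized flag and the interface classes it claims."""
    report = {}
    for name in sorted(os.listdir(root)):
        dev, is_iface = name.split(":")[0], ":" in name
        entry = report.setdefault(dev, {"authorized": None, "classes": set()})
        if is_iface:  # interface directories are named like "1-2:1.0"
            cls = _read(os.path.join(root, name, "bInterfaceClass"))
            if cls:
                entry["classes"].add(CLASS_NAMES.get(cls, "class-" + cls))
        else:
            entry["authorized"] = _read(os.path.join(root, name, "authorized"))
    for entry in report.values():
        # Heuristic (assumption): HID plus any other function deserves a second look.
        entry["review"] = "hid" in entry["classes"] and len(entry["classes"]) > 1
    return report

def build_sample_tree(root):
    """Constructed sample data that mimics the sysfs layout; not real devices."""
    sample = {"1-1": {"authorized": "1"}, "1-1:1.0": {"bInterfaceClass": "03"},
              "1-2": {"authorized": "1"}, "1-2:1.0": {"bInterfaceClass": "08"},
              "1-2:1.1": {"bInterfaceClass": "03"},
              "1-3": {"authorized": "0"}}  # unauthorized: kernel exposes no interfaces
    for name, attrs in sample.items():
        os.makedirs(os.path.join(root, name))
        for attr, value in attrs.items():
            with open(os.path.join(root, name, attr), "w") as fh:
                fh.write(value + "\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for dev, info in audit_usb(tmp).items():
            print(dev, info["authorized"], sorted(info["classes"]), info["review"])
```

On a real system, root hubs appear as `usbN` with their hub interface listed under `N-0`, so those show up as two separate entries.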
