from the article it sounds like firmware from the stick executes in the system like a device driver... not good (unacceptable) without a signature, naturally.
? any comments /notes on how this is handled in Linux ?
This was also reported on Slashdot. I'm not sure how Linux will handle this. I hope something is changed fast to prevent this from getting too widespread in Linux. Bad things happen when powerful tools like this get into the hands of the real bad guys. Oh yeah, you might know them as the NSA and the like.
Since it's firmware and USB apparently accepts any firmware update you could probably flash it. Then again that would also mean having firmware you trust (read: built yourself). Hmmm, I'll wait for the presentation.
in the comments i found a note stating : "Firmware runs on an embedded microcontroller inside the device, not on your computer." Makes sense to me, and that being the case we are interested in what that firmware instructs the host O/S to do.
Devices, for example, will often go into an install process. Hopefully they are installing authorized drivers, and hopefully the host o/s is checking MD5s or GnuPG signatures.
a critical element in security today lies in a change in attitude -- for those who like to throw software around like advertisements. that practice has to end.
I don't really see software abuse as a problem in Linux, -- as it is on some other systems.
Last edited by mike acker; 08-01-2014 at 08:30 AM.
Reason: update
Anyone know of a USB firmware reading/writing tool? Seems to me you could at least check what you have now, maybe copy it and use it as a backup/verified version. Better than nothing... a little googling found mptools for Windows in posts a few years old.
BTW, the articles specifically said there is no signature /GPG etc process, and we are all vulnerable.
Last edited by mostlyharmless; 08-01-2014 at 02:47 PM.
from my reading on this: when you plug in a USB device the program stored in the firmware in the USB device's built in microprocessor boots and executes -- in the USB firmware,-- and "announces" itself to the host o/s. at which time then the host o/s will proceed with <whatever>
it's the <whatever> we are concerned with . if <whatever> declares "I must have driver.xxx from xyz.qrs.tuv" then we need the o/s to stop and challenge for credentials. what is the reputation of this driver.xxx from xyz.qrs.tuv ?????
if the host o/s assumes "this is from a manufactured usb stick so it must be ok" then it has signed its own papers. as an industry we must learn that we must authenticate all software.
I see Linux and Open Source as leaders in this regard as we are able to recognize and respond to issues that other systems may try to just ostrich out on.
The USB device cannot tell the kernel to download drivers and run them. But what it can do, is say, I'm a keyboard or a mouse. The kernel will accept it, and it can send keystrokes that can be commands. But since desktops on Linux tend to be so different, I guess it would be difficult to make general malware.
The real problem here is that people plug USB devices like their phones...everywhere...to get power. If someone has an affected phone with a self-propagating firmware, they could infect a lot of public plug in spots. However, I assume, maybe incorrectly, that USB power plugs are immune since they only supply power. But if you plug your phone into a computer, or your car, or a rental car...
It isn't just a matter of plugging a device into your computer, it's also where you plug in any of your devices and bring them home.
As far as being shocked, well, personally, I am surprised that most USBs have rewritable memory that doesn't require special equipment or disassembly and that can be accessed by the USB port. I would have assumed that economic considerations would have made them considerably cheaper without that feature. Without the self-propagating part, I agree that this problem is not much worse than any other.
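The point made above, that a device's firmware decides what it announces itself as and that the kernel will accept a stick claiming to be a keyboard, can be checked from the host side. The following is an added example, not code from any poster in this thread: it reads the interface descriptors Linux exposes under `/sys/bus/usb/devices` and flags any device that presents both a mass-storage and a boot-keyboard interface; the function name `scan` and the report layout are assumptions of this example.

```python
"""List USB devices from sysfs and flag storage devices that also act as keyboards."""
import sys
from collections import defaultdict
from pathlib import Path

HID, MASS_STORAGE = 0x03, 0x08   # USB interface class codes
BOOT_KEYBOARD = 0x01             # bInterfaceProtocol of a HID boot keyboard


def _read(path, default=""):
    try:
        return path.read_text().strip()
    except OSError:
        return default


def scan(root="/sys/bus/usb/devices"):
    """Return {device: {"id", "product", "classes", "keyboard", "suspicious"}}."""
    ifaces = defaultdict(list)
    for entry in Path(root).glob("*:*"):
        # interface entries are named <device>:<config>.<interface>
        dev = entry.name.split(":", 1)[0]
        try:
            cls = int(_read(entry / "bInterfaceClass"), 16)
            proto = int(_read(entry / "bInterfaceProtocol", "0"), 16)
        except ValueError:
            continue  # not an interface directory, or attribute unreadable
        ifaces[dev].append((cls, proto))
    report = {}
    for dev, found in sorted(ifaces.items()):
        base = Path(root) / dev
        classes = {cls for cls, _ in found}
        keyboard = (HID, BOOT_KEYBOARD) in found
        report[dev] = {
            "id": f"{_read(base / 'idVendor', '????')}:{_read(base / 'idProduct', '????')}",
            "product": _read(base / "product", "(no product string)"),
            "classes": sorted(classes),
            "keyboard": keyboard,
            # heuristic: a stick that also announces a keyboard is the case discussed above
            "suspicious": keyboard and MASS_STORAGE in classes,
        }
    return report


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "/sys/bus/usb/devices"
    for dev, info in scan(root).items():
        flag = "CHECK" if info["suspicious"] else ("kbd" if info["keyboard"] else "")
        print(f"{dev:8} {info['id']} {info['product']:30} {info['classes']} {flag}")
```

Keyboards that do not use the boot protocol (protocol 0) are not flagged, so treat the output as a heuristic. The kernel's per-device `authorized` attribute and per-controller `authorized_default` attribute in sysfs can keep an unexpected device from being bound to drivers.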