9

After watching Black Hat's presentation on the fundamental problems with USB "security", I'm wondering if there's a way to do USB whitelisting in Linux.

Is there currently a mechanism that will allow only a certain list of USB devices to actually load drivers and run on latest Linux kernels?

Naftuli Kay
  • 6,745
  • 9
  • 47
  • 76
  • You might consider disabling new devices of a specific class, as [shown by me](https://security.stackexchange.com/a/64552/52967) on HID devices. If you're adding an untrusted usb memory stick, you can enable this to protect you from virtual HID interfaces on that device. – user10008 Aug 14 '14 at 01:23

4 Answers4

6

USB devices are normally identified by vendor and device ID, and, in Linux, support for USB devices is handled with udev. You could write udev rules to reject all devices, save for a specific (white) list. See for instance this question.

However, this might not bring the security you wish. Indeed, all devices of a specific model from a given vendor will share the same ID. If you allow, through your whitelist, a device with ID 08e6:3438, then any device that claims to have that ID will be allowed as well. An hostile device can perfectly announce whatever ID it wishes to show. To have a real whitelist, you would need each single device to contain a specific identifier that the attacker cannot guess (i.e, a key). There is nothing of that kind in existing USB protocol and devices.

Such a white list would be, in any case, redundant with physical control. As the tangible human user in front of the machine, it is up to you to decide whether you will or will not insert a specific device in the USB port. If you want to insert a given device that you have in hand, then you can alter the rules to allow it; and if you refrain from inserting the device, then you don't need the whitelist either. USB device filtering would be most useful in situations where untrusted users can access the physical ports. This is, arguably, a pretty bad situation to begin with, since this means that untrusted users have some level of physical access to the hardware. This might apply to self-service kiosks in photography shops -- but in such cases, the untrusted user is supposed to bring his own USB device, thus whitelisting ceases to make sense.

Tom Leek
  • 170,038
  • 29
  • 342
  • 480
  • How about the self service kiosks with a USB printer. And the admin wants the USB port to ONLY work with that printer. – Michael Mar 09 '17 at 01:57
1

Yes. Sort of.

"Load drivers" is a bit ambiguous. Typically USB drivers are baked-in to the kernel as they may be required during startup. Furthermore, you can't query the USB device to find out its device ID without "loading" the USB subsystem, and typically the device-specific driver is simply the mass storage or HID system which is shared by all similar devices. So let's throw that requirement out. It's silly.

But you can whitelist USB devices. This has been covered extensively on SuperUser and similar sites.

SuperUser: White list for USB flash using udev

Ask Ubuntu: Can udev be used (udev rules) to whitelist certain usb devices?

Unix & Linux: What is the udev rule to allow specific thumb drive vendors?

A simple Google search will turn up hundreds of guides on the subject.

tylerl
  • 82,665
  • 26
  • 149
  • 230
1

As other posts have said, you can say things like "16GB Lexar Jumpdrives are allowed to work here, everything else is banned", but not say "This specific flashdrive can only work in this network".

However, as with many things, you can fool the system. Here is a defcon talk where someone built a device to act as a USB MITM, and would convert commands between different devices, so I could plug in a random sandisk to a lexar-only network, and copy files to it just fine.

https://www.defcon.org/images/defcon-20/dc-20-presentations/Polstra/DEFCON-20-Polstra-Bypassing-Endpoint-Security.pdf

This does leave forensic evidence and the like, but it also does raise the bar if this sort of approach makes sense in your environment. Just remember, USB IDs are like barcodes, not MAC addresses. They're NOT unique per device.

Ryan Gooler
  • 759
  • 4
  • 9
0

As of ~2007 it appears to be possible to manually specify which USB-devices (or interfaces of a USB-device) are allowed to associate with a driver.

See documentation:
https://www.kernel.org/doc/Documentation/usb/authorization.txt


(None shall feel bad. I came upon this by accident on an unrelated research expedition, well after deeming the feature nonexistent in the kernel.)

Gima
  • 143
  • 4