BadUSB - On Accessories that Turn Evil, by Karsten Nohl + Jakob Lell

Wed Oct 8 23:47:44 UTC 2014

Hi Hans etc
"Julian H. Stacey" wrote:
> Hans Petter Selasky wrote:
> > Hi,
> > 
> > Can you test the following kernel patch and give some feedback:
> > 
> > https://svnweb.freebsd.org/changeset/base/272733

I'm now on latest current with src & sys/ GENERIC 
/usr/src/.ctm_status	# src-cur 11645

This time I downloaded your files properly
(last time I was severely distracted & made a silly mistake)

> > After the patch you will get something like:
> > hw.usb.disable_enumeration: 0
> > dev.uhub.0.disable_enumeration: 0
> > dev.uhub.1.disable_enumeration: 0
> > ...

sysctl -a | grep  enumeration
  hw.usb.disable_enumeration: 0
  dev.uhub.0.disable_enumeration: 0
  dev.uhub.1.disable_enumeration: 0
  dev.uhub.2.disable_enumeration: 0
  dev.uhub.3.disable_enumeration: 0
  dev.uhub.4.disable_enumeration: 0

sysctl -d hw.usb.disable_enumeration
  hw.usb.disable_enumeration: Set to disable all USB device enumeration.

sysctl -d dev.uhub.4.disable_enumeration
  dev.uhub.4.disable_enumeration: Set to disable enumeration on this USB HUB.

usbconfig
ugen0.1: <EHCI root HUB Intel> at usbus0, cfg=0 md=HOST spd=HIGH (480Mbps) pwr=SAVE (0mA)
ugen1.1: <EHCI root HUB Intel> at usbus1, cfg=0 md=HOST spd=HIGH (480Mbps) pwr=SAVE (0mA)
ugen0.2: <product 0x0020 vendor 0x8087> at usbus0, cfg=0 md=HOST spd=HIGH (480Mbps) pwr=SAVE (0mA)
ugen1.2: <product 0x0020 vendor 0x8087> at usbus1, cfg=0 md=HOST spd=HIGH (480Mbps) pwr=SAVE (0mA)
ugen0.3: <1.3M WebCam XPA2535XY> at usbus0, cfg=255 md=HOST spd=HIGH (480Mbps) pwr=OFF (500mA)
ugen1.3: <Semi Tech PS2 Keyboard - PS2 Mouse Semi Tech> at usbus1, cfg=0 md=HOST spd=LOW (1.5Mbps) pwr=ON (100mA)
ugen1.4: <USB2.0 Hub vendor 0x05e3> at usbus1, cfg=0 md=HOST spd=HIGH (480Mbps) pwr=SAVE (100mA)

Inserted a WLAN stick
usbconfig
ugen1.5: <802.11 n WLAN Ralink> at usbus1, cfg=0 md=HOST spd=HIGH (480Mbps) pwr=ON (450mA)
ifconfig -a shows run0 & wlan0

Removed WLAN stick
sysctl dev.uhub.4.disable_enumeration=1

Added WLAN stick
ifconfig -a	No run0 & wlan0

Added WLAN stick on different direct PC socket:
ifconfig -a 	Shows run0 & wlan0

usbconfig
ugen0.1: <EHCI root HUB Intel> at usbus0, cfg=0 md=HOST spd=HIGH (480Mbps) pwr=SAVE (0mA)
ugen1.1: <EHCI root HUB Intel> at usbus1, cfg=0 md=HOST spd=HIGH (480Mbps) pwr=SAVE (0mA)
ugen0.2: <product 0x0020 vendor 0x8087> at usbus0, cfg=0 md=HOST spd=HIGH (480Mbps) pwr=SAVE (0mA)
ugen1.2: <product 0x0020 vendor 0x8087> at usbus1, cfg=0 md=HOST spd=HIGH (480Mbps) pwr=SAVE (0mA)
ugen0.3: <1.3M WebCam XPA2535XY> at usbus0, cfg=255 md=HOST spd=HIGH (480Mbps) pwr=OFF (500mA)
ugen1.3: <Semi Tech PS2 Keyboard - PS2 Mouse Semi Tech> at usbus1, cfg=0 md=HOST spd=LOW (1.5Mbps) pwr=ON (100mA)
ugen1.4: <USB2.0 Hub vendor 0x05e3> at usbus1, cfg=0 md=HOST spd=HIGH (480Mbps) pwr=SAVE (100mA)
ugen1.5: <802.11 n WLAN Ralink> at usbus1, cfg=0 md=HOST spd=HIGH (480Mbps) pwr=ON (450mA)

Great ! Seems to work.

(Though I need to read up on how major & minor of ugen relate to
the digit in eg 4.disable_enumeration)

> > which is also settable through /boot/loader.conf (tunable)

Good, 
I hope/presume loader.conf gets run before any USB, cos I recall
lecturer Karsten Nohl pointing out one could get BadUSB taking up
residence in USB controller chips inside a PC, ie for a built in
mouse or web cam, so one would need to turn off enumeration earlier
than when first external USB approaches to connect.

I've reported back on BBC news form:
	Ref. your 
	6 October 2014 Last updated at 15:29 GMT 
	http://www.bbc.com/news/technology-29475566

	The www.FreeBSD.org project (a Unix OS similar to Linux)
	took just 2 days to develop & test a free solution.
	http://lists.freebsd.org/pipermail/freebsd-usb/2014-October/013304.html

Well done, Thanks Hans!

Cheers,
Julian
-- 
Julian Stacey, BSD Linux Unix C Sys Eng Consultant Munich http://berklix.com
 Indent previous with "> ".  Interleave reply paragraphs like a play script.
 Send plain text, not quoted-printable, HTML, base64, or multipart/alternative.