BadUSB - On Accessories that Turn Evil, by Karsten Nohl + Jakob Lell

Dewayne Geraghty dewayne.geraghty at heuristicsystems.com.au
Wed Oct 22 01:29:57 UTC 2014


On 10/10/2014 1:44 AM, Hans Petter Selasky wrote:
> On 10/09/14 15:59, Oliver Pinter wrote:
>> On 10/9/14, Hans Petter Selasky <hps at selasky.org> wrote:
>>> Hi Julian,
>>>
>>> On 10/09/14 01:46, Julian H. Stacey wrote:
>>>> Hi Hans etc
>>>> "Julian H. Stacey" wrote:
>>>>> Hans Petter Selasky wrote:
>>>>>> Hi,
>>>>>>
>>>>>> Can you test the following kernel patch and give some feedback:
>>>>>>
>>>>>> https://svnweb.freebsd.org/changeset/base/272733
>>>>
>>>> I'm now on latest current with src & sys/ GENERIC
>>>> /usr/src/.ctm_status    # src-cur 11645
>>>>
>>>> This time I downloaded your files properly
>>>> (last time I was severely distracted & made a silly mistake)
>>>>
>>>>>> After the patch you will get something like:
>>>>>> hw.usb.disable_enumeration: 0
>>>>>> dev.uhub.0.disable_enumeration: 0
>>>>>> dev.uhub.1.disable_enumeration: 0
>>>>>> ...
>>>>
>>>> sysctl -a | grep  enumeration
>>>>     hw.usb.disable_enumeration: 0
>>>>     dev.uhub.0.disable_enumeration: 0
>>>>     dev.uhub.1.disable_enumeration: 0
>>>>     dev.uhub.2.disable_enumeration: 0
>>>>     dev.uhub.3.disable_enumeration: 0
>>>>     dev.uhub.4.disable_enumeration: 0
>>>>
>>>> sysctl -d hw.usb.disable_enumeration
>>>>     hw.usb.disable_enumeration: Set to disable all USB device
>>>> enumeration.
>>>>
>>>> sysctl -d dev.uhub.4.disable_enumeration
>>>>     dev.uhub.4.disable_enumeration: Set to disable enumeration on
>>>> this USB
>>>> HUB.
>>>>
>>>> usbconfig
>>>> ugen0.1: <EHCI root HUB Intel> at usbus0, cfg=0 md=HOST spd=HIGH
>>>> (480Mbps)
>>>> pwr=SAVE (0mA)
>>>> ugen1.1: <EHCI root HUB Intel> at usbus1, cfg=0 md=HOST spd=HIGH
>>>> (480Mbps)
>>>> pwr=SAVE (0mA)
>>>> ugen0.2: <product 0x0020 vendor 0x8087> at usbus0, cfg=0 md=HOST
>>>> spd=HIGH
>>>> (480Mbps) pwr=SAVE (0mA)
>>>> ugen1.2: <product 0x0020 vendor 0x8087> at usbus1, cfg=0 md=HOST
>>>> spd=HIGH
>>>> (480Mbps) pwr=SAVE (0mA)
>>>> ugen0.3: <1.3M WebCam XPA2535XY> at usbus0, cfg=255 md=HOST spd=HIGH
>>>> (480Mbps) pwr=OFF (500mA)
>>>> ugen1.3: <Semi Tech PS2 Keyboard - PS2 Mouse Semi Tech> at usbus1,
>>>> cfg=0
>>>> md=HOST spd=LOW (1.5Mbps) pwr=ON (100mA)
>>>> ugen1.4: <USB2.0 Hub vendor 0x05e3> at usbus1, cfg=0 md=HOST spd=HIGH
>>>> (480Mbps) pwr=SAVE (100mA)
>>>>
>>>
>>>>
>>>> Great ! Seems to work.
>>>>
>>>> (Though I need to read up on how major & minor of ugen relate to
>>>> the digit in eg 4.disable_enumeration)
>>>>
>>>>
>>>>>> which is also settable through /boot/loader.conf (tunable)
>>>>
>>>> Good,
>>>> I hope/presume loader.conf gets run before any USB, cos I recall
>>>> lecturer Karsten Nohl pointing out one could get BadUSB taking up
>>>> residence in USB controller chips inside a PC, ie for a built in
>>>> mouse or web cam, so one would need to turn off enumeration earlier
>>>> than when first external USB approaches to connect.
>>>
>>> Yes, if set by the loader.conf, you will only see the RootHUB after
>>> boot.
>>>
>>> To get devices back after enabling enumeration again, you will need to
>>> reset the HUBs:
>>>
>>> usbconfig -d X.1 reset
>>>
>>> For example.
>>>
>>> BTW: I've added some exceptions, that existing devices can be detached,
>>> suspend/resumed and reset while the enumeration is disabled.
>>
>> Can we somehow improve this change, to power down the ports/hubs
>> which have the enumeration disabled?
>>
>
> Hi,
>
> I've added this as an orthogonal feature. Please test and report back:
>
> hw.usb.disable_enumeration: 0
> hw.usb.disable_port_power: 0
>
> dev.uhub.0.disable_enumeration: 0
> dev.uhub.0.disable_port_power: 0
>
> https://svnweb.freebsd.org/changeset/base/272822
>
> Thank you!
>
> --HPS
>
> _______________________________________________
> freebsd-usb at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-usb
> To unsubscribe, send any mail to "freebsd-usb-unsubscribe at freebsd.org"
>
Hans,
Thank you for these enhancements, as it's good to have something in the
armoury to try to address this issue.

I applied the patch
https://lists.freebsd.org/pipermail/svn-src-head/2014-October/063443.html to
an updated 10.Stable overnight.  Disabling enumeration works as
described above, except that placing the following in loader.conf has no
effect?
--- tail of /boot/loader.conf ---
# 20141022 Didn't work as expected
#dev.uhub.0.disable_enumeration="1"
#dev.uhub.1.disable_enumeration="1"
#dev.uhub.2.disable_enumeration="1"
#dev.uhub.3.disable_enumeration="1"
#dev.uhub.4.disable_enumeration="1"

# 20141022 Also didn't work
hw.usb.disable_enumeration="1"
--- end of /boot/loader.conf ---

I confirmed the setting was correctly read by loader, by interrupting
the boot and showing the variables.

But immediately after booting,
sysctl -a|grep enumer
hw.usb.disable_enumeration: 0
dev.uhub.0.disable_enumeration: 0
dev.uhub.1.disable_enumeration: 0
dev.uhub.2.disable_enumeration: 0
dev.uhub.3.disable_enumeration: 0
dev.uhub.4.disable_enumeration: 0

Any ideas why loader.conf settings weren't applied?  They are applied
via /etc/sysctl.conf, but by that stage, any harm has been done.

It was interesting doing "user testing" (ie dumb things).  Having a
mouse in hub-unit.endpoint=0.2
sysctl dev.uhub.0.disable_enumeration=1
usbconfig -d 0.2 power_off
provides an opportunity to make a fresh cup of tea...  ;)

Regards, Dewayne.

-- 
For the talkers: “The superior man acts before he speaks, and afterwards speaks according to his action.”
For everyone else: “Life is really simple, but we insist on making it complicated.”
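
The post-boot check described in the message above, as an added example that is not part of the original post: an sh function that reads sysctl output and lists the hubs still accepting new devices. The sample inputs are constructed, and the logic assumes the knob semantics given by the sysctl descriptions quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread). Reads "name: value" lines as printed
# by sysctl on stdin and prints the hubs that would still enumerate devices.

open_hubs() {
    awk -F': *' '
        { sub(/^[ \t]+/, "") }            # tolerate indented, pasted output
        $1 == "hw.usb.disable_enumeration" { global = $2 + 0 }
        $1 ~ /^dev\.uhub\.[0-9]+\.disable_enumeration$/ {
            split($1, part, ".")
            hub[part[3]] = $2 + 0
        }
        END {
            # Per the sysctl descriptions quoted in the thread, the global
            # knob disables enumeration everywhere; otherwise check each hub.
            if (global != 0) exit
            for (n in hub) if (hub[n] == 0) print "uhub" n
        }
    ' | sort
}

check() {
    # Exit status 0 only when no hub is left enumerating.
    open=$(open_hubs)
    [ -z "$open" ] && return 0
    echo "enumeration still enabled on: $(echo $open)" >&2
    return 1
}

# Constructed sample: the post-boot state reported in the message.
SAMPLE_AFTER_BOOT='hw.usb.disable_enumeration: 0
dev.uhub.0.disable_enumeration: 0
dev.uhub.1.disable_enumeration: 0
dev.uhub.2.disable_enumeration: 0
dev.uhub.3.disable_enumeration: 0
dev.uhub.4.disable_enumeration: 0'

# Constructed sample: only some hubs locked, global knob left at 0.
SAMPLE_PARTIAL='hw.usb.disable_enumeration: 0
dev.uhub.0.disable_enumeration: 1
dev.uhub.1.disable_enumeration: 0
dev.uhub.2.disable_enumeration: 1'

printf '%s\n' "$SAMPLE_AFTER_BOOT" | check || echo "after boot: not locked down"
printf '%s\n' "$SAMPLE_PARTIAL" | check || echo "partial: not locked down"
```

On a patched host, pipe `sysctl -a` into `open_hubs` right after boot to see whether the loader.conf tunables took effect.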


