Fwd: [cros-discuss] Hacking possibility? Real or not?

Tue Jun 20 10:07:45 UTC 2017

Hello,

In the mailing-list about Chromium OS is some interesting discussion
about some attack vector using an USB plug-in with some Raspery system
behind to offer to the OS an USB keyboard and ethernet and at the end
take over the system. More of the discussion here 

https://groups.google.com/a/chromium.org/forum/?hl=en#!topic/chromium-os-discuss/UqbGh2kHaVw

and the full technical description here:

https://samy.pl/poisontap/

As far as I can see, the same attack would be possible as well on
FreeBSD, maybe not so easy because the devd(8) must be configured and
the module for ethernet on USB cdce(4) must be loaded in advance.

	matthias

----- Forwarded message from Jim Dantin <jim.dantin at gmail.com> -----

Date: Sun, 18 Jun 2017 15:56:40 -0700 (PDT)
From: Jim Dantin <jim.dantin at gmail.com>
To: Chromium OS discuss <chromium-os-discuss at chromium.org>
Subject: [cros-discuss] Hacking possibility? Real or not?

Mike Frysinger and other Chromium OS experts -

This rather one-sided Microsoft video brings up some interesting claims. 
I'll ignore the claim that Windows is more secure, but I wonder about what 
really is possible with ChromeOS devices.
https://www.youtube.com/watch?v=DJg-mI3tuaU

I'd like us to get ahead of any more fear mongering by having someone 
knowledgeable examine the actual threat. This appears to be the exploit:
https://samy.pl/poisontap/

For a protected mode ChromeOS device, what are the actual vulnerabilities 
and dangers? 

I expect that a logged in device could be exposed to data theft if the user 
(or someone else) plugged in a malicious device, but what about a 
locked-screen or logged out device?

For logged in, unlocked devices, what mischief could be done?

Anyone care to be a truth-teller here?

Thanks.

-- 
-- 
Chromium OS discuss mailing list: chromium-os-discuss at chromium.org
View archives, change email options, or unsubscribe: 
http://groups.google.com/a/chromium.org/group/chromium-os-discuss?hl=en

--- 
You received this message because you are subscribed to the Google Groups "Chromium OS discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to chromium-os-discuss+unsubscribe at chromium.org.

----- End forwarded message -----

-- 
Matthias Apitz, ✉ guru at unixarea.de, ⌂ http://www.unixarea.de/  ☎ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
8. Mai 1945: Wer nicht feiert hat den Krieg verloren.
8 de mayo de 1945: Quien no festeja perdió la Guerra.
May 8, 1945: Who does not celebrate lost the War.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://lists.freebsd.org/pipermail/freebsd-questions/attachments/20170620/986d79aa/attachment.sig>