1

Many questions and answers on this site discuss the various risks related to USB. I'll refer to this one as an example.

I wonder if it would be possible to devise a different design (or in general, approach) which would allow to mantain (some of) the pros of USB with a reduced possibility for disasters. I mean, something like not frying your computer.

Of course many tradeoffs can be discussed, I wonder if they can be effective or, if you accept to be able to plug hardware made "from anybody", no solution can be found.

Community
  • 1
Francesco
  • 231
  • 3
  • 10
  • This would do better as a wiki question. there's not a single answer to this. – Daisetsu Apr 24 '16 at 20:57
  • @Daisetsu I was hoping for some pointer to relevant alternatives (even only theoretical, not necessarily already on the market, or ever). But if it works better as a community wiki I'll be glad to change it that way. – Francesco Apr 24 '16 at 20:59
  • @Daisetsu - I think that community wikis are for answers, not questions. – Neil Smithline Apr 24 '16 at 21:22
  • I recall there used to be some sort of system on superuser a few years back where people could ask opinion type questions like what's your favorite antivirus. Am I not remembering right, or is that specific to su? – Daisetsu Apr 24 '16 at 21:26
  • @Daisetsu I am not asking what is your favorite AV. I am asking: is there a sound way to avoid some of the pitfall of USB? I am not asking for a list of things to buy, I am asking for a list of papers to read... – Francesco Apr 24 '16 at 21:36
  • Well, I guess I don't have a answer for you then. – Daisetsu Apr 24 '16 at 21:39
  • Dedicated ports for certain types of hardware would help. For example, BadUSB would be ineffective if we had separate ports for keyboards. – André Borie Apr 24 '16 at 21:54
  • @Francesco I'm leaning towards closing this question as you've not specified any actual attacks against USB, so it's incredibly broad. For example, with access to a USB port I might present a keyboard/mouse/display/NIC combo and take over your system, exploit driver bugs to take over your box, or feed 1kV into it and fry your board. Are these what you're thinking of? What's your threat model? – Polynomial Apr 24 '16 at 22:11
  • I'm not clear on what you are asking. Is it possible to redesign USB: of course. But what are you concerned about that you want to change? – schroeder Apr 25 '16 at 03:59

1 Answers1

3

Dedicated ports for certain classes of hardware would help, like in the old days where we had PS/2 for input devices.

If a port is marked as "storage" then it should only accept storage devices, so if a malicious device wants to pretend to be a keyboard and type in nasty stuff well it can't because the OS would just ignore it.

This can actually be implemented pretty easy without any change of hardware, as ports are numbered and the kernel can be configured to accept specific types of devices for specific ports. So you can configure one port (possibly with a hub) that only accepts input devices where you plug your keyboard/mouse, and other ports that accept most general purpose devices excluding dangerous ones that are implicitly trusted like keyboards.

André Borie
  • 12,706
  • 3
  • 39
  • 76
  • Sounds like a usability nightmare to me, not really something that “maintain[s] the pros of USB”. – Relaxed Apr 24 '16 at 22:06
  • 1
    This would largely invalidate the 'U' in USB. – Polynomial Apr 24 '16 at 22:07
  • @Polynomial since this can all be done in software, ports can be switched on the fly as well. Want to plug an input device in a storage port? Just use your existing input device to tick a box and your storage port becomes an input port. – André Borie Apr 25 '16 at 17:56
  • @AndréBorie Even if there was a perfect implementation of this from a security perspective (f.e. what if a hub is connected which purposefully does not behave according to spec and allows arbitrary devices? and how do you handle hybrid devices?) it would be a usability nightmare. People still have trouble understanding the concept of zip files, or how to copy/paste files, let alone understanding the difference between HID, mass storage, webcams, USB-to-serial, audio devices, etc. and the various combinations between them. – Polynomial Apr 26 '16 at 13:01