
This video shows an attack where attaching a USB device to a locked computer pretty much takes over all currently running browsers. The trick is that the USB device acts as Ethernet over USB, and a laptop will automatically attempt a connection to such a device.

My work computer has an actual ethernet port, and I almost exclusively use wifi. I do not foresee a need to use 4G dongles and such. I could mitigate such an attack by merely preventing USB over ethernet from working in the first place. (The alternative mitigation suggested in the video, applying cement to my USB ports, doesn't sound quite so enticing. Additionally, it can be worked around with a docking station.)

How can I do this?

badp
  • 12,372
  • Are you wanting to disable that particular type of usb device from working, or would all devices being disabled work? –  Nov 17 '16 at 14:04
  • You could blacklist all the kernel modules for usb ethernet devices, I suppose. Really, this is a security bug in NetworkManager, and it should be fixed to not automatically bring up Ethernet connections, unless it is configured to do so for a specific interface. – dobey Nov 17 '16 at 15:38
  • What you are seeing in the video is not taking over the browsers. It is just bringing a general problem of the internet one hop nearer to you. Every internet connection is insecure if not secured by cryptographic routines. The device just intercepts the traffic as anybody in the same LAN could do without physical access to the machine. So, blocking USB network interfaces will just stop that particular demonstration from working and not solve the problem. To actually solve it the whole internet needs to be redesigned. – Klaus D. Dec 04 '16 at 05:41
  • You might want to pose this question on Security Stack Exchange – Robert Riedl Feb 09 '18 at 08:45

3 Answers

1

Using udev rule or Linux kernel blacklist

Yes, it is possible, but I am not confident it will block all such types of attack. I have only one device and I can't say it is a general solution.

I made a check with a USB net key in Ubuntu 21.10.

Info collecting

  1. udevadm monitor -u

     monitor will print the received events for:
     UDEV - the event which udev sends out after rule processing

     UDEV [108.870714] add    /devices/pci0000:00/0000:00:06.0/usb2/2-2 (usb)
     UDEV [108.951632] add    /module/mii (module)
     UDEV [108.970818] add    /module/usbnet (module)
     UDEV [114.296923] add    /bus/usb/drivers/dm9601 (drivers)
     UDEV [114.310640] add    /module/dm9601 (module)
     UDEV [114.316277] add    /bus/usb/drivers/sr9700 (drivers)
     UDEV [114.324254] add    /module/sr9700 (module)
     UDEV [114.325188] add    /devices/pci0000:00/0000:00:06.0/usb2/2-2/2-2:1.0 (usb)
     UDEV [114.361207] bind   /devices/pci0000:00/0000:00:06.0/usb2/2-2 (usb)
     UDEV [114.446039] add    /devices/pci0000:00/0000:00:06.0/usb2/2-2/2-2:1.0/net/enx00e04c534458 (net)
     UDEV [114.471800] add    /devices/pci0000:00/0000:00:06.0/usb2/2-2/2-2:1.0/net/eth0/queues/tx-0 (queues)
     UDEV [114.591649] add    /devices/pci0000:00/0000:00:06.0/usb2/2-2/2-2:1.0/net/eth0/queues/rx-0 (queues)
     UDEV [114.602864] bind   /devices/pci0000:00/0000:00:06.0/usb2/2-2/2-2:1.0 (usb)
     UDEV [115.079106] move   /devices/pci0000:00/0000:00:06.0/usb2/2-2/2-2:1.0/net/enx00e04c534458 (net)

  2. udevadm info -a -p /devices/pci0000:00/0000:00:06.0/usb2/2-2/2-2:1.0/net/enx00e04c534458

     Udevadm info starts with the device specified by the devpath and then
     walks up the chain of parent devices. It prints for every device
     found, all possible attributes in the udev rules key format.
     A rule to match, can be composed by the attributes of the device
     and the attributes from one single parent device.

       looking at device '/devices/pci0000:00/0000:00:06.0/usb2/2-2/2-2:1.0/net/enx00e04c534458':
         KERNEL=="enx00e04c534458"
         SUBSYSTEM=="net"
         DRIVER==""
         ATTR{addr_assign_type}=="0"
         ATTR{addr_len}=="6"
         ATTR{address}=="00:e0:4c:53:44:58"
         ATTR{broadcast}=="ff:ff:ff:ff:ff:ff"
         ATTR{carrier}=="0"
         ATTR{carrier_changes}=="3"
         ATTR{carrier_down_count}=="2"
         ATTR{carrier_up_count}=="1"
         ATTR{dev_id}=="0x0"
         ATTR{dev_port}=="0"
         ATTR{dormant}=="0"
         ATTR{duplex}=="full"
         ATTR{flags}=="0x1003"
         ATTR{gro_flush_timeout}=="0"
         ATTR{ifalias}==""
         ATTR{ifindex}=="3"
         ATTR{iflink}=="3"
         ATTR{link_mode}=="0"
         ATTR{mtu}=="1500"
         ATTR{name_assign_type}=="4"
         ATTR{napi_defer_hard_irqs}=="0"
         ATTR{netdev_group}=="0"
         ATTR{operstate}=="down"
         ATTR{power/async}=="disabled"
         ATTR{power/control}=="auto"
         ATTR{power/runtime_active_kids}=="0"
         ATTR{power/runtime_active_time}=="0"
         ATTR{power/runtime_enabled}=="disabled"
         ATTR{power/runtime_status}=="unsupported"
         ATTR{power/runtime_suspended_time}=="0"
         ATTR{power/runtime_usage}=="0"
         ATTR{proto_down}=="0"
         ATTR{queues/rx-0/rps_cpus}=="0"
         ATTR{queues/rx-0/rps_flow_cnt}=="0"
         ATTR{queues/tx-0/byte_queue_limits/hold_time}=="1000"
         ATTR{queues/tx-0/byte_queue_limits/inflight}=="0"
         ATTR{queues/tx-0/byte_queue_limits/limit}=="0"
         ATTR{queues/tx-0/byte_queue_limits/limit_max}=="1879048192"
         ATTR{queues/tx-0/byte_queue_limits/limit_min}=="0"
         ATTR{queues/tx-0/tx_maxrate}=="0"
         ATTR{queues/tx-0/tx_timeout}=="0"
         ATTR{queues/tx-0/xps_rxqs}=="0"
         ATTR{speed}=="100"
         ATTR{statistics/collisions}=="0"
         ATTR{statistics/multicast}=="0"
         ATTR{statistics/rx_bytes}=="0"
         ATTR{statistics/rx_compressed}=="0"
         ATTR{statistics/rx_crc_errors}=="0"
         ATTR{statistics/rx_dropped}=="0"
         ATTR{statistics/rx_errors}=="0"
         ATTR{statistics/rx_fifo_errors}=="0"
         ATTR{statistics/rx_frame_errors}=="0"
         ATTR{statistics/rx_length_errors}=="0"
         ATTR{statistics/rx_missed_errors}=="0"
         ATTR{statistics/rx_nohandler}=="0"
         ATTR{statistics/rx_over_errors}=="0"
         ATTR{statistics/rx_packets}=="0"
         ATTR{statistics/tx_aborted_errors}=="0"
         ATTR{statistics/tx_bytes}=="0"
         ATTR{statistics/tx_carrier_errors}=="0"
         ATTR{statistics/tx_compressed}=="0"
         ATTR{statistics/tx_dropped}=="0"
         ATTR{statistics/tx_errors}=="0"
         ATTR{statistics/tx_fifo_errors}=="0"
         ATTR{statistics/tx_heartbeat_errors}=="0"
         ATTR{statistics/tx_packets}=="0"
         ATTR{statistics/tx_window_errors}=="0"
         ATTR{testing}=="0"
         ATTR{threaded}=="0"
         ATTR{tx_queue_len}=="1000"
         ATTR{type}=="1"

       looking at parent device '/devices/pci0000:00/0000:00:06.0/usb2/2-2/2-2:1.0':
         KERNELS=="2-2:1.0"
         SUBSYSTEMS=="usb"
         DRIVERS=="dm9601"
         ATTRS{authorized}=="1"
         ATTRS{bAlternateSetting}==" 0"
         ATTRS{bInterfaceClass}=="00"
         ATTRS{bInterfaceNumber}=="00"
         ATTRS{bInterfaceProtocol}=="00"
         ATTRS{bInterfaceSubClass}=="00"
         ATTRS{bNumEndpoints}=="03"
         ATTRS{power/async}=="enabled"
         ATTRS{power/runtime_active_kids}=="0"
         ATTRS{power/runtime_enabled}=="enabled"
         ATTRS{power/runtime_status}=="active"
         ATTRS{power/runtime_usage}=="1"
         ATTRS{supports_autosuspend}=="1"

       looking at parent device '/devices/pci0000:00/0000:00:06.0/usb2/2-2':
         KERNELS=="2-2"
         SUBSYSTEMS=="usb"
         DRIVERS=="usb"
         ATTRS{authorized}=="1"
         ATTRS{avoid_reset_quirk}=="0"
         ATTRS{bConfigurationValue}=="1"
         ATTRS{bDeviceClass}=="00"
         ATTRS{bDeviceProtocol}=="00"
         ATTRS{bDeviceSubClass}=="00"
         ATTRS{bMaxPacketSize0}=="64"
         ATTRS{bMaxPower}=="120mA"
         ATTRS{bNumConfigurations}=="1"
         ATTRS{bNumInterfaces}==" 1"
         ATTRS{bcdDevice}=="0101"
         ATTRS{bmAttributes}=="80"
         ATTRS{busnum}=="2"
         ATTRS{configuration}==""
         ATTRS{devnum}=="3"
         ATTRS{devpath}=="2"
         ATTRS{idProduct}=="9700"
         ATTRS{idVendor}=="0fe6"
         ATTRS{ltm_capable}=="no"
         ATTRS{maxchild}=="0"
         ATTRS{power/active_duration}=="124280"
         ATTRS{power/async}=="enabled"
         ATTRS{power/autosuspend}=="2"
         ATTRS{power/autosuspend_delay_ms}=="2000"
         ATTRS{power/connected_duration}=="124280"
         ATTRS{power/control}=="on"
         ATTRS{power/level}=="on"
         ATTRS{power/persist}=="1"
         ATTRS{power/runtime_active_kids}=="1"
         ATTRS{power/runtime_active_time}=="123743"
         ATTRS{power/runtime_enabled}=="forbidden"
         ATTRS{power/runtime_status}=="active"
         ATTRS{power/runtime_suspended_time}=="0"
         ATTRS{power/runtime_usage}=="1"
         ATTRS{product}=="USB 2.0 10/100M Ethernet Adaptor"
         ATTRS{quirks}=="0x0"
         ATTRS{removable}=="unknown"
         ATTRS{rx_lanes}=="1"
         ATTRS{speed}=="12"
         ATTRS{tx_lanes}=="1"
         ATTRS{urbnum}=="42458"
         ATTRS{version}==" 1.10"

       looking at parent device '/devices/pci0000:00/0000:00:06.0/usb2':
         KERNELS=="usb2"
         SUBSYSTEMS=="usb"
         DRIVERS=="usb"
         ATTRS{authorized}=="1"
         ATTRS{authorized_default}=="1"
         ATTRS{avoid_reset_quirk}=="0"
         ATTRS{bConfigurationValue}=="1"
         ATTRS{bDeviceClass}=="09"
         ATTRS{bDeviceProtocol}=="00"
         ATTRS{bDeviceSubClass}=="00"
         ATTRS{bMaxPacketSize0}=="64"
         ATTRS{bMaxPower}=="0mA"
         ATTRS{bNumConfigurations}=="1"
         ATTRS{bNumInterfaces}==" 1"
         ATTRS{bcdDevice}=="0513"
         ATTRS{bmAttributes}=="e0"
         ATTRS{busnum}=="2"
         ATTRS{configuration}==""
         ATTRS{devnum}=="1"
         ATTRS{devpath}=="0"
         ATTRS{idProduct}=="0001"
         ATTRS{idVendor}=="1d6b"
         ATTRS{interface_authorized_default}=="1"
         ATTRS{ltm_capable}=="no"
         ATTRS{manufacturer}=="Linux 5.13.0-22-generic ohci_hcd"
         ATTRS{maxchild}=="12"
         ATTRS{power/active_duration}=="232196"
         ATTRS{power/async}=="enabled"
         ATTRS{power/autosuspend}=="0"
         ATTRS{power/autosuspend_delay_ms}=="0"
         ATTRS{power/connected_duration}=="232196"
         ATTRS{power/control}=="auto"
         ATTRS{power/level}=="auto"
         ATTRS{power/runtime_active_kids}=="2"
         ATTRS{power/runtime_active_time}=="232137"
         ATTRS{power/runtime_enabled}=="enabled"
         ATTRS{power/runtime_status}=="active"
         ATTRS{power/runtime_suspended_time}=="0"
         ATTRS{power/runtime_usage}=="0"
         ATTRS{power/wakeup}=="disabled"
         ATTRS{power/wakeup_abort_count}==""
         ATTRS{power/wakeup_active}==""
         ATTRS{power/wakeup_active_count}==""
         ATTRS{power/wakeup_count}==""
         ATTRS{power/wakeup_expire_count}==""
         ATTRS{power/wakeup_last_time_ms}==""
         ATTRS{power/wakeup_max_time_ms}==""
         ATTRS{power/wakeup_total_time_ms}==""
         ATTRS{product}=="OHCI PCI host controller"
         ATTRS{quirks}=="0x0"
         ATTRS{removable}=="unknown"
         ATTRS{rx_lanes}=="1"
         ATTRS{serial}=="0000:00:06.0"
         ATTRS{speed}=="12"
         ATTRS{tx_lanes}=="1"
         ATTRS{urbnum}=="65"
         ATTRS{version}==" 1.10"

       looking at parent device '/devices/pci0000:00/0000:00:06.0':
         KERNELS=="0000:00:06.0"
         SUBSYSTEMS=="pci"
         DRIVERS=="ohci-pci"
         ATTRS{ari_enabled}=="0"
         ATTRS{broken_parity_status}=="0"
         ATTRS{class}=="0x0c0310"
         ATTRS{consistent_dma_mask_bits}=="32"
         ATTRS{d3cold_allowed}=="0"
         ATTRS{device}=="0x003f"
         ATTRS{dma_mask_bits}=="32"
         ATTRS{driver_override}=="(null)"
         ATTRS{enable}=="1"
         ATTRS{irq}=="22"
         ATTRS{local_cpulist}=="0"
         ATTRS{local_cpus}=="1"
         ATTRS{msi_bus}=="1"
         ATTRS{numa_node}=="-1"
         ATTRS{power/async}=="enabled"
         ATTRS{power/control}=="on"
         ATTRS{power/runtime_active_kids}=="1"
         ATTRS{power/runtime_active_time}=="232396"
         ATTRS{power/runtime_enabled}=="forbidden"
         ATTRS{power/runtime_status}=="active"
         ATTRS{power/runtime_suspended_time}=="0"
         ATTRS{power/runtime_usage}=="2"
         ATTRS{power/wakeup}=="enabled"
         ATTRS{power/wakeup_abort_count}=="0"
         ATTRS{power/wakeup_active}=="0"
         ATTRS{power/wakeup_active_count}=="0"
         ATTRS{power/wakeup_count}=="0"
         ATTRS{power/wakeup_expire_count}=="0"
         ATTRS{power/wakeup_last_time_ms}=="0"
         ATTRS{power/wakeup_max_time_ms}=="0"
         ATTRS{power/wakeup_total_time_ms}=="0"
         ATTRS{power_state}=="D0"
         ATTRS{revision}=="0x00"
         ATTRS{subsystem_device}=="0x0000"
         ATTRS{subsystem_vendor}=="0x0000"
         ATTRS{vendor}=="0x106b"

       looking at parent device '/devices/pci0000:00':
         KERNELS=="pci0000:00"
         SUBSYSTEMS==""
         DRIVERS==""
         ATTRS{power/async}=="enabled"
         ATTRS{power/control}=="auto"
         ATTRS{power/runtime_active_kids}=="11"
         ATTRS{power/runtime_active_time}=="0"
         ATTRS{power/runtime_enabled}=="disabled"
         ATTRS{power/runtime_status}=="unsupported"
         ATTRS{power/runtime_suspended_time}=="0"
         ATTRS{power/runtime_usage}=="0"
         ATTRS{waiting_for_supplier}=="0"

  3. lsusb; echo; lsusb -t

     Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
     Bus 002 Device 003: ID 0fe6:9700 ICS Advent DM9601 Fast Ethernet Adapter
     Bus 002 Device 002: ID 80ee:0021 VirtualBox USB Tablet
     Bus 002 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub

     /:  Bus 02.Port 1: Dev 1, Class=root_hub, Driver=ohci-pci/12p, 12M
         |__ Port 1: Dev 2, If 0, Class=Human Interface Device, Driver=usbhid, 12M
         |__ Port 2: Dev 3, If 0, Class=, Driver=dm9601, 12M
     /:  Bus 01.Port 1: Dev 1, Class=root_hub, Driver=ehci-pci/12p, 480M

Linux kernel blacklist

As you may notice from the udev monitor output, the usbnet module gets loaded.

Udev rule

One that seems clear is this condition:

ACTION=="add",SUBSYSTEM=="net", SUBSYSTEMS=="usb",...

So it is the newly added net node which has a parent usb node.

Then target that leaf node or its parent node to be removed, de-authorized, or have its driver unbound, as in this answer about blocking USB storage devices.

user.dz
  • 48,105
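A worked version of both options in this answer, added here as an example and not taken from the answer or from Ubuntu: the udev condition above extended with a RUN action that de-authorizes the owning USB device through its sysfs `authorized` attribute (the attribute visible at the `2-2` and `2-2:1.0` levels of the `udevadm info` output), plus the modprobe override for the "Linux kernel blacklist" route. The rule and helper file names, and the helper's argument convention, are my own choices.

```shell
#!/bin/sh
# Added example (not code from the answer or from Ubuntu): a udev rule that
# de-authorizes a USB device as soon as the kernel registers a network
# interface on it, the helper the rule runs, and a modprobe override for the
# blacklist approach. File names and argument convention are my choice.

RULE_FILE=/etc/udev/rules.d/99-usbnet-deny.rules
HELPER=/usr/local/sbin/usbnet-deny.sh
MODPROBE_FILE=/etc/modprobe.d/usbnet-deny.conf

# The answer's condition (a net node whose ancestor is a USB device), plus a
# RUN action. $env{DEVPATH} is the sysfs path of the new interface, e.g.
#   /devices/pci0000:00/0000:00:06.0/usb2/2-2/2-2:1.0/net/enx00e04c534458
# In systemd-udevd, RUN programs execute before the event is handed to
# listeners such as NetworkManager, so the interface is gone before anyone
# can bring it up. Confirm on your release with: udevadm monitor -u
UDEV_RULE='ACTION=="add", SUBSYSTEM=="net", SUBSYSTEMS=="usb", RUN+="'"$HELPER"' deny $env{DEVPATH}"'

# Blacklist route. A plain "blacklist usbnet" line only stops alias-based
# autoloading and is bypassed when dm9601 pulls usbnet in as a dependency;
# the "install" override blocks every modprobe of it. Adapters whose driver
# does not sit on usbnet (r8152, for instance) are not covered, which is why
# the udev rule is the broader tool.
MODPROBE_CONF='install usbnet /bin/false'

# Map the interface DEVPATH to the USB device that owns it:
#   strip "/net/<iface>"  -> .../usb2/2-2/2-2:1.0   (USB interface node)
#   strip last component -> .../usb2/2-2           (USB device node)
usb_device_path() {
    _p="${1%/net/*}"
    _p="${_p%/*}"
    printf '/sys%s\n' "$_p"
}

# Writing 0 to the device's "authorized" attribute makes the kernel drop the
# device and unbind every driver on it (dm9601, usbnet, ...). To block only
# the network function of a composite device, write to the interface node's
# own "authorized" file instead (the 2-2:1.0 level in the answer's output).
deny_usb_device() {
    _dev=$(usb_device_path "$1")
    [ -w "$_dev/authorized" ] || return 1
    echo 0 > "$_dev/authorized"
    logger -t usbnet-deny "de-authorized USB network device at $_dev"
}

# Install this script as the helper, drop the rule and the modprobe override
# in place, and make udev re-read its rules.
install_rule() {
    install -m 0755 "$0" "$HELPER"
    printf '%s\n' "$UDEV_RULE" > "$RULE_FILE"
    printf '%s\n' "$MODPROBE_CONF" > "$MODPROBE_FILE"
    udevadm control --reload
}

case "${1:-}" in
    deny)    deny_usb_device "$2" ;;
    install) install_rule ;;
esac
```

Run it once as root with the `install` argument, then plug the adapter in and watch `udevadm monitor -u`: the `add` for the net node should be followed by `remove` events for the whole device. `udevadm test /sys/class/net/<iface>` on an already-present adapter shows whether the rule matches without executing the RUN program. Keep in mind that de-authorizing at the device level takes down every function of a composite device, so a dock's or gadget's other functions go with it; the interface-level `authorized` file is the finer-grained option.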
0

I think usbguard could be a good fit for you. Looking at device class ids, rules would be like:

block with-interface equals { 02:*:* }
block with-interface equals { 0A:*:* }
block with-interface equals { E0:*:* }
allow

Of course, you can also be more specific, build a whitelist instead, etc. You may also want to whitelist your Bluetooth device. The package has examples; there is also an applet.

A "pure udev" way may also exist.

Jacopo
  • 746
0

I think the attack is not working anymore because the kernel assigns a lower priority to the USB ethernet interface.

So the system will continue to use your currently running interface, and not the newly plugged-in USB-to-ethernet one.

At least, the last time I tried, it worked like that. Just look at the output of ip route. The USB-to-ethernet interface will have a metric higher than the previous interface, so a lower priority.

So for this to work, the attacker has to unplug your ethernet cable or perform a deauth attack on your wifi interface.

solsTiCe
  • 9,231
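A way to turn the "look at the output of ip route" step into a repeatable check, added here as an example and not part of the answer: the metric a new interface receives is set by whatever configured it (the kernel, NetworkManager, systemd-networkd), so it is worth reading the table rather than assuming. The route lines below are constructed samples in the format `ip route` prints; the interface names are taken from the other answers on this page.

```shell
#!/bin/sh
# Added example, not from the answer: find which interface owns the preferred
# default route in `ip route` output. Both route tables below are constructed
# samples, not captured from a real machine.

# Wifi default route at metric 600; a freshly plugged USB adapter whose
# default route was given metric 100, so it would win.
SAMPLE_USB_WINS='default via 192.168.1.1 dev wlp3s0 proto dhcp metric 600
default via 10.0.0.1 dev enx00e04c534458 proto dhcp metric 100
192.168.1.0/24 dev wlp3s0 proto kernel scope link src 192.168.1.23 metric 600
10.0.0.0/24 dev enx00e04c534458 proto kernel scope link src 10.0.0.5 metric 100'

# Same machine, but the USB adapter got the higher metric the answer describes.
SAMPLE_WIFI_WINS='default via 192.168.1.1 dev wlp3s0 proto dhcp metric 600
default via 10.0.0.1 dev enx00e04c534458 proto dhcp metric 700
192.168.1.0/24 dev wlp3s0 proto kernel scope link src 192.168.1.23 metric 600'

# Print the device of the lowest-metric default route. A default route with
# no "metric" word has metric 0 and therefore beats every numbered one.
winning_default_iface() {
    printf '%s\n' "$1" | awk '
        $1 == "default" {
            dev = ""; metric = 0
            for (i = 2; i <= NF; i++) {
                if ($i == "dev")    dev = $(i + 1)
                if ($i == "metric") metric = $(i + 1) + 0
            }
            if (best == "" || metric < bestm) { best = dev; bestm = metric }
        }
        END { print best }'
}

# Exit 0 when the named interface (e.g. the new USB adapter) owns the
# preferred default route, 1 otherwise. Against the live table:
#   usb_is_preferred "$(ip route)" enx00e04c534458
usb_is_preferred() {
    [ "$(winning_default_iface "$1")" = "$2" ]
}
```

If `usb_is_preferred` succeeds for a USB adapter you did not configure yourself, the metric ordering this answer relies on does not hold on your system and traffic is already leaving through the new interface; that is the case where one of the blocking approaches in the other answers is needed rather than relying on route priority.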