Hub detection? #9
Comments
Hey! Happy to hear this :-) Regarding your questions:
Thanks! |
When I plug a hub or any USB device into a computer, the computer detects it (via system log, device manager, etc.). One of the attack methods suggested (in 2010, at DEF CON 18) was to attach a light sensor (or perhaps a motion sensor) on the device, so it waits for a period of inactivity before injecting keystrokes. He also suggested hiding the HID device inside something using a hub. So, if I plug in a "cable", but it has a device that injects nothing when plugged in, would USBValve detect this? Or for instance suppose I modified the EvilCrow injection script to delay 100 seconds before entering keystrokes. Would USBValve tell me this before those 100 seconds elapsed? (I've ordered that cable, so I plan to test this when it arrives). It seems to me that detecting the presence of new USB devices would be useful. I looked into the code of TinyUSB and I'm not sure how to do this. |
A "pure" data cable is just a breakout of the 4 USB pins, prolonging the connections out of the box. If we speak about other USB devices (or "smart" cables with some "intelligence" in them) we are in a different field.
Yes, but: USBvalve has two kinds of messages related to HID devices: one is about
For sure it will not detect the Thanks! |
I will do so when the cable arrives. But it seems to me that a computer can tell the difference between a hub and a HID. It might be nice to have this ability. I wonder if a device can pretend to be a hub, and then change into a HID at a later time. I don't know enough about the protocol to know what can be done. |
Thanks! Without going into USB protocol details, I may say that:
Yes, the HUB devices can be recognized, I think it should be feasible. I'll have a look into it after the release of Thanks. |
I fear there is little to protect you from an attacker hiding malicious functionality inside a modified cable with extra chips or manipulated devices. If the malicious activity is triggered on special conditions, like mentioned in that DEF CON talk, then you won't detect it by checking the device with USBvalve. You would need a firewall to allow only specific device classes on USB. For example, if you want to do USB Mass storage, it should not allow HID, to prevent the device from typing as a keyboard. There are some projects around doing this like or software: USBvalve would detect relatively simple bad USB devices acting immediately. |
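As an added illustration (not part of the thread, and not USBvalve or TinyUSB code), the C sketch below shows the kind of class check discussed in the comments above: it walks the descriptors a device declares, flags the hub (0x09) and HID (0x03) classes, and applies an allowlist. The function names, flags and sample descriptors are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>

/* Class codes and descriptor type from the USB specification. */
#define USB_CLASS_HID 0x03
#define USB_CLASS_MSC 0x08
#define USB_CLASS_HUB 0x09
#define USB_DT_INTERFACE 0x04

/* Hypothetical result flags for this example. */
enum { SEEN_HID = 1, SEEN_MSC = 2, SEEN_HUB = 4, SEEN_OTHER = 8, SEEN_MALFORMED = 16 };

/* Constructed sample: a "flash drive" that also declares a HID keyboard interface. */
static const uint8_t SAMPLE_COMPOSITE[] = {
    9, 2, 57, 0, 2, 1, 0, 0x80, 50,               /* configuration header */
    9, 4, 0, 0, 2, 0x08, 0x06, 0x50, 0,           /* interface 0: mass storage */
    7, 5, 0x81, 2, 64, 0, 0,  7, 5, 0x02, 2, 64, 0, 0,
    9, 4, 1, 0, 1, 0x03, 0x01, 0x01, 0,           /* interface 1: HID boot keyboard */
    9, 0x21, 0x11, 0x01, 0, 1, 0x22, 63, 0,  7, 5, 0x83, 3, 8, 0, 10 };
/* Constructed sample: a hub (bDeviceClass 0x09 is passed separately). */
static const uint8_t SAMPLE_HUB[] = {
    9, 2, 25, 0, 1, 1, 0, 0xE0, 50,  9, 4, 0, 0, 1, 0x09, 0, 0, 0,  7, 5, 0x81, 3, 1, 0, 12 };

static unsigned class_flag(uint8_t cls) {
    return cls == USB_CLASS_HID ? SEEN_HID : cls == USB_CLASS_MSC ? SEEN_MSC
         : cls == USB_CLASS_HUB ? SEEN_HUB : SEEN_OTHER;
}

/* dev_class is bDeviceClass from the device descriptor (0 = class given per interface).
   cfg/len is the raw configuration descriptor as read during enumeration. */
unsigned usb_classes_seen(uint8_t dev_class, const uint8_t *cfg, size_t len) {
    unsigned seen = dev_class ? class_flag(dev_class) : 0;
    size_t off = 0;
    while (off < len) {
        if (len - off < 2) return seen | SEEN_MALFORMED;
        uint8_t blen = cfg[off], btype = cfg[off + 1];
        if (blen < 2 || blen > len - off) return seen | SEEN_MALFORMED;
        if (btype == USB_DT_INTERFACE) {
            if (blen < 9) return seen | SEEN_MALFORMED;
            seen |= class_flag(cfg[off + 5]);      /* bInterfaceClass */
        }
        off += blen;
    }
    return seen;
}

/* Accept only if every declared class is inside the allowed mask. */
int usb_policy_allows(unsigned seen, unsigned allowed) {
    return (seen & ~allowed) == 0;
}
```

Descriptors only show what a device declares at that enumeration, so a check like this has to run on every attach and re-enumeration.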
I know this is an older issue. Sorry to resurrect it but I thought I would add some information as of version 17. If the EvilCrow acts anything like an OMG cable, then I can confirm that the USBvalve does detect it. The OMG cable I tested waits X amount of seconds before executing malicious script. What the USBvalve shows is that the device initially connects. Then after X seconds pass and it attempts to send data the USBvalve shows DEVICE IS SENDING DATA on the screen. It didn't matter if I edited the script to wait less or more time before executing; the end result was the same. Additionally I also tested the cable using its built-in Wi-Fi connection to edit and send malicious code on the fly. The result was the same. Now there are some additional features of the cable, which are more advanced and might be able to go undetected with a USBValve. Unfortunately I wasn't able to test all of its features as I had limited time with the cable before I had to return it. |
Thanks for the info @Tz1rf |
My USBValve is working. THANK YOU!
But I have some questions.
Is it possible to detect if a USB hub (perhaps hidden inside a keyboard or cable) is attached to the USBValve?
A $40 product detects evil cables by monitoring power using a side channel. Is there some way to add this into a new revision?