New 'USG' Firewalls Protect USB Drives From Malicious Attacks

A developer has created the USG, "a small, portable hardware USB firewall...to prevent malicious USB sticks and devices laden with malware from infecting your computer." An anonymous reader quotes ZDNet: The problem is that most computers automatically trust every USB device that's plugged in, which means malicious code can run without warning... Cars, cash registers, and some ATMs also come with USB ports, all of which can be vulnerable to cyberattacks from a single USB stick. That's where the USG firewall comes in...a simple hardware serial link that only accepts a very few select number of safe commands, which prevents the device from executing system commands or intercepting network traffic. That means the data can flow from the USB device, but [it] effectively blocks other USB exploits.
The firmware has been open sourced, and the technical specifications have also been released online "to allow anyone to build their own from readily available development boards."

good thing is that you can stack them USG-USG-USB

[kiviQr]

Just in case first gets hacked you can stack them USG-USG-USG-USG-...-USB

So what is it for?

[NotInHere]

Sorry, but couldn't get past all that sheep speak (aka dumbed down language). What exactly is that bridge for? Preventing badusb? Actually checking for malware files stored on the usb stick's filesystem? Preventing computers to flash the usb stick's firmware to make attacks permanent?

Re:

[arth1]

Until they get slammed by ZyXEL for using USG as a name for a firewall. Anyone not doing even basic research here deserves to be slammed too.

Re:

[Swave An deBwoner]

You'd have to read the wiki article at the first link four words into the slashdot summary, but yeah, that's what the developer says:

https://github.com/robertfisk/USG/wiki [github.com]

The USG isolates BadUSB devices from your computer, while still passing through the data you need.

Re:

[Hognoxious]

It only has 4 pins. If we can find which one carries the Evil Bit can't we just snip it?

Re:

[gweihir]

It is about preventing an USB stick from claiming to be something else, e.g. a keyboard or a network card. Not that that helps any if there is a malicious executable on the stick...

Re:

[guruevi]

Even trudging through the code, it's hard to decipher what it actually does besides implement a basic USB host and USB target and then proxy the commands (with some minor filtering for things that aren't "spec"). I'm supposing that you plug it in, and you have to program it yourself to accept a certain device or range of devices which you 'trust' but even then, it's not going to prevent someone from making a USB thing that emulates your USB thing and does malicious things.

I'm sure you can eventually turn it

So...

[Wolfrider]

--Will the USG device protect against a thumbdrive that would fry your *computer* (electrically) if you plugged it in?

Re:

[currently_awake]

Assuming the bridge doesn't connect to the computers USB power rails, yes. Once.

USB1 only

[sirsnork]

Sadly it's only USB1, so basically useless for moving files, which I imagine is the designed purpose. A cool device certainly, but at USB1 speeds more of a cool research project than something actually useful

Re:

[retroworks]

Thank you sirsnork for participating on Slashdot. Comments like yours bring me back. I have no mod points at the moment.

Bad Keyboard Still Possible

[mentil]

As far as I could glean from the article, the USG does nothing to stop USB devices from registering as a keyboard and then emulating keypresses to open up a back door. Having a physical switch on the USG that indicates 'this device is a keyboard' could stop that... for malicious devices that aren't actually USB keyboards.

I'm also skeptical hat the 'short list of approved commands' is 100% safe and there are no driver vulnerabilities linked to any of those commands. Also, if you plug a new USB device in thru this USG and it doesn't work, are you going to say 'too bad, probably infected', or are you going to remove the USG and try again?

Re: Bad Keyboard Still Possible

[Anonymous Coward]

Simply lock the computer when you leave it to prevent fake keyboard.
This is more for blocking something like the Bash Bunny. That thing will backdoor a locked computer by pretending it's a USB NIC.

Re:

[AmiMoJo]

I'm also skeptical hat the 'short list of approved commands' is 100% safe and there are no driver vulnerabilities linked to any of those commands.

Me too. USB doesn't use "commands". There are no USB commands. Perhaps they mean that they filter SCSI commands for USB flash drives or something.

In any case, many of the vulnerabilities are likely to be down to malformed descriptors. Descriptors tell the computer what the USB device is and in the case of standard things like keyboards and flash drives there are descriptors that give the parameters required to talk to it. Driver vulnerabilities will mostly be in the way these descriptors are parsed.

It also

Re:

[thegarbz]

It is as useless as a virus scanner is at preventing a user from writing their password on a post-it on the screen. That is to say, both you and the GP are talking about a different attack vector than the BadUSB vulnerability which relies on being able to enumerate two different devices at once at run time on the same bus and do something malicious while pretending to do something else. E.g. a USB mass storage device that logs keystrokes. This device here will prevent either the keylogging or the USB mass s

Re:

[jabuzz]

True, but the next step is to put a hub in the middle integrated into the USB stick. So you see a USB hub plugged into a port with a USB mass storage device and a USB keyboard attached. We are then right back to square one. I guess the firewall could be programmed to reject hubs to prevent this, but it's all getting rather messy. The better solution is to stop using USB anything to move data about; the network is the computer remember.

Re:

[thegarbz]

That's not too silly and I've done this myself. I built a device which presents to the OS as a USB hub as a quick and dirty way to work around two microcontrollers communicating on one USB bus without having to design and program a bus system between them.

This would easily defeat this device as far as I can see.

Re:

[thegarbz]

As far as I could glean from the article, the USG does nothing to stop USB devices from registering as a keyboard and then emulating keypresses to open up a back door.

No it doesn't. As far as I can understand what it does do is prevent a USB mass storage device, or a USB network card, or a USB monitor, etc, etc, pretending to be both what it is and also a keyboard at the same time. It also prevents it from changing at some point while being used to do something malicious and then changing back. What you are describing is a different attack vector to the BadUSB exploit this is designed to prevent.

People picking up dirty USB sticks in the carpark will only continue to use

Re:

[wonkey_monkey]

Because there are some USB devices which have a legitimate purpose for doing all of these "bad" things, so they'd be rendered useless.

Re:

[fibonacci8]

I'll bite... Name one device that presents itself as one type of device to the user and then presents itself as a different type of device to the USB subsystem inside the computer that could be described as "a legitimate purpose". Some devices do, but that doesn't fit any definition of the word "legitimate" that I've encountered. Intentionally hiding things from users is the opposite of legitimate.

Re:

[x0ra]

mass storage + serial interface to the same device.

Re:

[thegarbz]

I have yet to see a device like this. I have seen plenty of devices which will enumerate as different devices on connect by user request (e.g. reboot in firmware download mode, hold down something while plugging it in etc), but I've yet to come across a device that actually will attempt to enumerate both states at once.

Re:why

[heypete]

I have Huawei USB cellular modem that identifies itself simultaneously as:
1. USB mass storage, if one has a microSD card in the internal slot. This is handy for storing files and whatnot on the stick.
2. As a CD-ROM drive with a virtual CD containing the drivers needed for the cellular modem functionality, so the user can install the drivers needed while only possessing the stick itself (e.g. no real CD, no internet download, etc.).
3. As a cellular modem.

Re:

[BronsCon]

And, even if this was disallowed, USB hubs still exist. The device could just as well present itself as a hub with those three things connected. Like you, I don't know why people are getting all worked up over this as though it's something they could actually protect against.

"Accept the things I cannot change" and all that.

Re:

[SandorZoo]

Ubikeys look like secuity dongles, but present themeselves as keyboards [yubico.com] so instead of retyping a long one-time-key, you just press a button and it "types" it for you. All without needing OS specific drivers. But they doen't look like a keyboard.

A waste of money

[techno-vampire]

I've never yet seen an OS where you can't turn autorun off. Once you've done that, why do you need this?

Re:

[Mr0bvious]

USB devices can be more than file systems.

Having autorun off is not going to stop a USB device pretending to be a keyboard or mouse or whatnot.

Re:

[thegarbz]

You can prevent Windows from installing new USB devices by type.

Mind you if you're keyboard then breaks you're screwed without some form of remote access or a PS/2 port.

Re:

[thegarbz]

It's not auto-running a file on a filesystem. It's automatically talking to the firmware on the USB controller, something that every OS needs to allow for a USB device to function.

Re:

[_Sharp'r_]

Why can't you just use a different USB driver for your OS that filters, alerts on, requires additional permission for, or blocks whatever you want, rather than buying a new piece of hardware?

I mean, I get the voltage thing to fry a port, but that's a DOS attack no worse than someone who is physically there just smashing the port/computer. Why not just secure the USB device driver in the first place?

Re:

[thegarbz]

This device won't prevent the frying of the port.

And yes you can prevent BadUSB by diligently disabling auto-installation of new USB devices (no need for a driver, you can do that in Group Policy). You can even do it on a per ID basis. However I mentioned what could go wrong in another thread: Say you've locked down the system by ID to prevent auto-install of new USB HID devices (the key-logging portion of this attack).

And your keyboard / mouse combination breaks.

What now? You need the exact same make and m

The problem is most Windows computers

[najajomo]

"The problem is that most computers automatically trust every USB device that's plugged in, which means malicious code can run without warning"

Windows only I presume ..

Bootstrapping after a keyboard replacement

[tepples]

What might be better is if the OS keeps a whitelist of devices that it's seen and prompts if it sees a new device with some information about what the device actually wants to try and do or be.

When your desktop PC's keyboard breaks, good luck adding the replacement you purchased to its whitelist.

Re:

[BronsCon]

Plug it in, use the mouse to click "OK" on the prompt.

Re:

[BronsCon]

Imagine booting for the first time and not having enabled this yet, or this being a Windows driver-based security measure that doesn't take effect until Windows loads its drivers, allowing the new keyboard to be used to boot into a mode where this protection is temporarily disabled in case of this very situation. My IQ is up there, but I'm no super-genius, and it only took me about 5 seconds to solve both of those problems.

Re:

[tepples]

And use what to enter your password so that the OS knows the click on OK is coming from an administrator?

Re:

[BronsCon]

The on-screen keyboard that Windows has had since at least as far back as XP.

On-screen keyboard failures

[tepples]

I don't see how a user could use the on-screen keyboard to authenticate to Windows when the elevation prompt covers up the on-screen keyboard [microsoft.com] or when pressing Ctrl+Alt+Del on the login or lock screen does not cause the password prompt to appear [superuser.com].

Nor does it help if the user replaced a broken mouse at the same time.

Re:

[BronsCon]

Come to think of it, I don't recall ever having to type my password into a UAC prompt. I'll grant your point about the mouse, but also point out that Windows' driver-based protection measures can't take effect until Windows has loaded those drivers. If actually ever implemented, it should be possible to boot into safe mode with that protection disabled to add a device to the whitlist; the extra paranoid can unplug all but the new keyboard before doing so.

Re:

[BronsCon]

You know, I realize I didn't address your point fully. Let me clarify: non-admin users should not be modifying system security functions in the first place. If the issue you mention affects you, you are a non-admin user and should not be adding USB devices to any whitelist; you should be contacting an admin user, who can log in with the on-screen keyboard and add the new keyboard to the whitelist simply by clicking the "OK" button on the UAC prompt.

Alternately, since you purport to know the administrator

Re:

[tepples]

pressing Ctrl+Alt+Del on the login or lock screen does not cause the password prompt to appear

an admin user, who can log in with the on-screen keyboard

Not if Windows fails to show the login prompt in the first place because it fails to respond to Ctrl+Alt+Del on the on-screen keyboard.

Re:

[kaatochacha]

On a daily basis, I'm forced to modify system security functions under non admin accounts using admin credentials.

Re:

[BronsCon]

... which wouldn't affect safe mode with this protection temporarily disabled. You're smarter than this. Stop, think, and quit embarassing yourself.

Re:

[BronsCon]

That's highly unusual. Have you considered that you are either doing something wrong, or doing something that most users don't do (e.g. unusual)? In any case, though, you have admin credentials in order to be able to do that, which means you could sign in to an admin account to add the new keyboard and/or mouse to the whitelist.

Over charging protection?

[gurps_npc]

This device does not stop the worst of the USB issues the Capacitor killer that draws in electricity, charges a capacitor, then releases it all back into the PC at high voltage and capacity, frying the computer.

If you read the link to the article..

[Neuronwelder]

The USG admits it's not high level. But to me it's a start. And a start is better than having nothing. (I wonder if if protects against bad memory sticks that fry your computer??)

Will it protect the PC from the USB Killer device?

[ayesnymous]

There was an article here a few months ago about a USB Killer device that will send a stream of electricity to whatever device it's plugged into, destroying the USB port at minimum, or the entire device at worst.

USG?

[c10]

It's probaly more drywall than firewall.