Issue 734408
Issue metadata

Status: Assigned
OS: Chrome
Pri: 2
Type: Feature

Policy needed to disable external USB device by hardware ID

Reported by paulrich...@gmail.com, Jun 18 2017

Issue description

UserAgent: Mozilla/5.0 (X11; CrOS aarch64 9334.72.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.140 Safari/537.36

Steps to reproduce the problem:
1. Create PoisonTap USB device per https://samy.pl/poisontap/
2. Plug PoisonTap into Chromebook
3. Chromebook trusts PoisonTap as Ethernet device and is exploited https://youtu.be/DJg-mI3tuaU

What is the expected behavior?
Chrome Policy blacklists specific hardware ID of the USB device.

What went wrong?
There appears to be no Chrome device policy to disable a specific external USB device by hardware ID. There is only a complete disable of all USB devices, which is not practical in many scenarios such as schools.

Did this work before? N/A

Chrome version: 58.0.3029.140 Channel: stable
OS Version: 9334.72.0
Flash Version: Shockwave Flash 25.0 r0

An alternate approach could be to disable all USB hardware IDs except those on a whitelist.

Comment 1 by est...@chromium.org, Jun 19 2017

Cc: jorgelo@chromium.org kerrnel@chromium.org
jorgelo, kerrnel, can you take a look and see if there's anything to be done here? This sounds to me like a feature request so I'm inclined to remove security labels, but let me know if you disagree.
What stops an attacker from just changing the hardware ID of the attack device?

FWIW: PoisonTap was previously filed as Issue 673105.
Nothing prevents a determined attacker from spoofing USB hardware ID, however a hardware ID blacklist or whitelist policy is an additional granular layer of security that is appreciated by enterprise IT security teams. It would at least frustrate the unskilled bad actors, e.g. people following instructions they found online.

Also consider that this is being portrayed (dishonestly in my opinion) by Microsoft marketing as a security weakness of ChromeOS.
Components: Enterprise
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam Type-Feature
Owner: dskaram@chromium.org
Status: Untriaged (was: Unconfirmed)
FWIW, the only realistic meaningful mitigation that I can see is to disable or prompt for classes of devices (i.e. not specific vendor/device IDs). E.g. give the user (or more realistically, admins on enterprise devices) the ability to say "disallow" or "prompt user" before loading drivers for USB network devices, USB input devices, etc. (the latter only makes sense for devices with built-in input devices obviously).

Agree with the assessment that this is working as intended, so not a security bug but a feature request. Relabeling accordingly.

FWIW, we already do have a policy to block external storage media, which this may fit in with. Over to dskaram@ to prioritize from the Enterprise side.
Status: Assigned (was: Untriaged)
Owner: marcuskoehler@chromium.org
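To make the distinction drawn in the triage comments concrete (a vendor/product-ID blacklist versus a per-class allow/prompt/block policy), here is an added Python example that is not part of the issue, of Chrome OS, or of any real policy implementation. It evaluates constructed USB device records against both policies; every vendor/product ID and the policy tables are made up for illustration, and the class codes are the standard USB-IF interface class values.

```python
from dataclasses import dataclass
from typing import Dict, Set, Tuple

# USB interface class codes from the USB-IF class code list.
USB_CLASS_CDC = 0x02          # Communications; subclass 0x06 is Ethernet Networking Control Model
USB_CLASS_HID = 0x03          # Human Interface Device (keyboards, mice)
USB_CLASS_MASS_STORAGE = 0x08
USB_CLASS_WIRELESS = 0xE0     # one common RNDIS signature is class 0xE0, subclass 0x01, protocol 0x03
CDC_SUBCLASS_ETHERNET = 0x06

Interface = Tuple[int, int, int]  # (bInterfaceClass, bInterfaceSubClass, bInterfaceProtocol)

@dataclass(frozen=True)
class UsbDevice:
    vendor_id: int
    product_id: int
    interfaces: Tuple[Interface, ...]

def device_category(dev: UsbDevice) -> str:
    """Classify a device by what its interface descriptors declare, not by the IDs it claims."""
    for cls, sub, proto in dev.interfaces:
        if (cls, sub) == (USB_CLASS_CDC, CDC_SUBCLASS_ETHERNET):
            return "network"
        if (cls, sub, proto) == (USB_CLASS_WIRELESS, 0x01, 0x03):  # RNDIS
            return "network"
    if any(cls == USB_CLASS_MASS_STORAGE for cls, _, _ in dev.interfaces):
        return "storage"
    if any(cls == USB_CLASS_HID for cls, _, _ in dev.interfaces):
        return "input"
    return "other"

def id_blacklist_decision(dev: UsbDevice, blacklist: Set[Tuple[int, int]]) -> str:
    """The policy the reporter asked for: block only listed (vendor_id, product_id) pairs."""
    return "block" if (dev.vendor_id, dev.product_id) in blacklist else "allow"

def class_policy_decision(dev: UsbDevice, policy: Dict[str, str]) -> str:
    """The class-based policy from the triage comment: allow / prompt / block per device category."""
    return policy.get(device_category(dev), "allow")

# Constructed sample devices; all IDs are illustrative, not taken from any real product list.
ETHERNET_GADGET = UsbDevice(0x0525, 0xA4A2, ((USB_CLASS_CDC, CDC_SUBCLASS_ETHERNET, 0x00),))
RENAMED_GADGET = UsbDevice(0x1234, 0x5678, ETHERNET_GADGET.interfaces)  # same function, new IDs
KEYBOARD = UsbDevice(0x2468, 0x1357, ((USB_CLASS_HID, 0x01, 0x01),))

BLACKLIST = {(0x0525, 0xA4A2)}                                   # constructed blacklist entry
CLASS_POLICY = {"network": "block", "storage": "block", "input": "prompt"}

def compare(dev: UsbDevice) -> Tuple[str, str]:
    """Return (blacklist decision, class-policy decision) for one device."""
    return id_blacklist_decision(dev, BLACKLIST), class_policy_decision(dev, CLASS_POLICY)
```

The renamed gadget slips past the ID blacklist ("allow") but is still blocked by the class policy, since it must still enumerate as a network interface to do anything.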
