Comment by megous
6 years ago
USB protocols are often times handled in SW, some in Linux kernel, some in userspace. So if someone discovers RCE over USB in Linux USB stack, modem will have direct memory access, or even RCE on the main CPU with kernel privileges.
I have no experience with PCIe so maybe it's harder with USB to abuse the host system, than with PCIe these days.
You can think of USB as being similar to using a TCP/IP protocol between multiple machines capable of executing code, and having to execute code to handle higher level protocols, like HTTP or whatnot. If there's a code execution bug anywhere, the USB capable device will be able to exploit it.
And by default, there's a code-execution bug on all normally configured Linux machines. If you'll not create a USB "firewall", modem can just create a virtual keyboard and kernel will happily accept all input from it, for example. So modem can just type whatever it wants to your shell. It will be obvious, but, it's still device->host RCE.
We're not in disagreement (I never claimed or even implied that USB is bug-free) -- but in order to get an RCE or DMA-like access you first need to exploit the USB stack. PCIe gives you that kind of access for free by design (almost -- there is IOMMU these days but there is little evidence that it is nearly as secure as hardware vendors claim, and you'd need to have phone hardware which supports it).