Comment by Findecanor

21 hours ago

A few years ago, plugging in a Razer USB mouse made Windows download and run a installer from which the current user could start PowerShell with administrator privileges. Razer first tried to downplay the issue, but fixed it later. [1]

The USB protocol does not have any authentication, just a VendorID/ProductID pair: 2×16 bits that Windows uses for looking up the driver package to install. Programming a MCU to use any VendorID/ProductID is straightforward. A USB device could even appear innocuous at first but after a timer or external trigger disconnect and reconnect masquerading as another device.

1. https://arstechnica.com/information-technology/2021/08/need-...

not a usb programmer, but are you saying i can buy any old usb chip and program it with any vendors ID and spoof windows into giving me admin? if so, gj micrcosoft.

  • You could use any programmable microcontroller with a USB interface. Consumer products tend to have fuses set to they can't be programmed again.

    The latest driver registered with Microsoft for the product you're going to spoof would need to have a vulnerability to exploit. You can't supply any driver.

  • You can pretend to be any vid:pid with usb gadget mode. For example with a raspberry pi zero something.

    But you can't pretend to be any vendors id, only the ones with vulnerabilities. And the drivers or spyware will be downloaded by windows from the vendor's site, not from your peripheral.

    But yes, usb device identifier is done through software/firmware.

    • Oh, it's worse than that.

      A USB attack-widget isn't limited to just one VID:PID pair. It can present itself as as hub with as many VID:PIDs behind it as is useful. (This isn't new or exotic functionality; the very first USB thumb drive I ever owned did this as a built-in, maybe 20 years ago.)

      So, for instance: A single physical widget can present as a thing that makes Windows install vulnerable software, and as a keyboard that issues commands hook that vulnerability, and as a storage device that provides a payload, while also [or ultimately] appearing as the fully-functional device that the user actually intended to use.

      Game over.

      The end-user might see a brief flurry of stuff happening while this goes on, but that's no big deal: End-users are already accustomed to seeing that kind of thing when new hardware is introduced, and clicking whatever button it is that they're required to click in order to proceed.

  • You can also spoof a keyboard and simulate keystrokes to open terminals and run arbitrary commands. I don't know about Windows, but on Linux it's possible to block USB connections by default and filter them in userspace:

    https://usbguard.github.io/

    This allows enforcing rules like "never add an additional keyboard". But the USB protocol has no support for strong device authentication, so there's no way to prevent a device from acting like a malicious version of something in the device class you expected it to be without abandoning "plug and play" altogether (a reasonable solution in secure environments where unused ports are often physically blocked).

    • You can also spoof a keyboard and simulate keystrokes to open terminals and run arbitrary commands

      This is what any decent barcode reader does, by the way; and before USB, they would be inline taps that pass through a regular PS/2 keyboard.

  • I've heard so before: that USB is a massive security hole. At least in Windows; I don't know if other OSs are also vulnerable.

    Better to just never stick strange USB sticks in your computer.

  • You can "spoof" any system where you can load older drivers into giving you admin/root, you just need to find a vulnerable driver. Nothing Windows-specific in that.

    • Also, disabling drivers from windows update is enforceable with group policy (iirc).

      The BSDs have config, Linux can run without module support.