Is there a way to prevent USB over ethernet from working?
This video shows an attack where attaching a USB device to a locked computer pretty much takes over all currently running browsers. The trick is that the USB device acts as Ethernet over USB, and a laptop will automatically attempt a connection to such a device.
My work computer has an actual ethernet port, and I almost exclusively use wifi. I do not foresee a need to use 4G dongles and the such. I could mitigate such an attack by merely preventing USB over ethernet from working in the first place. (The alternative mitigation suggested in the video, applying cement to my USB ports, doesn't sound quite so enticing. Additionally, it can be worked around with a docking station.)
How can I do this?
networking usb
Are you wanting to disable that particular type of usb device from working, or would all devices being disabled, work?
– bc2946088
Nov 17 '16 at 14:04
3
You could blacklist all the kernel modules for usb ethernet devices, I suppose. Really, this is a security bug in NetworkManager, and it should be fixed to not automatically bring up Ethernet connections, unless it is configured to do so for a specific interface.
– dobey
Nov 17 '16 at 15:38
2
What you are seeing in the video is not taking over the browsers. It is just bringing a general problem of the internet one hop nearer to you. Every internet connection is insecure if not secured by cryptographic routines. The device just intercepts the traffic as anybody in the same LAN could do without physical access to the machine. So, blocking USB network interfaces will just stop that particular demonstration from working and not solve the problem. To actually solve it the whole internet needs to be redesigned.
– Klaus D.
Dec 4 '16 at 5:41
You might want to pose this question on Security Stack Exchange
– Robert Riedl
Feb 9 '18 at 8:45
asked Nov 17 '16 at 13:47
badp
2 Answers
I think usbguard could be a good fit for you. Looking at device class ids, rules would be like:
block with-interface equals { 02:*:* }
block with-interface equals { 0A:*:* }
block with-interface equals { E0:*:* }
allow
Of course, you can also be more specific, build a whitelist instead, etc. You may also want to whitelist your Bluetooth device. The package has examples; there is also an applet.
A "pure udev" way may also exist.
edited Oct 18 '18 at 6:28
answered Oct 18 '18 at 6:18
Jacopo
I think the attack is not working anymore because the kernel assigns a lower priority to the USB ethernet interface.
So the system will continue to use your currently running interface, and not the newly plugged-in USB-to-ethernet one.
At least, the last time I tried, it worked like that. Just look at the output of ip route. The USB-to-ethernet interface will have a metric higher than the previous interface, so a lower priority.
So for this to work, the attacker has to unplug your ethernet cable or perform a deauth attack on your wifi interface.
edited Dec 4 '18 at 8:39
answered Dec 4 '18 at 8:17
solsTiCe
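The check this answer describes, as an added example that is not part of the original post: it reads the text of `ip route`, lists every default route by metric, and reports whether a given interface holds the winning (lowest-metric) default route. The sample routing table and the interface names (`wlp2s0`, `enx0050b6abcdef`) are constructed; the metric values any particular machine assigns depend on its network manager, so run it against your own `ip route` output.

```shell
#!/bin/sh
# Added example (not from the answer): determine which default route the
# kernel will actually use, so you can confirm that a freshly attached
# USB Ethernet interface lost to your existing uplink.
# The routing table below is constructed; interface names are hypothetical.

SAMPLE_ROUTES='default via 192.168.1.1 dev wlp2s0 proto dhcp metric 600
default via 10.0.0.1 dev enx0050b6abcdef proto dhcp metric 20100
10.0.0.0/24 dev enx0050b6abcdef proto kernel scope link src 10.0.0.7 metric 20100
192.168.1.0/24 dev wlp2s0 proto kernel scope link src 192.168.1.42 metric 600'

# Read `ip route` text on stdin; print "metric iface" for each default route,
# lowest metric first. A default route with no metric keyword counts as 0,
# which is how the kernel orders it.
list_default_routes() {
    awk '$1 == "default" {
        iface = ""; metric = 0
        for (i = 2; i <= NF; i++) {
            if ($i == "dev") iface = $(i + 1)
            if ($i == "metric") metric = $(i + 1)
        }
        if (iface != "") print metric, iface
    }' | sort -n
}

# Read `ip route` text on stdin; print the interface whose default route wins.
winning_default_iface() {
    list_default_routes | head -n 1 | awk '{ print $2 }'
}

# Succeed (exit 0) when interface $2 does NOT hold the winning default route
# in routing-table text $1, i.e. traffic keeps flowing over the old uplink.
usb_iface_loses() {
    routes="$1"; usb="$2"
    [ "$(printf '%s\n' "$routes" | winning_default_iface)" != "$usb" ]
}

# Stand-alone run against the constructed sample. For a live check, pipe the
# real table instead:  ip route | winning_default_iface
printf '%s\n' "$SAMPLE_ROUTES" | list_default_routes
if usb_iface_loses "$SAMPLE_ROUTES" enx0050b6abcdef; then
    echo "USB interface holds a lower-priority default route"
else
    echo "USB interface would carry outbound traffic"
fi
```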