Technical Details for the Curious

robertfisk edited this page May 24, 2018 · 6 revisions

The USG contains two STM32F4 microprocessors communicating over a high-speed serial link. This internal link forms a firewall barrier that effectively blocks malicious USB commands from reaching your computer.

Why is USB insecure?

Your computer automatically trusts every device you plug into it. But every USB device is actually a small embedded computer (microprocessor) that runs software you cannot control. There are three ways a BadUSB device can attack your computer:

Type 1 Attacks: USB Driver Exploits

USB driver exploits work by sending malformed or unexpected input to your computer's USB drivers. Your computer likely has hundreds of USB device drivers installed, and a programming error in any one of them leaves you exposed.

How the USG protects you: The USG blocks these attacks by passing data through an internal serial link with a very simple protocol. Only a limited number of safe commands are accepted by the receiving microprocessor, so no malformed or unexpected data is transmitted to your computer. This effectively blocks USB driver exploits.

Type 2 Attacks: Hidden Evil Functionality

What appears to be a single USB device can actually contain more than one function. The hidden function can perform any action allowed by the USB standard, including executing system commands or intercepting network traffic. Only 100% legitimate USB commands are used, so you can't defend against this by fixing driver bugs. But the USG, being a hardware device, can enforce rules designed to block hidden USB functionality:

  • Only one device attached at a time: By supporting only one attached device, we eliminate attacks that use a hidden device to perform unexpected actions.

  • No run-time device class changes: Once a USB device is enumerated through the USG, it cannot re-enumerate itself as a different device class until power is removed and reapplied to the USG. This stops attacks where a device unexpectedly changes its functionality to perform malicious actions.

Type 3 Attacks: Evil Functionality in Plain Sight

In a Type 3 attack, the attached device abuses its position of trust even while performing the function you want. This attack involves no malformed or unusual commands, so it is the most difficult to defend against. For example, a malicious keyboard may enter commands to install malware while you are away from the computer. Or a malicious flash drive may insert viruses into files on the fly as they are read by the host computer.

How the USG protects you: USG firmware version r04 includes an HID 'bot detect' feature that monitors attached keyboards and mice for malicious input. If the input looks too much like a bot (insufficiently random) then the USG will temporarily lock for 4 seconds and you will see a red LED double-flash every second. Repeated bot detection will cause a permanent lock.
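The lock behaviour described above can be sketched in C as follows. This is an added example, not the USG firmware's code: the detection heuristic (spread of recent inter-key intervals), the window size, the spread threshold and the number of detections before a permanent lock are assumptions, and only the 4-second temporary lock comes from this page.

```c
#include <stdbool.h>
#include <stdint.h>

#define WINDOW          8     /* intervals examined per decision (assumed) */
#define MIN_SPREAD_MS   15    /* max-min gap below this looks scripted (assumed) */
#define TEMP_LOCK_MS    4000  /* from the page: temporary lock lasts 4 seconds */
#define PERMANENT_AFTER 3     /* detections before permanent lock (assumed) */

typedef enum { HID_PASS, HID_TEMP_LOCKED, HID_PERM_LOCKED } hid_verdict;
typedef struct {
    uint32_t last_ms, lock_until_ms, gaps[WINDOW];
    unsigned count, detections;   /* gaps collected; bot detections so far */
    bool have_last, temp_locked, permanent;
} bot_detect;

/* Call once per key-down report; now_ms is a monotonic millisecond tick. */
hid_verdict bot_detect_key(bot_detect *d, uint32_t now_ms)
{
    if (d->permanent) return HID_PERM_LOCKED;
    if (d->temp_locked) {
        if ((int32_t)(now_ms - d->lock_until_ms) < 0) return HID_TEMP_LOCKED;
        d->temp_locked = false;                    /* lock expired, resume sampling */
    }
    if (d->have_last) d->gaps[d->count++ % WINDOW] = now_ms - d->last_ms;
    d->last_ms = now_ms;
    d->have_last = true;
    if (d->count < WINDOW) return HID_PASS;        /* not enough samples yet */
    uint32_t lo = d->gaps[0], hi = d->gaps[0];
    for (unsigned i = 1; i < WINDOW; i++) {
        if (d->gaps[i] < lo) lo = d->gaps[i];
        if (d->gaps[i] > hi) hi = d->gaps[i];
    }
    if (hi - lo >= MIN_SPREAD_MS) return HID_PASS; /* human-like jitter */
    d->count = 0; d->have_last = false;            /* fresh window after a detection */
    if (++d->detections >= PERMANENT_AFTER) { d->permanent = true; return HID_PERM_LOCKED; }
    d->temp_locked = true;
    d->lock_until_ms = now_ms + TEMP_LOCK_MS;
    return HID_TEMP_LOCKED;
}

/* Constructed sample timings (ms between key-downs), not captured data. */
const uint32_t HUMAN_GAPS[8] = {112, 87, 140, 95, 203, 76, 131, 158};
const uint32_t SCRIPT_GAPS[1] = {10};
/* Feed n key-downs spaced by gaps[i % period]; returns the last verdict. */
hid_verdict bot_detect_feed(bot_detect *d, uint32_t *t, const uint32_t *gaps, unsigned period, unsigned n)
{
    hid_verdict v = HID_PASS;
    for (unsigned i = 0; i < n; i++) { *t += gaps[i % period]; v = bot_detect_key(d, *t); }
    return v;
}
```

Input received while a lock is active is dropped rather than sampled, so a script cannot shorten the lock by continuing to type.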

Protection against a type 3 malicious flash drive can be achieved by encrypting the user's data on-the-fly before it reaches the flash drive. This feature may be added to a future version of the USG's firmware.