i learned to my displeasure that thick manuals are sometimes distributed with products as USB sticks these days, i immediately thought of this when i opened up an inverter box and saw a USB stick sitting there
I understand that not sticking USB sticks into sensitive systems is the prudent conservative security choice.
The “silly users picking up USB sticks dropped in the parking lot” is a basically a security trope nowadays. But I feel there should be some blame associated with our operating systems too. Like why is this an axiom that if you use an untrusted USB stick you are going to get eaten by the Grue?
If an Os would say “sorry bad people got into your network, your computer is now owned by them” that would be an unacceptable security vulnerability, why is the equivalent accepted as a fact of life with “bad usb sticks”?
I understand the OS cant do much with a usb device which burns out the motherboard with an electric shock. But there is a whole set of other things it should reasonably protect itself from.
I was thinking about that. What the OS could do is to ask for confirmation on the second keyboard. It could be something as simple as “Looks like you connected a secondary keyboard. Please type in the following random 3 numbers before it becomes active.”
If on boot it finds two keyboards it can do the same with both.
Appearently the os can't differentiate between any USB devices.
I saw a great video years ago (which I haven't been able to locate for years) that went into detail as to how you can basically make a custom usb device arbitrarily malicious. The trick that sounded particularly good was that you can impersonate a usb device that requests a driver that has a known security vulnerability.
Yep, the issue is that the host OS has no way to verify the identity of the USB device. It has to believe whatever the device claims. Something that looks like a charging cable might actually "be" a 1990s-era Wacom tablet with crappy drivers, which also charges your phone.
The only protection is to restrict what types of devices are allowed to connect. The kernel is not obligated to recognize any device that you attach (though of course most users will expect it to do so!). And of course some host OSes make such restrictions difficult or impossible.
It's more of a systemic problem. We don't have this problem with bluetooth or wifi because it uses encryption and individual keys. But usb is unencrypted with no secure identification mechanism.
Some home broadband routers have a NAS-like ability to mount USB sticks as a SAMBA share - I use a spare one for iffy sticks on the assumption they’re unlikely to come ready to compromise some random non-PC embedded OS.
