Hacker News new | ask | show | jobs
by T3OU-736 2491 days ago
If the USB device can proffer a spoofed ID, there is no auth a-la PKI. Maybe there is a USB controller where it is possible to turn off the data lanes and only keep the power ones active, but short of that, USBGuard had to trust the ID of the device. Raspberry Pi Zero's USB controller, AFAIK, had the ability to present itself as a target, so that seems like a quick experiment.
1 comments
rkagerer 2491 days ago
Thanks! One benefit of the approach I envisioned above is that even a perfect imposter would be restricted to the access rights I granted the original device.
link
T3OU-736 2491 days ago
Take a look at USB Rubber Ducky or similar device(s). HackADay [1] [2] has a couple of write-ups about it and some associated tools.

[1]https://hackaday.com/2019/02/12/a-malicious-wifi-backdoor-in...

[2]https://hackaday.com/2014/10/05/badusb-means-were-all-screwe...

link