[Zenst]

Would it also not be possible to measure power draw upon the device and with that, add another metric to device profiling. So if you have say a keyboard that uses 200ma power and then suddenly a device that has the same ID's is plugged in and uses 500ma of power, that would trigger a flag.

[Ajedi32]

Good idea. Though that can also be bypassed rather easily by including a small battery in the malicious device and only drawing the expected amount of power from the USB connection itself.

The real solution needs to be some sort of standardized auth system, where devices are identified by a public key rather than a static serial number. In the absence of that though, I think whitelisting serial numbers is the next best thing. It'll slow down attacks at least, and open the door for future improvements to the system.

[rasz]

Currently deployed hardware has no ability to measure that.

[Zenst]

Yes it does: lsusb -v upon linux shows exactly that information. Not sure upon windows flavours of doing that beyond gui digging some properties, but the values are in there.

[rasz]

Sadly the number you are thinking about is self reported by the device - it is required by the spec to report its bMaxPower in USB Configuration Descriptor. This field is merely a convenience and a promise. http://dangerousprototypes.com/docs/Designing_USB_Devices_fo...

[Zenst]

Aha, my humble apologies for my confusions, appreciate being educated. I learned something today, thank you.