[hunter2_]

Regarding rogue client devices: Suppose it's not just storage and instead is something additional, like a device for which the host will decide (without autorun.ini in this case) to install drivers, or interact in some other capacity along those lines. Can this automatically cause arbitrary code execution? I would not consider code supplied through official OS channels ("let windows search for a driver online" type of stuff) to be arbitrary, because those repositories ought to be trusted as not containing malware. Rather, by arbitrary I mean the USB device supplies the payload or supplies a URL that the OS requests, and then the OS automatically executes that. I've never heard of such a thing, but it's conceivable... source?

Regarding rogue host devices (not just a power port): I agree 100%, these are dangerous. Luckily a typical USB port on a Windows computer can only interact with client devices, not host devices, as far as I'm aware. The inverse of OTG doesn't seem like it would exist.

[rcxdude]

The most obvious rogue client device exploit is to pretend to be a mouse and/or keyboard, which on most devices will allow you to execute arbitrary code trivially, though not completely stealthily. "USB rubber ducky" is one such device available to consumers now. As for exploiting drivers: while the software might be 'trusted', I highly doubt that it is all actually secure. Emulating a USB device with a low-quality driver and then exploiting that driver by violating its assumptions about the hardware its expected to be talking to is a rich field of potential exploits (even on linux, there's vast swaths of low-quality driver code which has nowhere near the hardening of the network stack).

[marcosdumay]

> Can this automatically cause arbitrary code execution?

USB has capability to launch any arbitrary code that the user itself could without inputting any secret.

On anything that isn't the best protected Linux GUI (better protected than the configurations that everybody use), this is enough to install a keylogger on your environment and sniff any secret that it's lacking (but root/administrator rights are overrated anyway).

There has been some work on restricting USB so that it can't initiate anything. But that brings extreme usability problems, so it's very rare for people to do it in practice.