[Cryptography] You can't trust any of your hardware

Natanael natanael.l at gmail.com
Tue Aug 5 04:23:02 EDT 2014


On 4 Aug 2014 19:33, "Bear" <bear at sonic.net> wrote:
>
> On Sun, 2014-08-03 at 22:28 -0400, Jerry Leichter wrote:
>
> > USB memory
> > sticks are extremely cheap and produced in the hundreds of millions.
> > No one thinks of them as active devices.  And yet ... they are.  They
> > contain significant processing power running non-trivial code - and
> > that code can be replaced.

[... ]

> Meanwhile, can anybody come up with the firmware for an update-
> blocking USB hub?  I have a feeling that when somebody finally
> gets around to wanting one, they'll want it yesterday.

Others have mentioned the idea of a USB firewall before. Now I'm thinking
of taking an FPGA and programming it to work as a USB hub, but filtering
out anything not following a predefined set of protocols (USB HID with
limitation to keyboard keys & mouse input, etc).

You could even go further and perform fingerprinting on your whitelisted
devices and refuse anything not exactly matching the fingerprint (timing,
behavior, etc). Potentially you could then be able to reject other devices
of the same model (if the variance is measurable) or anything with modified
firmware.

There are already FPGA circuit designs that copy a full computer (although
using relatively simple circuits as you'd need a huge FPGA to copy an Intel
i7 with motherboard), with an open source CPU design and USB hub, etc. One
could start from there to create something that can do USB filtering
(although this approach would add latency, potentially noticeable; a more
integrated approach would perform better but is more complex).
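
A software sketch of the protocol whitelist described in the message above, as an added example that is not part of the original post: it walks a USB configuration descriptor and admits the device only if every interface is a HID boot keyboard or mouse, failing closed on malformed descriptors. The function names, the whitelist contents and the two sample descriptors are assumptions constructed for illustration.

```python
import struct

DT_CONFIG, DT_INTERFACE = 0x02, 0x04
# Assumed policy: (bInterfaceClass, bInterfaceSubClass, bInterfaceProtocol)
ALLOWED = {
    (0x03, 0x01, 0x01),  # HID, boot subclass, keyboard
    (0x03, 0x01, 0x02),  # HID, boot subclass, mouse
}

def interfaces(config: bytes):
    """Yield (class, subclass, protocol) per interface; ValueError if malformed."""
    if len(config) < 9 or config[1] != DT_CONFIG:
        raise ValueError("not a configuration descriptor")
    (total,) = struct.unpack_from("<H", config, 2)  # wTotalLength
    if total != len(config):
        raise ValueError("wTotalLength mismatch")
    off = 0
    while off < total:
        blen = config[off]  # bLength of the current descriptor
        if blen < 2 or off + blen > total:
            raise ValueError("bad bLength")
        if config[off + 1] == DT_INTERFACE:
            if blen < 9:
                raise ValueError("short interface descriptor")
            yield tuple(config[off + 5:off + 8])
        off += blen

def allow_device(config: bytes) -> bool:
    """Fail closed: at least one interface, and all of them whitelisted."""
    try:
        found = list(interfaces(config))
    except ValueError:
        return False
    return bool(found) and all(i in ALLOWED for i in found)

# Constructed sample: a plain boot keyboard (config, interface, HID, endpoint).
KEYBOARD = bytes.fromhex(
    "09022200010100a032" "090400000103010100"
    "092111010001223f00" "0705810308000a")
# Constructed sample: the same keyboard plus a mass-storage interface.
COMPOSITE = bytes.fromhex(
    "09023900020100a032" "090400000103010100"
    "092111010001223f00" "0705810308000a"
    "090401000208065000" "07058202000200" "07050202000200")

if __name__ == "__main__":
    print(allow_device(KEYBOARD), allow_device(COMPOSITE))
```

This checks only what the device declares about itself; a device with modified firmware that enumerates as an ordinary keyboard passes it, which is the gap the fingerprinting idea in the message is aimed at.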