Don't worry about those 40 Linux USB security holes. That's not a typo

Move along. Nothing to see here. By the way, try this flash drive in your laptop, ta


The Linux kernel USB subsystem has more holes than a donut shop. On Monday, Google security researcher Andrey Konovalov disclosed 14 Linux USB flaws found using syzkaller, a kernel fuzzing tool developed by another Google software engineer, Dmitry Vyukov.

That's just the tip of the iceberg. In an email to The Register, Konovalov said he asked for CVEs for another seven vulnerabilities on Tuesday, and noted there are something like 40 that have not been fixed or triaged.

Konovalov downplayed the risk posed by the flaws, based on the fact that physical access is a prerequisite to an attack. In other words, to exploit these vulnerabilities and potentially hijack a machine or infect it with spyware, you have to be be able to actually insert a malicious USB gadget into a Linux-powered system.

Still, there are plenty of these ports around – like on your Linux-powered in-flight entertainment unit on an airplane, and on your Linux-powered Android handheld and ChromeOS laptop.

"The impact is quite limited, all the bugs require physical access to trigger," said Konovalov. "Most of them are denial-of-service, except for a few that might be potentially exploitable to execute code in the kernel."

In an online discussion of the flaws, it was suggested that the WebUSB API might provide a way to take advantage of the bugs remotely, but Konovalov expressed skepticism.

"I might be wrong here, but as far as I understand, WebUSB API can be used by a web page to interact with a USB device (or USB device driver) from user space (which can potentially be used to exploit bugs in the kernel)," he said. "Those 14 bugs that I found are triggerable externally by connecting malicious USB devices, so in this case we attack the kernel kind of 'from the other side.' In theory it might be possible to exploit a vulnerability in a USB device itself, and then use the compromised device to externally trigger a kernel bug."

Nonetheless, such flaws are just the sort of thing hackers and other miscreants may appreciate were they looking to conduct dropped-drive attacks – leaving a booby-trapped gizmos in a parking lot, say – which happen to be rather more effective than they should be. ®

The CVEs so far...

Similar topics


Other stories you might like

  • AMD claims its GPUs beat Nvidia on performance per dollar
    * Terms, conditions, hardware specs and software may vary – a lot

    As a slowdown in PC sales brings down prices for graphics cards, AMD is hoping to win over the market's remaining buyers with a bold, new claim that its latest Radeon cards provide better performance for the dollar than Nvidia's most recent GeForce cards.

    In an image tweeted Monday by AMD's top gaming executive, the chip designer claims its lineup of Radeon RX 6000 cards provide better performance per dollar than competing ones from Nvidia, with all but two of the ten cards listed offering advantages in the double-digit percentages. AMD also claims to provide better performance for the power required by each card in all but two of the cards.

    Continue reading
  • Google opens the pod doors on Bay View campus
    A futuristic design won't make people want to come back – just ask Apple

    After nearly a decade of planning and five years of construction, Google is cutting the ribbon on its Bay View campus, the first that Google itself designed.

    The Bay View campus in Mountain View – slated to open this week – consists of two office buildings (one of which, Charleston East, is still under construction), 20 acres of open space, a 1,000-person event center and 240 short-term accommodations for Google employees. The search giant said the buildings at Bay View total 1.1 million square feet. For reference, that's less than half the size of Apple's spaceship. 

    The roofs on the two main buildings, which look like pavilions roofed in sails, were designed that way for a purpose: They're a network of 90,000 scale-like solar panels nicknamed "dragonscales" for their layout and shimmer. By scaling the tiles, Google said the design minimises damage from wind, rain and snow, and the sloped pavilion-like roof improves solar capture by adding additional curves in the roof. 

    Continue reading
  • Pentester pops open Tesla Model 3 using low-cost Bluetooth module
    Anything that uses proximity-based BLE is vulnerable, claim researchers

    Tesla Model 3 and Y owners, beware: the passive entry feature on your vehicle could potentially be hoodwinked by a relay attack, leading to the theft of the flash motor.

    Discovered and demonstrated by researchers at NCC Group, the technique involves relaying the Bluetooth Low Energy (BLE) signals from a smartphone that has been paired with a Tesla back to the vehicle. Far from simply unlocking the door, this hack lets a miscreant start the car and drive away, too.

    Essentially, what happens is this: the paired smartphone should be physically close by the Tesla to unlock it. NCC's technique involves one gadget near the paired phone, and another gadget near the car. The phone-side gadget relays signals from the phone to the car-side gadget, which forwards them to the vehicle to unlock and start it. This shouldn't normally happen because the phone and car are so far apart. The car has a defense mechanism – based on measuring transmission latency to detect that a paired device is too far away – that ideally prevents relayed signals from working, though this can be defeated by simply cutting the latency of the relay process.

    Continue reading

Biting the hand that feeds IT © 1998–2022