The threat on your desk: Building an evil USB-C dock (aurainfosec.io)
196 points by voxadam on March 11, 2023 | 100 comments



The author is right that USB-C docks can be used to hide malicious devices - but the same is true of any USB device. You could hide a Pi Zero in a mouse, keyboard, memory stick, or anything else that you can open up and access the USB headers. Scary - but also requires a higher level of physical access than other vectors such as phishing.


They also bundle a separate CPU inside the real CPU, and gave it full access over the system.

https://en.wikipedia.org/wiki/Intel_Management_Engine

https://en.wikipedia.org/wiki/AMD_Platform_Security_Processo...


This is just the tip of the iceberg. Turns out our operating systems are actually just sandboxed applications in the hardware manufacturer's proprietary hellscape. Not only are they not real operating systems anymore, they are no longer even in real control of pretty much anything.

https://youtu.be/36myc8wQhLo


Do ARM processors have a similar mechanism?

Edit: Yes, it's called TrustZone.

https://en.wikipedia.org/wiki/ARM_architecture_family#Securi...


ARM doesn't have a concept of anything like the management engine, but remember it's just an ISA and actual SoC implementations like from Qualcomm, Samsung, Apple, Amazon, etc. are free to add their own logic and side controllers.


Which I feel like Apple does do? When I turn my iPhone off, it says it’ll still be able to be found using find my phone…


That's different. It's a feature where Apple deliberately keeps some components running after shutdown, in a very low-power way, and provides an option to turn that off. Those components (the Bluetooth chip, for example) are all strictly separated from each other by IOMMUs.

Intel Management Engine is very different. It's basically another CPU within your real CPU, running its own software with no visibility to the main OS, and it has (AFAIK) full access to other components. If it's compromised, or has a factory backdoor, you're 0wned.

The closest thing to Intel IME that the iPhone has, is the baseband, which can run its own code. But if I'm reading marcan correctly (https://news.ycombinator.com/item?id=30393283), modern iPhones/Android phones all use IOMMUs to isolate that (with the exception of a few so-called "free/libre" phones). The IOMMUs can be easily inspected from the OS to make sure they're correct, so it's just not a concern, unlike IME.


The baseband doesn't have control over the application (main) processor the way IME does, however, and Apple is rightfully distrustful of Qualcomm's security and the two are fairly stringently separated. What a baseband (or WiFi controller) rootkit can do, however, is intercept all your network traffic, and inject exploits for software bugs in the main OS.


Thank you for this break down. I appreciate the distinction.


not the same at all. Trustzone is a special mode of the very same main CPU (more like intel's SMM), whereas PSP and ME are a separate core


More specifically, trustzone is the arm equivalent of Intel's (mostly deprecated) sgx.

https://en.m.wikipedia.org/wiki/Software_Guard_Extensions


Note that Apple M-chips don't have TrustZone or anything equivalent.


Are those CPUs documented enough so that we can be 100% sure of that?


How do we know that the foundry didn't insert anything Apple doesn't know about?


I would expect Apple’s quality control processes to pick this up. They’re so closely involved in the chip design process that it’s hard to imagine Apple’s engineers who are debugging wouldn’t notice something was amiss.

Not to mention the technical challenge of quickly understanding and editing Apple’s designs from the limited information that is shared with the foundry.


The device could be dormant until it gets a signal, meaning Apple won't find it unless they cut up the die. And they could attach it to anything that looks like a bus, then figure out how to exploit it later.


I love how people forget what this is for. that's "love" in sarcasm quotes, if it isn't clear.

this is for me when I want to enable virtualization on a user's laptop remotely, without sending a human to their desk or to their house to enter the bios password and to enable virtualization or do whatever else I need done in there.

this is how I ship a laptop from the manufacturer directly to an end user, at their home, and they unbox it, turn it on, log in, and the computer becomes a corporate-managed device. I don't have to fly someone out so they can set up the computer, or ship the computer to the office for configuration before it gets shipped again to the end user.

this is not a nefarious thing, nor is it a target for hackers, because there are far easier ways to trick someone into doing something which lets the hacker onto their system.


Neat, I'm glad you have the option of purchasing hardware with this feature. But please let me buy hardware without it.


well if you aren't in an enterprise it is unused and inactive

if you don't want to spend $0.10 on the feature in the chip, spend 100 billion times more than that to start a CPU fabrication company and license x86_64 so you can make your own CPU.

we can't have everything a la carte. it doesn't make sense.


Framing it as a $0.10 cost issue is disingenuous. It's not that I want to save $0.10, it's that I want hardware that specifically does not have that functionality. And I'm willing to spend more to get it; though not $10billion more.

And it's not that they'd have to re-tool their fabs to make it either; they're already set up to make non-ME systems for certain government buyers. Please let civilians buy those systems.


> nor is it a target for hackers

I think hackers will decide on this, not you. And at least acknowledge that IME/PSP seriously expands the attack surface of the hardware at a very low level, enabling new classes of exploits against which the OS has no defense.


So this is made for noble purposes so it must be no risk?

So is the internet. And a few other things. I do not feel your arguments particularly strong.

E.g. wouldn't this purpose a target for specially prepared external management dongles (similar like those hinted in the article but of course made professionally and with the noblest of noble system admin motives) that could be plugged in where and when corporate management is necessary to set up, then remove, send to the next computer if necessary? And not built into EVERY computer, from granny to the schoolboy so YOU could do something? This concept sounds like the key under the doormat kind of security. And you rely corporate systems on this.


“nor is it a target for hackers,” Most ignorant statement of the year.


yep all the hacks which have broken it sure have me proven wrong. gosh.

the thing isn't even capable of the devastating things you all fear. it's a minimal CPU (a slow 486 on Intel chips) with a minuscule web server which is off unless configured to be on and it can't read your disk or read RAM. all it can do is talk to hardware. it's how you configure the bios without rebooting at the console.



yeah I was saying that these are not always enabled on consumer devices and are protected by firewalls in most consumer and corporate situations by default.

you are smart enough to have firewalls in place, right? or are you so knowledgeable about security that you turn those off?

I see you linking to attempts and maybe some real vulns but even if they were exploited in the wild without local USB access, which I don't see in those links, firewalls would have prevented them.

physical access appears to be a requirement for those now-patched vulnerabilities, so while I was mistaken about a bit of this, my overall point stands. wow I guess you sure proved your side!

if you don't like this kind of thing in your CPUs, please feel free to start a CPU company and make your own stuff.


Bingo. One of the core competencies of a SysAdmin is thinking critically about security vs convenience.


oh we were playing bingo? no one told me


Be better at your job, and more knowledgeable in your opinions.

You literally got destroyed and that’s your comeback?


Good for you I guess but I sure as hell don't want no "corporate management" malware anywhere near my stuff let alone inside the chips where they can't be disabled. Please keep this crap fully isolated in your "corporate devices" so that we don't have to deal with it.


Why is there no easy way to disable it if I don’t need someone to tweak my non-corporate-managed laptop remotely?


It's true that we haven't got a remote exploit yet, or at least, it's not publicly known. And I agree that it can be useful, convenient even, for everyone involved. It does however give up a good amount of control, the end user's control over their own machine.

>this is not a nefarious thing

Hell is paved with good intentions. The intent is irrelevant. Every substance that we banned so far in agriculture were developed, and used with the intent of improving the crops. Yet, they turned out to be a net negative. We don't know the end game of the ME/PSP yet, but I'm not keen to participate, I'd gladly buy a CPU without it, and let other people find out.


Or they could pre-make a bunch of docks and swap them out at a coworking space or target office building. Easy enough to gain physical access to most offices. You could get a job with the cleaning crew.


They could order a bunch from amazon or newegg and then return them. It wouldn't be as targeted but it would still get some interesting results.


Slap the company's logo on it and mail 100 of them to the office.


I imagine this is how a lot of basic espionage already happens?


Even a simple charging cable can contain e.g. a HID chip while still working as a charging cable. I saw an unattended cable on a table at work once, I'm sure someone who needs one would've used it without second thought. But our employer is also sending fake phishing emails to make people aware, I wouldn't be surprised if they also plant devices like that.

...and if they don't I should propose it, sounds like a fun project. Leave a random cable or USB stick that just shows a warning that it could have been malicious. Or something that just opens up https://nyan.cat and sets the volume to max :D.


Do co-working spaces usually have shared peripherals besides docks?


I've seen monitors, keyboards, mice, network printers, wifi access.


Use the simplest USB dock with the least amount of ports for your specific use case. Simpler docks have less physical room and lower baseline power to hide malicious mods. e.g. this StarTech dock costs 50% less than one with ethernet. It can be used with a USB-ethernet adapter, which allows both the dock and ethernet adapter to be evaluated separately, https://www.amazon.com/gp/product/B09DGRJMYK/

We need crowdsourced behavioral fingerprints and open-source test suites for peripherals which may be subject to supply chain or shipment interdiction. Measure power consumption and response latency baselines, when idle and with reference workloads. Fingerprint units of the same model procured via multiple supply chains: brick & mortar, online, different couriers, new/used.

More generally, there is ongoing work for integrity verification of devices, including PCIe device authentication [1][2], USB device authentication [3] and SPDM for remote attestation between DICE-RoT and system firmware, before allowing a device to communicate with the system.

[1] PCIe component auth, https://pcisig.com/pcie®-component-authentication

[2] Intel PCI Express Device Security, https://www.intel.com/content/dam/www/public/us/en/documents...

[3] https://www.zdnet.com/article/usb-type-c-gets-authentication...

USB data blocker with transparent case for physical inspection: https://portablepowersupplies.co.uk/product/pure-usb-data-bl....

Do we need transparent docks?


Use your own dock, not someone else's if at all possible.

I don't think transparent docks would work because a serious enough actor can make it look and work like the real thing.


I bought one of these cheap no name USB-C cables that shows the current charging PD wattage on a tiny built in LCD. I have been using it for months to charge my Android phone and MacBook.

I recently bought a little used Yoga Thinkpad, I’m not really a Windows guy. On plugging just the cable into a USB port with nothing on the other end Windows made its little “device plugged in” ba-da-doop sound that Windows makes.

I didn’t see anything interesting in my quick scan of device manager but that single ba-da-doop stopped me from using my favorite cable cold turkey. I should investigate it further.


I bet it added a serial port (under Ports) that software can use to read the wattage.


That'd be wonderful and practical! Op, do you have a reference for your USB-C cable?


I use iStat Menus on macOS, and configure it such that it displays the MacBook power draw. It only works on Intel-based laptops; on the new ARM-based M1 MacBooks, that sensor is no longer available. Probably a security thing (rowhammer?).

Such a cable would be very useful but your comment makes me think twice...


On Linux you can use `lsusb` to get a cleaner list of all connected USB devices.


Let's say I buy a USB-C dock made by Sabrent or Anker.

Are there good reasons to believe they're safe, that the brands are trustworthy?

Are there good reasons to believe that the brand name that's printed on the case means it's actually made by that company?

How could anyone determine if it contains a keylogger, or an HDMI screen grabber, or a network sniffer, or a reverse shell, or a rootkit installer?


I don't think you can determine much, without looking into the actual device somehow, and being also knowledgeable to make sense of what you see.

Even with trusted brands, a malicious actor can attack the vendor. For example, one could order devices, tamper with them, and then send them back via returns. The vendor likely tests it a bit, and then repackages it and sells it as refurbished, or maybe even as a new one.

The fun thing is that the same is true with software. Looking at a source code is hard enough, even for experienced programmers, and then how do you verify a piece of software that you don't even have the source code to? And if you have the code, how do you verify that the software is made out of that code?

People basically just operate on trust, you can't verify much of the stuff. Just try to stick to entities with reputation, and hope for the best.


well, on this basis, you can't trust your actual pc, laptop or phone either, never mind a hub.

if you don't want to spend your entire life living in a faraday cage, there must be some level of trust.


Richard Stallman was right.


you have to trust him, as the author of emacs and gcc, if you use them. admittedly, they are foss software, but have you (or anyone) ever trawled thru either for loopholes? i know i haven't.


rms seemed as every bit the fanatic and extremist, but I knew, even entering college in 1989, that software (and hardware) freedom was endangered, and needed us to take extraordinary steps to preserve and expand it.


I deeply appreciate his work as the founder of the free software movement. Digital goods can be replicated for no cost, and this, combined with the spirit of free software really made for something special.


Yes, I do think that way, but of course it doesn't mean that I don't participate. I just consider it when it comes to choosing these things into my life.

I don't even think that most people need to think about this. It's enough that a few security minded people do, and that they end up pushing for good regulation. Similarly to food safety, we then end up in a system where you can go to most places and expect to not get food poisoning.


Getting that level of trust is the hardest part. If you don't mind losing performance, HEADS + Qubes OS try to get that on older thinkpads.


Go pick a random one from the store?


Did everyone forget the Snowden leaks?

The US government rerouted CISCO routers to a factory that tampered with them before sending them to their final destinations. There's no reason to believe this stopped or isn't still being done in similar ways. It doesn't have to be a USB-C dock, it could be anything.


We don’t talk about the Snowden leaks enough. It’s truly shocking what was in there and we’ve all uttered a collective “meh”. I don’t know what SHOULD be done, or could be done, but it’s odd how rarely that data is incorporated into popular perception of the government and how much rarer still it is that we discuss it and contemplate what has been taking place in the intervening years.


Between Snowden and the Vault 7 leaks, the latter ones seemed to me the most egregious. We don’t reflect on either enough.


These are targeted attacks by a nation state. That's not my threat model. I'm just trying to be reasonably secure against ordering a name brand device and having it exfil secrets.


Imho, there's a big difference between supply chain attacks on core Cisco routers vs USB hubs.

These attacks are not easy or cheap, and by their very nature need to be deployed in small % of total installs (as every use increases the likelihood of discovery).

Criminal organizations interested in ransoming details might be interested in casting a wide net, but intelligence services less so.


> Are there good reasons to believe they're safe, that the brands are trustworthy?

There are good reasons to believe Anker is not trustworthy [0].

[0]: https://arstechnica.com/gadgets/2022/11/eufys-no-clouds-came...


I can't quite wrap my head around this. Apparently they advertised a consumer device with remote access over the WWW as "No Clouds"? And the advertisement actually worked, as in, many "privacy-minded security camera buyers" believed that obvious bullshit?


"No clouds" is supposed to imply "this device isn't dependent upon a cloud-hosted service of some kind". i.e. data is either stored locally or sent to another device configured by the owner, and any remote access is direct over the internet instead of being mediated by a service like a lot of IoT devices use. It's not supposed to imply "no internet".

It's a solid niche IMO. I don't like buying devices that will effectively stop working if the manufacturer goes out of business or shuts down the services they're dependent upon. OTOH, there's generally a lot more effort required by the end user to get it working, so I completely understand why most manufacturers go with a service-mediated design.


Yep. I have a few of them, that I bought specifically because I fell for it. In fairness, they can be configured that way (as an RTSP streaming host that you can directly connect a client to to watch), but the rest of the cloud bullshit stays on unless you firewall it off manually.


It's hard to have any realistic basis for trust, absent maybe independent review. Even then companies have been known to significantly adjust components for the same SKU after the review cycle ends.

For Anker in particular, sadly there may be a reason _not_ to trust them. See the recent Anker-owned Eufy cloud camera scandal.


>Are there good reasons to believe they're safe, that the brands are trustworthy?

No. Sentimental values aren't an objective measure.

>Are there good reasons to believe that the brand name that's printed on the case means it's actually made by that company?

No. Most companies don't manufacture their products, in fact.

>How could anyone determine if it contains a keylogger, or an HDMI screen grabber, or a network sniffer, or a reverse shell, or a rootkit installer?

By having a sacrificial computer that tests every single piece of hardware and software before they are allowed access into your inner sanctum.


Supply chain management is a whole area of study. iPhones and ChromeOS are the only two devices I trust in the retail supply chain to be too difficult to be casually pwned but still boot. But even then, the evil maid attack doesn't have to fully subvert the booted OS to be useful. A device inside an up to date ChromeOS laptop could just record the keyboard keystrokes to an SD card to be retrieved later, which would get the evil maid your passwords. That's why you've got MFA but it's scary to think about!


These are normally used for targeted attacks. Unless someone is specifically after you such a device is usually safe. Sometimes the USB ID can be used to figure out the vendor but that could also be fake. You could determine something is odd by looking at what device comes up when it is connected. Does it come with drivers? A new network interface etc. Or by comparing the inside/firmware of a known good one with the model you have.


lsusb will tell you what it is pretending to be on a real os. Everyone else is hosed & hopeless.

Even still, it could be intercepting & mitm'ing your devices. There are some potential advanced games here. But without also having a network device to exfiltrate out on, it seems pointless. As soon as you have USB networking the risk skyrockets though.


That assumes it is constantly advertising itself. If it, say, reconfigured itself every hour for a couple of seconds, the odds of seeing it on any given lsusb are quite low.


Good call. That would be pretty suspicious unto itself, but would require different style monitoring... Watching udev I guess.
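
The monitoring idea raised in the comments above (a device that enumerates only briefly is easy to miss with a one-off `lsusb`), as an added example that is not part of the thread: it replays Linux kernel USB hotplug log lines and flags devices outside a known-good baseline, short-lived enumerations, and ports whose identity changes. The log lines, VID:PID values, baseline set and 10-second threshold are constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Line formats the Linux USB core writes to the kernel log on hotplug.
NEW_RE = re.compile(
    r"\[\s*(?P<ts>\d+\.\d+)\]\s+usb (?P<port>[\d\-.]+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})"
)
GONE_RE = re.compile(
    r"\[\s*(?P<ts>\d+\.\d+)\]\s+usb (?P<port>[\d\-.]+): USB disconnect"
)

@dataclass
class Finding:
    port: str                      # bus-port path, e.g. "3-1.4"
    device: str                    # "vid:pid" as reported by the device
    reason: str
    seconds: Optional[float] = None

def analyze(lines, baseline, min_dwell=10.0):
    """Flag enumerations that differ from what a known-good dock presents.

    baseline  : set of "vid:pid" strings recorded from a trusted unit
    min_dwell : enumerations shorter than this many seconds are 'transient'
    """
    live = {}      # port -> (device, connect timestamp)
    last_seen = {} # port -> last device identity seen on that port
    findings = []
    for line in lines:
        m = NEW_RE.search(line)
        if m:
            port, dev = m["port"], f"{m['vid']}:{m['pid']}"
            if dev not in baseline:
                findings.append(Finding(port, dev, "not-in-baseline"))
            # Heuristic: a port that comes back as something else deserves a
            # look, although swapping peripherals by hand also triggers it.
            if port in last_seen and last_seen[port] != dev:
                findings.append(Finding(port, dev, "identity-changed"))
            live[port] = (dev, float(m["ts"]))
            last_seen[port] = dev
            continue
        m = GONE_RE.search(line)
        if m and m["port"] in live:
            dev, t0 = live.pop(m["port"])
            dwell = float(m["ts"]) - t0
            if dwell < min_dwell:
                findings.append(
                    Finding(m["port"], dev, "transient", round(dwell, 3))
                )
    return findings

# Constructed sample: a dock hub and keyboard from the baseline, then an
# unknown device that appears for about two seconds, then the keyboard's
# port re-enumerating under a different identity.
BASELINE = {"1111:0001", "2222:0002"}
SAMPLE_LOG = """\
[  100.000000] usb 3-1: New USB device found, idVendor=1111, idProduct=0001, bcdDevice= 1.00
[  100.500000] usb 3-1.2: New USB device found, idVendor=2222, idProduct=0002, bcdDevice= 1.00
[ 3700.100000] usb 3-1.4: New USB device found, idVendor=dead, idProduct=beef, bcdDevice= 1.00
[ 3702.300000] usb 3-1.4: USB disconnect, device number 9
[ 7200.000000] usb 3-1.2: USB disconnect, device number 6
[ 7300.000000] usb 3-1.2: New USB device found, idVendor=3333, idProduct=0003, bcdDevice= 1.00
""".splitlines()

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG, BASELINE):
        print(f)
```

As noted elsewhere in the thread, VID:PID values are self-reported and can be faked, so this catches added or transient functions but not a device that presents exactly the expected identity.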


> How could anyone determine if it contains a keylogger, or an HDMI screen grabber, or a network sniffer, or a reverse shell, or a rootkit installer?

I like to think people that know their trade (electronics, etc) can figure this out; the absence of proof of there being things like keyloggers in these docks is enough for me. Same with the distrust of ZTE devices, has there been any conclusive evidence that there actually IS espionage or remote controls in there, or is it fearmongering to protect the US / western market?


You trust that brands wouldn't spend the money adding invisible hardware into consumer devices.


They indeed add invisible hardware. Many smartphones have a radio chip. It's hard to find a household appliance or consumer electronics without some Bluetooth chip. Can I listen to radio or connect an external speaker to them? Hell no...


Maybe I’m missing something but these USB attacks require interaction with kernel drivers so if you plug in a dock that then presents mysterious storage or HID functions, you’re going to know.


Does anything on your PC notify you about plugging in a keyboard? I know mine doesn’t, and it definitely doesn’t prompt me about whether to use it either. You could check what devices you have connected but I doubt many people would do that every single time they come to work.


Yeah, this is more of a UI problem that could be solved with a little effort. I would be concerned about a device that replaced the hub itself rather than simply adding a function. The core issue is that a system can always notify the user of newly connected devices (Windows seems to about half the time). But a malicious MCU emulating a hub and compromising or stealing data at the USB protocol level could appear exactly as expected. It could key log, inject, etc., undetected because it doesn’t have to interact with kernel drivers as anything other than the expected hub.


Macs warn you and require approval for any new USB device, including a keyboard, starting with macOS Ventura.


Unfortunately the dialog doesn't tell you what kind of device it is.


Isn't that only when using lockdown mode?


No, since Ventura I get these dialogs for all USB/Thunderbolt devices that I connect (except chargers I think?):

https://support.apple.com/en-bw/guide/mac-help/mchlf779ae93/...


On Linux, GNOME has some USB protections when USBGuard is installed.


MacOS has a pop up that tries to identify the keyboard layout. If this screen came up when I plugged something in that wasn’t a keyboard, I would assume the device was malicious.

It is probably possible to automate the keystrokes to quickly kill this screen though.


If I were a bad actor with the resources, I would dedicate more engineering effort to making the device subtle. It would try to remain invisible until a mouse/keyboard was plugged into the dock. The interceptor would then read that fingerprint and present that to the host OS, keeping the user unaware of the middleman.


My point is that no matter what you tell the OS, there will still be one more device connected than expected. If you plug in a keyboard and two are suddenly connected, it’s still very noticeable. This counting problem is occurring at the hardware level in the USB hubs and host. The attacker needs to compromise an external hub to behave like a USB protocol analyzer capable of intercepting and modifying data seamlessly in order for an attack like this to be anything other than trivially detectable. Fitting something like that into an existing enclosure means writing lots of low level code and embedded hardware design which is a different level of difficulty.


I was thinking more man-in-the-middle, not a sidecar device. Obviously more technically challenging to accomplish, but far harder to detect.


Sorry, I think I misunderstood your original comment - we’re having the same thought with MITM. Definitely more technically challenging but much harder to detect.


You could insert a device between the actual keyboard and the computer (man in the middle).


This is why I keep all the hardware I use at home or in my backpack. If I have to go to the bathroom, I will take my backpack with me when I'm not at home.


Has anyone ever been convicted and sent to jail (or at least fined) for creating a device that attacks other devices?


Floppy disks were just that - they couldn't be keyboards and dataloggers with transmitters, masquerading as disks.


And no autorun.exe


With all that space inside it would be interesting to try adding a mmwave presence detector. It could be extremely hard to detect if it only connects to the machine when nobody's nearby.


I thought it was odd that Google distributed security keys as swag at All Things Open.

I tossed mine in the trash. Odds that it was legit? 99.99%?

But it just seemed like a major oversight to just toss out USB devices en masse.


Realistically, you would have to open the device to determine whether or not it has been tampered with.

...or you could use something invented a century ago, called an X-ray machine.


Lemme pull out my pocket x-ray machine and examine every dock I plug my computer into. We all have one, right?


I was referring to companies who do this to hardware that crosses their trust boundaries, and I can safely say that those who care enough about this stuff will definitely do that.


I bought a pair of x-ray spectacles from a comic book for $1.50. I use them to inspect all my computer accessories.


Better is to have all your devices in a trusted place (or multiple) or with you all the time (in a backpack).



