Secure USB - Preventing Hacking over USB

Really would like to see a real security hw module implemented to prevent malicious USB devices. Ideally really would be interesting to have USB ports with ON/OFF switchable both dataline/power options, or datablockers.

Would it be possible to have such a secured USB module shipped by default?

2 Likes

+1 great idea to implement a data blocker as an expansion card.

2 Likes

These devices only provide charging. I’m sorry but if you want to charge a device that you really don’t trust maybe don’t use your expensive laptop as a dumb charger? Use an AC adapter or power bank.

3 Likes

Does USB-PD not use these lines? At that point just use a barrel jack.

It is the other way. It is so you can charge the laptop from a source you do not trust.

Yes, they do. You can find devices that block all data except the PD messages.

Really you don’t need to worry about juice jacking if you’re a normal person with a normal threat model / not a target of nation-state & not executive of corporation with seriously valuable trade secrets.

Ars also goes into why this fear mongering is suddenly in the news again. Also: "There are no documented cases of juice jacking ever taking place in the wild."
If you’re still worried, there are plenty of sellers of USB condoms that are happy to take your money. Just buy one of them? There isn’t really a need for Framework to make a limited charge-only expansion card for a threat that has never been documented as actually taking place in the real world.

The OP has a link to USB-A devices.

For charging the Framework laptop itself you would be using USB-C with a PD charger capable of higher wattage. USB-C PD is negotiated over the CC line. I haven’t tried it, but you might not even need the data lines at all. Easy to test if you wish using a spare USB-C cable. Just slit the side of the cable’s jacket and cut the USB2 data lines; they are normally green and white twisted together. The high speed data lines are unlikely to be involved, you can leave them. If a USB-C PD device charges from the cable then the CC line is the only thing you need. You could then create a “secure” USB-C PD expansion card by opening one up & cutting all the data line traces with an exacto knife. Just leave power and CC.

Btw, don’t google “USB killer”. Another threat you’ll never run into that even a standard USB condom won’t protect you from.

1 Like

To be completely honest, the best way against that stuff is to just not plug in things you don’t trust.

The next best would be to require authentication for attaching USB devices, which is what I plan to do. It seems to be quite easy on Linux but I haven’t gotten around to trying that yet: Authorizing (or not) your USB devices to connect to the system — The Linux Kernel documentation

Threat model-wise, it is mostly 1. you found something random and you plug it in, or 2. someone plugged something into your computer.
In case 1, don’t be stupid and, if you have to, use some device you don’t care about.
In case 2, you really have a more serious problem than what you are trying to prevent, and it does not stop the attacker from just using the inner USB-C port. Don’t forget the Framework input cover can be swapped and nobody is stopping someone from putting something malicious in place of an expansion card that looks the same as the original. Tbh that is more concerning, since I am working on an rp2040 expansion card which can be easily programmed to do HID injection; it will cost <$20 ea if I make 10 of them.

1 Like
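An added example, not part of any post in this thread: a sketch of the kernel USB authorization interface linked in the post above, using the `authorized_default` and per-device `authorized` files in sysfs. The function names, the `USB_SYSFS` override and the allowlist format are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). USB_SYSFS can point at a constructed
# tree for a dry run; the real interface is /sys/bus/usb/devices (needs root).
USB_SYSFS="${USB_SYSFS:-/sys/bus/usb/devices}"

# Step 1: devices plugged in from now on start deauthorized on every controller.
lock_new_devices() {
    for hub in "$USB_SYSFS"/usb*; do
        [ -w "$hub/authorized_default" ] && echo 0 > "$hub/authorized_default"
    done
    return 0
}

# Print "name vendor:product" for each device entry (interfaces "1-2:1.0" skipped).
list_devices() {
    for dev in "$USB_SYSFS"/[0-9]*; do
        name="${dev##*/}"
        case "$name" in *:*) continue ;; esac
        [ -r "$dev/idVendor" ] || continue
        echo "$name $(cat "$dev/idVendor"):$(cat "$dev/idProduct")"
    done
}

# Succeeds if an interface of device $1 reports class 03 (HID: keyboard, mouse).
has_hid_interface() {
    for intf in "$USB_SYSFS/$1":*; do
        [ -r "$intf/bInterfaceClass" ] || continue
        [ "$(cat "$intf/bInterfaceClass")" = "03" ] && return 0
    done
    return 1
}

# Step 2: apply the space-separated vendor:product allowlist in $1. Listed
# devices are authorized; every other device is deauthorized and printed, tagged
# "hid" if it exposed an HID interface (checked first, because the interface
# entries go away once the device is deauthorized). A device can claim any
# vendor:product, so this stops unexpected devices, not a clone of an allowed one.
enforce_allowlist() {
    list_devices | while read -r name id; do
        case " $1 " in
            *" $id "*) echo 1 > "$USB_SYSFS/$name/authorized" ;;
            *)  kind=other
                has_hid_interface "$name" && kind=hid
                echo 0 > "$USB_SYSFS/$name/authorized"
                echo "blocked $name $id $kind" ;;
        esac
    done
}
```

Run `list_devices` first and put every built-in device (internal hubs, webcam, fingerprint reader) on the allowlist, since `enforce_allowlist` deauthorizes everything it does not recognise.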

Oh boy, somehow I forgot about that. A malicious expansion card would be interesting to see. But, as fans of Framework, also not something you want to see. Could use a USB-C or USB-A expansion card, which is something most people are likely to have in their Framework. Keep the original shell so it looks 100% legit. Pass through the USB-C or USB-A so it still works as a real one would. But again you have to consider that the average user just isn’t a valuable enough target to warrant the skill & effort needed to make a malicious module that has the ability to act silently and do something truly worthwhile.

1 Like

I know right.
In my opinion Framework is the best platform to make a super secure laptop, but it definitely isn’t that out of the box.

For instance, if I were to make Framework physically secure, I would add cryptographic chips to the modules and require authentication to enable the USB-C port underneath when a module is detached, possibly adding intrusion detection to the modules themselves through metallic layers.

The chassis intrusion detection switch that is used to alert people the laptop is on when opening it can definitely be configured to wipe all data in RAM and TPM, which Framework has, effectively erasing all meaningful data if disk encryption is used with TPM. And more sensors such as light and temperature can be added to protect against other attacks.

All these can make repairing the laptop a nightmare, which is why Framework won’t do it. But the beauty of Framework is that it is so well documented that you can do most if not everything yourself.

2 Likes

There is also hdmi, displayport, ethernet… adaptors, and yet the modules were done. Not sure why you guys are so up in arms about it. It does not even have to be Framework, it could be done by a third party, for people interested in it. It is a good idea.

1 Like

PortaPow makes a dongle that does this for $6, however according to the reviews it doesn’t support PD, which is odd.
Even if you need a microcontroller to forward the PD messages this would be a pretty easy thing to make.
At some point the paranoia might escalate to distrust of Intel Management Engine and the purchase of an MNT Reform though.
Side note: I myself have the USB-A blocker, but every time I’ve needed to charge any kind of USB device since purchase I’ve had a trustworthy charger and cable with me too.

I have a couple of USB data blocker plugs but I only use them for ports that are powering a DAC.

Don’t leave your computer in a place you don’t trust.

I suppose that depends on what you are defending against. As PD negotiation involves bidirectional communication, if the intention is to defend against an attacker able to exploit flaws/backdoors in PD implementations themselves, then it would be very difficult to make a secure device, and arguably impossible to do so perfectly. And, of course, none of these devices secure against the much more common risk, especially with PD, of the wrong voltage being provided.

However, I think there could be a place for a device like this that would make PD reasonably secure against typical (show up as keyboard / mass storage) USB attacks, and poor power implementations. It could reasonably interpret and translate PD negotiation with a well written, tested, and verified firmware, so that it would appear consistent to the end device, and could implement strong protection, even if sacrificial, against wrong voltages.

If you’re using Linux, this is a good solution: https://usbguard.github.io/. It blocks unknown USB devices on the kernel level.

1 Like