Sure, you can fix it so devices don't appear as unauthorized keyboards... you still leave yourself open to a near infinite number of other attacks. What stops me from creating a USB device that appears as a storage medium, yet contains a transmitter which slowly exfiltrates any data written? What about a USB-powered microphone or camera posing as a flash drive? Hell, it would be of great value to just have an software defined radio which could execute arbitrary bluetooth and WiFi attacks while allowing remote control via RF.
Am I the only one old enough to remember 'disk bombs' from the 90s where you filled 3.5" floppies with paste made from strike anywhere match heads so when the disk spun up it melted? You could do similar things with a USB stick. You could have a high voltage converter which fries your PC the second you plug it in.
Basically, it is always a bad idea to plug in unknown peripherals to your computers. The OS isn't going to save you in all cases.
I suspect you're arguing from the point of view of a determined attacker against a specific target, in which case, I agree -- there's an infinite number of different attacks you can try, with the caveat that any failed attempt is possibly going to tip your target off and make them up their opsec game, becoming a much more difficult target.
I took the OP to be talking more about general case. Random people plugging into a public recharge station, using (shady) Amazon/Ebay USB drives, plugging in a "found" USB stick, etc. The OS can at least help thwart simple attacks here.
In the worst case, the device contains a GSM modem which is powered by USB but otherwise only appears to the host as a USB drive -- and if you can get the target to write useful data to it, I guess you have something? That's an awfully expensive attack that I would assume has relatively low chance of yielding something useful. (Unless maybe you market it as a "secure cryptocurrency wallet", and hope you can sell enough to people that then put on enough cryptocurrency to make up for the significant manufacturing expensive which you're able to steal before anyone notices there's a modem in it and sounds the alarm..)
> You could do similar things with a USB stick. You could have a high voltage converter which fries your PC the second you plug it in.
While being obnoxious and causing one (random?) person some money (presumably they will destroy or throw out this USB drive aftward), it doesn't really get you anything. There's many other cheaper ways to destroy someone's computer, as there are many other things you can destroy to cause a person expense and/or inconvenience.
> Basically, it is always a bad idea to plug in unknown peripherals to your computers. The OS isn't going to save you in all cases.
100% agree, but that doesn't mean it shouldn't try at all.
> I suspect you're arguing from the point of view of a determined attacker against a specific target
Not necessarily a specific target(although maybe in a sense). If I were, say, the Chinese intelligence apparatus, I'd be sprinkling exfiltration devices around D.C., military bases, and defense contractor offices(especially the small ones, who don't always seem to have their shit together).
You can fit a lot of smarts in a small form factor these days. I could, with the budget of an intelligence agency, cheaply mass produce USB storage controllers which only activate when specific files of interest(say, OrCAD schematics, or source code) are saved to the device. I could sprinkle them around, or even just strongarm one of my country's manufacturers so that the bug goes into wide distribution. Now I use sniffer vans, like were used to execute the Tempest attacks against military bases in the 80s, to find my beacons and exfiltrate.
GSM modems might be expensive, although it would be a great way to get data out. You could also add GPS and use a small geofencing database to activate when you're within a target radius.
Keep in mind this is just the musings of a bored idiot(me). I suspect an intelligence agency could find more useful things to do with a USB stick.
>Am I the only one old enough to remember 'disk bombs' from the 90s where you filled 3.5" floppies with paste made from strike anywhere match heads so when the disk spun up it melted?
Damn dude that really worked? I remember reading about it in the anarchist cookbook but didn't go through with the effort after getting thoroughly punked re: smoking banana peels and trying out pressure points on older kids
> 1. Obtain 15 lb. of ripe yellow bananas. 2. Peel the bananas and eat the fruit. Save the skins. 3. With a sharp knife, scrape off the insides of the skins and save the scraped material. 4. Put all scraped material in a large pot and add water. Boil for three to four hours until it has attained a solid paste consistency. 5. Spread this paste on cookie sheets and dry it in an oven for about 20-30 minutes. This will result in a fine black powder (bananadine). Usually one will feel the effects of bananadine after smoking three or four cigarettes.
It just made a little fire, it didn't "explode". It would melt your floppy drive and make it useless but wouldn't come close to doing enough damage to hurt anyone unless they had their face a few inches from the front of the PC.
I'm guessing that there are plenty of things that would fit in the floppy and cause serious damage. Mercury fulminate maybe, or ammonium triiodide(?), assuming they didn't just self-detonate.
> USB device that appears as a storage medium, yet contains a transmitter which slowly exfiltrates any data written
I won't copy my data on unknown device. Mics and cameras trigger prompts in MacOS. The keyboard device on the other hand, can be used for 5 seconds walk by attack, running install scripts (Bad USB) attack.
You won't, but many people will. They'll plug it in, figure the device is fine, and begin to trust it.
Mics and cameras trigger prompts if they present themselves as USB devices. I'm saying they do not need to do that. They can draw power from the port and send captured data out wirelessly.
That's assuming it presents itself as a mic or camera. What's to say it can't have the hardware embedded in the device but not present it to the host machine? Then any exfiltration technique can get a direct look into audio/video of the area.
That's different. Car crashes are unpreventable, unexpected events that we can prepare for. Plugging random USB stick into your computer is preventable, and adding these safety features may cause people to think it is safe to plug in random USB sticks into their computer.
Most car crashes are extremely preventable. Do some people not drive more dangerously because they believe themselves to be safe because of things like seat belts?
You are so right.
I never understood the prevalent idea that traffic accidents are somehow random rolls of the dice. Seemingly the vast majority of them are not. Adjust your speed, not too fast, not too slow; stay focused on road, mirrors, and other traffic; keep your distance; don't be drunk; don't fall asleep; know and follow the rules, and you will hugely reduce your risk of harm.
> I never understood the prevalent idea that traffic accidents are somehow random rolls of the dice.
It's pushed by the auto manufacturers and insurance companies to normalize driving and make you pay for more expensive safety features. If people drive irresponsibly enough to wreck their cars, but not enough to kill themselves (modulo the safety level of their car), they buy more cars and spend more money on car insurance.
Am I the only one old enough to remember 'disk bombs' from the 90s where you filled 3.5" floppies with paste made from strike anywhere match heads so when the disk spun up it melted? You could do similar things with a USB stick. You could have a high voltage converter which fries your PC the second you plug it in.
Basically, it is always a bad idea to plug in unknown peripherals to your computers. The OS isn't going to save you in all cases.