Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Google Security

Chrome OS To Block USB Access While the Screen is Locked (zdnet.com) 91

Google will add a new security feature to Chrome OS, the company's web-based operating system that powers its Chromebooks devices, it announced this week. From a report: The new feature, named USBGuard, will block access to the USB port access while the device's screen is locked. According to a Chrome OS source code commit spotted by Chrome Story earlier this week, the new feature is currently available in Chrome OS Canary builds and is expected to land in the stable branch of Chrome OS soon. Once this happens, users can enable it by modifying the following Chrome OS flag: chrome://flags/#enable-usbguard . The way this security feature is meant to work is by preventing the operating system from reading or executing any code when a USB-based device is plugged in, and the screen is locked.
This discussion has been archived. No new comments can be posted.

Chrome OS To Block USB Access While the Screen is Locked

Comments Filter:
  • At least, as Mass Storage Devices is concerned.

    If you insert a mass storage device in a mac while locked, it will not be recognized or mounted.

    So, welcome ChromeOS

    • by war4peace ( 1628283 ) on Sunday December 23, 2018 @02:05PM (#57849972)

      So if you have a locked screen and the keyboard stops functioning, plugging a new one in the USB port will not work?

      • by PsychoSlashDot ( 207849 ) on Sunday December 23, 2018 @02:12PM (#57850008)

        So if you have a locked screen and the keyboard stops functioning, plugging a new one in the USB port will not work?

        The parent to your comment specifically said "mass storage", which human interface devices are not. The summary also refers to not being able to read or execute code while locked and USB inserted, which sounds similar... since key-presses/mouse-clicks aren't code.

        I suspect someone smarter than both you and I thought about this before implementing it.

        • I suspect someone smarter than both you and I thought about this before implementing it.

          Well, unlike most people here I have been reading TFA and lookie here:

          Google took this precaution to prevent Rubber Ducky-type of attacks. A Rubber Ducky is a well-known term used to describe a malicious USB thumb drive that when plugged into a computer mimics a keyboard and runs malicious commands.

          So what happens when you plug in a regular keyboard? My guess is "nothing". So there might be a problem when you want to troubleshoot a machine which is supposed to run unattended (NAS, video monitoring, etc).

        • Actually, I suspect the real reason behind this is because Google wants you to use (their) cloud storage, instead of local storage. So rather than simply preventing ChromeOS from running executables located on external media (have to copy it to the Chromebook first), they made so a screen lock will prevent you from doing anything with external storage, like, say playing a music playlist located on a USB flash drive. Oh well, at least they made it optional.
      • by rtb61 ( 674572 )

        Well that depends upon how much you spent on your Chromebook, if these prices are anything to go by https://www.techradar.com/news... [techradar.com], if you keyboard stops working, toss it in the bin and buy a new one, though I suspect that the $35AUD price tag might not be quite accurate ;D.

        • You missed the point entirely, congrats. It's not about the value of the keyboard, it's about the inability to access your machine in case the connected keyboard stops working.

  • by FullCircle ( 643323 ) on Sunday December 23, 2018 @02:07PM (#57849988)

    Isn't that the real issue?

    If I mount a filesystem, I don't expect it to start executing random files on it at all.

    • by munch117 ( 214551 ) on Sunday December 23, 2018 @02:28PM (#57850066)

      On the other hand, you do expect it to start executing file system driver code. So if you can trigger an exploitable vulnerability in a driver using a specially crafted file system image, that'll do the trick.

      Of course that applies to any driver, not just a file system driver. Perhaps the idea is that without a mass storage device it becomes harder to load an attack payload. Not a very convincing idea, I admit; there are certainly ways around that.

      • by gweihir ( 88907 )

        On the other hand, you do expect it to start executing file system driver code.

        Well, I expect it to have exactly the filesystem drivers I compiled in. But you are correct that many pre-packaged OSes include a lot of filesystem and other drivers that are not strictly needed and, to make it worse, will load them automatically if they detect the respective filesystem or device. Linux was a while vulnerable via some very old and obscure driver for some MAC OS fs, for example. That is why in any system hardening you remove all drivers that are not strictly needed, not only for file systems

        • Well, I expect it to have exactly the filesystem drivers I compiled in.

          And you're 100% certain, beyond the shadow of a doubt, that the file system drivers you compiled in contain no vulnerabilities at all ?

          • You just made me curious about whether formal verification [wikipedia.org] has ever been applied to file system drivers distributed to the public as free software. Because if so, then one could prove beyond reasonable doubt that a file system driver has no vulnerabilities.

            • by gweihir ( 88907 )

              Hahahahaha, no. There are formally verified protocols than then was found to be vulnerable because somebody successfully attacked it. The thing with formal verification is that you _always_ need to be make assumptions and they can have errors. Also, you cannot (due to effort) formally verify the compiler and the CPU and the rest of the system (e.g. DMA unit), so formal verification does very much not give you that "beyond a reasonable doubt" either.

            • by tlhIngan ( 30335 )

              You just made me curious about whether formal verification has ever been applied to file system drivers distributed to the public as free software. Because if so, then one could prove beyond reasonable doubt that a file system driver has no vulnerabilities.

              The problem is it's not just a file system driver. The filesystem driver relies on potentially a multi-block device driver to provide fault tolerance support, which relies on block device driver(s) to implement a block interface. That block driver relies

          • by gweihir ( 88907 )

            Why would I need that? Expecting 100% security is a noob mistake. This is risk-management and that is not a beginner's game.
            The only thing I need is that I am reasonably sure they are well-maintained, current and actually fs drivers I regularly use.

      • by Anonymous Coward

        Fuck a duck. If you have physical access to the machine, stopping access to the USB ports is going to give you FUCK ALL extra security. What next? Disable charging on the intelligent power port on the device because it's USB-C or some other fucking communicative DC jack in case there's a vulnerability? Ban the WiFi or ethernet socket on screen lock? You know what that's called? The fucking power button.

        This reminds me of a CVE for OpenBSD a long time ago which complained an unpatchable DoS vulnerability

    • by gweihir ( 88907 )

      It is a real issue in the sense that the people creating configurations that do this demented thing are real. If we only had sane people doing default configurations, most security problems would go away. But there is a lot of people that do not get it and are unaware of that and hence mess it up. Dunning-Kruger effect at work.

    • If I mount a filesystem, I don't expect it to start executing random files on it at all.

      Who is talking about mounting filesystems?

      What about a HID device that captures keystrokes or inserts its own?
      What about a network device that captures packets while the device is locked, or overrides your settings to send your data elsewhere?

      And when we start talking about mounting filesystems then you have to remember that most attack vectors don't rely on "executing random files" as much as use existing bugs in software that would legitimately look at the mounted filesystem. Stuxnet spread via a file on

    • by AmiMoJo ( 196126 )

      I think TFA is confused. Chrome OS does not execute code from flash drives at all. It only runs apps you install, it doesn't run anything that wasn't installed.

      What they are actually doing is spotting the OS driver even enumerating USB devices when the screen is off/locked. That prevents attacks on the USB stack itself.

    • by AHuxley ( 892839 )
      Because new users are from the OS X and Windows side of computing.
      Having to type and use the CLI to get USB working every time is distracting from viewing ads.
  • by Anonymous Coward

    ... because you know they're going to block *everything*, even if they only do it by accident.

    And woe be those servers that use an internal USB port as a secure boot device.

    And finally, all those programs that use a USB dongle as part of a two-factor security system.

  • Windows XP (Score:5, Interesting)

    by darkain ( 749283 ) on Sunday December 23, 2018 @02:19PM (#57850036) Homepage

    Microsoft already had this in the initial release of Windows XP a long ass time ago. They removed it with the very first SP. Why? Because if there are ANY keyboard issues, you cannot add another one at all. Windows XP Pre-SP USB device detection only happens AFTER login. You run the risk of literally be locked on the password screen with zero way to enter a password. Things may be different with attached keyboards and touch screens now, but I still like the idea of the safety net of being able to attach a keyboard during trouble shooting.

    • by Anonymous Coward

      Or at least PS/2 emulating usb subsystem for the primary console.

      Linux has this same problem under certain types of lockups/crashes. The USB subsystem can freeze keeping you from rebooting the system or getting to a console to fix the issue, while a PS/2 keyboard can ALT-SYSRQ to freedom.

      Unfortunately most modern linux distros lock out those sysrq keys by default, even though they can sometimes allow a power user to solve hardware/software issues without a full system reset.

      captcha was 'teletype'. Even 50+

    • by AmiMoJo ( 196126 )

      The commit mentions that there is a whitelist of allowed devices, and presumably HID keyboards are on it.

      • by darkain ( 749283 )

        That's really good to know, thanks! I'd hate to have a repeat of the WinXP days. Thats was annoying as hell. Only solution back then was to hopefully still have a PS/2 keyboard in stock and the mobo having a port for it, otherwise it required either hacking the OS via boot media to remove the password, or a full reinstall.

    • This is particularly true since waking computers up from sleep mode does tend to cause input devices to stop responding. Hell, I've had plenty of wake-up problems on both PCs and Macs for over 20 years, so it's obviously a problem that's not easy to solve, either technically or politically.

  • I don't want those dangerous potentials and currents getting to the battery if I've locked my phone.

  • ok, i get it, if you're not near your computer and somebody plugs in a usb stick your computer can get hacked without you knowing it.
    but, if you, while working, plug in a usb stick with malware on it yourself it will still execute?
    how about not executing anything at all when inserting a usb device, sounds like a much better idea.

The 11 is for people with the pride of a 10 and the pocketbook of an 8. -- R.B. Greenberg [referring to PDPs?]

Working...