Linux Tries To Dump Windows' Notoriously Insecure RNDIS Protocol (zdnet.com)
An anonymous reader quotes a report from ZDNet: Microsoft's proprietary protocol, Remote Network Driver Interface Specification (RNDIS), started with a good idea. It would enable hardware vendors to add networking support to USB devices without having to build them from scratch. There was only one little problem. RNDIS has no security to speak of. As Greg Kroah-Hartman, the Linux Foundation fellow responsible for stable Linux kernel releases, wrote in November 2022 on the Linux Kernel Mailing List (LKML), "The Microsoft RNDIS protocol is, as designed, insecure and vulnerable on any system that uses it with untrusted hosts or devices. Because the protocol is impossible to make secure, just disable all RNDIS drivers to prevent anyone from using them again."
He added, in another message, "The protocol was never designed to be used with untrusted devices. It was created, and we implemented support for it, when we trusted USB devices that we plugged into our systems, AND we trusted the systems we plugged our USB devices into." That's no longer the case. Kroah-Hartman concluded, "Today, with untrusted hosts and devices, it's time just to retire this protocol. As I mentioned in the patch comments, Android disabled this many years ago in their devices, with no loss of functionality."
[...] But now, sick and tired of having a built-in Windows security exploit in Linux, Kroah-Hartman has decided that enough was enough. He's disabled all the RNDIS protocol drivers in Linux's Git repository. That means that while the RNDIS code is still in the Linux kernel, if you try to build Linux using this new patch, all your RNDIS drivers will be broken and won't build. This is one step short of purging RNDIS from Linux.
That's ok (Score:5, Funny)
I'm sure systemd will take over this job.
Re: That's ok (Score:2)
Indeed. For example systemd-timesyncd comes as just a component that runs independently of the main systemd process. Which is good because I disable that one the first chance I get on a new Linux box. Run chrony, ntpd, or whatever. Anything is better than timesyncd.
Re: That's ok (Score:1)
I'm convinced that RNDIS was conceived with the sincere hope that something like HTTPS was close at hand. Maybe even something session layer based with the same principles.
Someone is wrong (Score:5, Informative)
- Android disabled this many years ago in their devices, with no loss of functionality
VS
Maciej Żenczykowski, a Google Linux Kernel Networking Developer
- people use the RNDIS driver Linux laptops to USB tether off Android phones
Re: (Score:2)
Already handicapped by some carriers.
Re: (Score:1)
Fun fact: if you're running Linux they can't even tell. Could this be an additional, secret reason they're so hasty to disable it? So that tethering stops working on my pinephone? I mean, it is ridiculously insecure but that hasn't stopped anyone from using Samba.
Re:Someone is wrong (Score:5, Interesting)
Greg is saying Google trailblazed by switching to a safer protocol but Maciej is saying other vendors didn't.
Your non-Google Android phone ought to continue to tether using this obsolete protocol as long as you don't upgrade your desktop distro's kernel to 6.7 or higher - I should be good for a couple more years with Debian stable. :)
Anyway... Google, if you're reading this, you have 12 months - why not mandate the NCM protocol in Linux kernels for Android 15?
Re: (Score:1)
6.7? Wow, I'm still on the 4.X branch
Re: (Score:2)
Stoned Beaver FTW.
Why Android can't use CDC Ethernet (Score:4, Informative)
Re: (Score:1)
> people use the RNDIS driver Linux laptops to USB tether off Android phones
Do people still do that? Tethering?
I'd think most just hotspot these days.
Re: (Score:3)
A lot of phones are good enough for tethering, and if a phone can do it, that is one less item + accessories (charger, cable) to lug around and get lost. Some routers allow one to plug in a phone to use for tethering, so one can keep the same network settings, and still get out to the Internet if the cable link is inoperative.
Re: (Score:2)
I travel and USB tether quite frequently with my Linux laptop. It's spectacular. It's like 30% less battery usage and instead of 4g/5g.. if I have wifi but my laptop can't connect to it for some reason, I can also re-share my phone's wifi connection to my laptop via USB
Re: (Score:3)
I don't think there's a conflict between those statements. As I read it, Android does not support using RNDIS devices - so you can't connect an RNDIS device to your phone and use it to access the network. However, the USB tethering support on some (most?) Android devices presents an RNDIS device to the host, so if the host doesn't support RNDIS it won't work. In other words, Android cannot be a host to a RNDIS device, but can be an RNDIS device to another host.
On the other hand - I would have thought that
What makes RNDIS insecure? (Score:2, Interesting)
What exactly makes the RNDIS protocol insecure? I just see this statement in the summary and articles but no real explanation.
Does it pose a danger to the host machine in some way? USB doesn't allow DMA like PCIe or FireWire do.
Or does it expose network traffic in some way? Why don't sandboxing, firewalling, or encryption help?
Re: What makes RNDIS insecure? (Score:2)
Any more specific examples?
I found this, https://github.com/szymonh/rnd... [github.com]
But it's an easily patchable and common buffer overflow caused by not sanitizing an offset value stored in a packet. Practically every protocol is vulnerable to this kind of thing.
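Added example (not part of the thread and not the kernel's own code): a bounds-checked parser for the offset/length pair the comment above refers to, written as a defensive sketch. It assumes the REMOTE_NDIS_SET_MSG layout of seven little-endian 32-bit fields with InformationBufferOffset counted from the RequestId field at byte 8; the function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>

#define RNDIS_MSG_SET 0x00000005u /* REMOTE_NDIS_SET_MSG */
#define SET_HDR_LEN   28u         /* seven little-endian 32-bit fields */

static uint32_t rd_le32(const uint8_t *p)
{
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static void wr_le32(uint8_t *p, uint32_t v)
{
    for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i));
}

/* Returns 0 and sets *data / *data_len, or -1 if the message is malformed. */
int rndis_set_payload(const uint8_t *msg, size_t len,
                      const uint8_t **data, uint32_t *data_len)
{
    if (msg == NULL || len < SET_HDR_LEN) return -1;
    uint32_t msg_len = rd_le32(msg + 4);   /* MessageLength */
    uint32_t buf_len = rd_le32(msg + 16);  /* InformationBufferLength */
    uint32_t buf_off = rd_le32(msg + 20);  /* InformationBufferOffset */

    if (rd_le32(msg) != RNDIS_MSG_SET) return -1;
    if (msg_len < SET_HDR_LEN || msg_len > len) return -1;
    /* The offset counts from RequestId (byte 8), not from the message start. */
    if (buf_off > msg_len - 8u) return -1;      /* checked before adding: no wrap */
    uint32_t start = buf_off + 8u;
    if (start < SET_HDR_LEN) return -1;         /* example policy: no aliasing the header */
    if (buf_len > msg_len - start) return -1;   /* payload must end inside the message */
    *data = msg + start;
    *data_len = buf_len;
    return 0;
}

/* Constructed 32-byte SET message (28-byte header + 4 payload bytes) carrying
   the given offset/length fields; returns the validator's verdict. */
int check_constructed(uint32_t buf_off, uint32_t buf_len)
{
    uint8_t msg[32] = {0};
    const uint8_t *data; uint32_t n;
    wr_le32(msg, RNDIS_MSG_SET);
    wr_le32(msg + 4, sizeof msg);
    wr_le32(msg + 16, buf_len);
    wr_le32(msg + 20, buf_off);
    return rndis_set_payload(msg, sizeof msg, &data, &n);
}
```

Both fields are compared by subtraction from an already-validated length, so a value such as 0xFFFFFFF8 cannot wrap past the check the way `offset + 8` would.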
Re: (Score:2)
Except RNDIS and CDC Ethernet are two different (but similar) protocols to do different things.
Microsoft created RNDIS to do point to point networking over USB. That is, you have RNDIS host and RNDIS client, and the two endpoints will have an Ethernet-like link connected to each other. So you connect your PC to a "smart device" (at the time) and you can do network applic
What changed? (Score:1)
> when we trusted USB devices that we plugged into our systems, AND we trusted the systems we plugged our USB devices into
This hasn't changed one bit. Everything USB is fully trusted on any system...
Now thunderbolt devices, I've seen those require "authorisation" but that also is totally optional (I'm referring to windows now where if you merely uninstall the Intel Thunderbolt software, all thunderbolt devices are fully trusted wink wink).
I don't see any reason *not* to get rid of this protocol, but the re
Re: (Score:1)
> USB devices cannot do memory transfers to arbitrary locations
That is not a matter of trust. I'm talking about trusting the device/disallowing a device.
I just stuck a flash drive into my Win 10 machine and guess what. I got no prompts, nothing. No "Do you wish to use this device message" with a tickbox to make it permanent. Nothing, that flash drive could have emulated a keyboard as we all know...
Android devices do have an element of USB trust, but only on the android side. You have to confirm that
Re: (Score:2)
All USB devices are inherently trusted by all PC's and Laptops running any Windows versions and Linux distros. Unless as I asked, something has changed and some distros have such user control.
By default, what you say is true. But you can change this easily on Linux with usbguard. This is kind of a PITA to actually use since there is no UI, you have to do it all through the terminal, but installing it is easy enough.
Re: (Score:2)
Any flash drive I've stuck into any of my computers has not done anything until I click "mount and open". I can see a "mount and open" prompt for a USB device on my PC right now. And this is Kubuntu, not known for being a security-conscious distro. Devices don't mount until I tell them to, so no, they're not automatically trusted.
This is not only phone tethering (Score:1)
Many IPMI implementations in servers present a fake USB network device that speaks RNDIS.