Message-ID: <9c8ef246-0e75-793b-6995-51e50a730701@ehuk.net>
Date: Thu, 22 Aug 2019 19:44:50 +0100
From: Eddie Chapman <eddie@...k.net>
To: oss-security@...ts.openwall.com
Subject: Re: Linux kernel: multiple vulnerabilities in the USB subsystem x2

On 22/08/2019 18:57, Perry E. Metzger wrote:
> Android phones run Linux. People routinely plug those phones in to USB
> charging stations in airports, on airplanes, at booths in public
> places, etc.
>
> Perry

I would argue that this kind of behaviour is far too trusting and asking for trouble. Should we request a CVE for foolish user behaviour?

Yes, USB was designed to make it easy to be able to plug/unplug devices without having to open your device up, but it doesn't mean people should do stupid things with it.

OK, there are different levels of risk; you can never be totally sure if any device is safe unless you open it up and start examining. If it is a dumb charger or you know the person who supplies you with a more sophisticated charging device (either a manufacturer you trust you bought it from or a friend you trust obtained the device from a trusted manufacturer) then the risk is lower, but not eliminated completely.

If I designed a box with PCIe slots on the outside of the case, would you go around plugging in random circuit boards into it if they were available at an airport and provided some useful function? I would not. Whatever interface it is I will only plug it in if I have some reasonable level of confidence about the device.

Or maybe people have already started reviewing the kernel code looking for ways in which a malicious PCIe device could own the system.