Protection against rogue USB devices

Hi!

A successful attack resulting in data theft is nothing else than someone exploiting software on your system so that it does things you never wanted it to do. The only way to avoid this is to hinder someone from calling such a function on your system.

We use IP firewalls to minimize our publicly available attack surface in a desperate hope that the remaining surface doesn't expose such functions anymore.

While most people tend to know about the utter importance of IP firewalls, few know their system is also exposed to other security threats. No, this time I am not talking about UEFI, which is nothing else than a well-decorated Trojan horse, but about USB security.

A USB port isn't the same as the good old (nearly eradicated) serial port. While the serial port requires you to first start the software which is meant to talk to the other end of the serial cable, and to plug in the cable after it, USB will actually start the software on your computer automatically as soon as you insert the device.

Unfortunately our attack surface grows as the list of supported USB devices grows. And it does grow all the time. As a reminder: An attacker just needs to find ONE critical bug in your attack surface to break through.

Since the attack surface labeled "USB" has grown steadily, it's long overdue to address it.

Fortunately, in order to successfully breach into your computer, the person needs local access to it. At first glance, this sounds like a good thing. But if you look closer, it actually doesn't make things much better in many cases. An attacker needs around 5 seconds to successfully infect a system with a rogue USB device, and none of your devices will always be attended by you.

Strictly speaking, a system isn't proven uninfected anymore as soon as you have left it unattended once and you can't tell that no other person could have attached a USB device in the meantime. And no, a locked screensaver doesn't help at all. Everything USB-related is running in the background as root.

The safest approach to address this issue is to make the user actively approve the newly inserted device via whitelists, which glue the VID/PID of a USB device to a certain driver. The attack surface is minimized drastically that way, as most people are only attaching certain HIDs anyway.

It doesn't protect you from keyloggers secretly hidden in your keyboard though, but that's another story.

So, after all those explanations... what I actually wanted to ask: Is there a USB firewall for FreeBSD?
 
The safest approach to address this issue is to make the user actively approve the newly inserted device via whitelists, which glue the VID/PID of a USB device to a certain driver.
I'm inserting a new keyboard or mouse that has not been previously whitelisted on a system that does not currently have a mouse or keyboard attached. How do I whitelist that? Do I use the unknown device to approve the use of the unknown device?

The FreeBSD devd processing has all kinds of hooks in it, I think the starting point of "USB device inserted, now do something" is where you would start.
I think most of the USB drivers contain the VID/PID of the things they support.

My opinion:
The bigger issue is related to automounting USB devices like thumb drives; that is usually done from a "file manager" in a "desktop environment". If you disable all automounting pieces, when you plug in a thumb drive the most you get is new device nodes and GEOM layer tasting it. Is that enough for bad things to happen? I don't know.
But I think the issue is largely solved by "don't plug unknown devices into your system and don't allow others to".
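One way to build the "USB device inserted, now do something" hook mentioned above, as an added example that is not part of the thread and not FreeBSD's own code: devd delivers USB attach notifications with the device's vendor and product IDs, so a small script can compare them against an allowlist, log the decision, and power down anything that is not listed. The script path /usr/local/sbin/usb-gate, the allowlist file /usr/local/etc/usb-allowlist and the IDs in the comments are assumptions chosen for the example; the devd.conf rule shape and the usbconfig power_off command are FreeBSD's.

```shell
#!/bin/sh
# Added example: devd-driven USB allowlist for FreeBSD (not from the thread).
# Assumed layout:
#   /usr/local/etc/usb-allowlist  one "vvvv:pppp" per line (4 hex digits each,
#                                 no 0x prefix), '#' starts a comment line
#   /usr/local/sbin/usb-gate      this script, invoked by devd
# devd hook (devd.conf syntax; $ugen, $vendor and $product are variables devd
# sets for USB device attach notifications):
#
#   notify 100 {
#       match "system"    "USB";
#       match "subsystem" "DEVICE";
#       match "type"      "ATTACH";
#       action "/usr/local/sbin/usb-gate $ugen $vendor $product";
#   };

ALLOWLIST="${ALLOWLIST:-/usr/local/etc/usb-allowlist}"

# norm_id ID: normalize "0x046d", "046D" or "46d" to "046d" so that devd's
# 0x-prefixed values and hand-written allowlist entries compare equal.
norm_id() {
    v=$(printf '%s' "$1" | tr 'A-F' 'a-f' | sed 's/^0x//')
    while [ "${#v}" -lt 4 ]; do v="0$v"; done
    printf '%s' "$v"
}

# is_allowed VENDOR PRODUCT: succeed only when "vvvv:pppp" is an exact
# allowlist line. A missing or unreadable allowlist denies everything.
is_allowed() {
    key="$(norm_id "$1"):$(norm_id "$2")"
    [ -r "$ALLOWLIST" ] || return 1
    grep -v '^#' "$ALLOWLIST" | tr 'A-F' 'a-f' | grep -qx "$key"
}

# gate UGEN VENDOR PRODUCT: log the decision and, for an unlisted device,
# cut power to it when usbconfig is available (i.e. when running on FreeBSD).
gate() {
    ugen=$1 vendor=$2 product=$3
    if is_allowed "$vendor" "$product"; then
        logger -t usb-gate "allow $ugen $vendor:$product"
        return 0
    fi
    logger -t usb-gate "DENY $ugen $vendor:$product"
    if command -v usbconfig >/dev/null 2>&1; then
        usbconfig -d "$ugen" power_off
    fi
    return 1
}

# Entry point when called from devd with three arguments; defining the
# functions without arguments (e.g. when sourced) does nothing.
if [ "$#" -eq 3 ]; then
    gate "$1" "$2" "$3"
fi
```

Two caveats belong with this. First, devd fires after the kernel has already enumerated the device and attached a driver, so the hook shortens the exposure window rather than eliminating the probe itself; the allowlist is about limiting which devices stay usable. Second, power_off depends on the hub and host controller honouring per-port power control, so the DENY log line is the part to rely on for detection and the power-off is best effort.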
 
Permissions can be set on /dev/ devices to allow only certain USB devices and specific users to use them. File permissions for those devices are important. Permissions can be set by class of USB devices down to manufacturer brand. You may want to disable webcamd, because it sets the permissions for many classes of USB devices in /dev.

Then allow only the necessary users to be in those groups, like wheel and operator.

There are also hardening options for mounting in /boot/loader.conf.
 
So, after all those explanations... what I actually wanted to ask: Is there a USB firewall for FreeBSD?

If you want to block by device ID then you are fairly deep into the USB stack already before you can block a device. The attack surface would still be pretty large.
 