Is there a way to prevent USB over ethernet from working?
This video shows an attack where attaching a USB device to a locked computer pretty much takes over all currently running browsers. The trick is that the USB device acts as Ethernet over USB, and a laptop will automatically attempt a connection to such a device.
My work computer has an actual ethernet port, and I almost exclusively use wifi. I do not foresee a need to use 4G dongles and such. I could mitigate such an attack by merely preventing USB over ethernet from working in the first place. (The alternative mitigation suggested in the video, applying cement to my USB ports, doesn't sound quite so enticing. Additionally, it can be worked around with a docking station.)
How can I do this?
Solution 1: Using a udev rule or a Linux kernel blacklist
Yes, it is possible, but I am not confident it will block all such types of attack. I have only one device, and I can't say it is a general solution.
I did a check with a USB net key on Ubuntu 21.10.
Info collecting
- udevadm monitor -u

    monitor will print the received events for:
    UDEV - the event which udev sends out after rule processing

    UDEV  [108.870714] add      /devices/pci0000:00/0000:00:06.0/usb2/2-2 (usb)
    UDEV  [108.951632] add      /module/mii (module)
    UDEV  [108.970818] add      /module/usbnet (module)
    UDEV  [114.296923] add      /bus/usb/drivers/dm9601 (drivers)
    UDEV  [114.310640] add      /module/dm9601 (module)
    UDEV  [114.316277] add      /bus/usb/drivers/sr9700 (drivers)
    UDEV  [114.324254] add      /module/sr9700 (module)
    UDEV  [114.325188] add      /devices/pci0000:00/0000:00:06.0/usb2/2-2/2-2:1.0 (usb)
    UDEV  [114.361207] bind     /devices/pci0000:00/0000:00:06.0/usb2/2-2 (usb)
    UDEV  [114.446039] add      /devices/pci0000:00/0000:00:06.0/usb2/2-2/2-2:1.0/net/enx00e04c534458 (net)
    UDEV  [114.471800] add      /devices/pci0000:00/0000:00:06.0/usb2/2-2/2-2:1.0/net/eth0/queues/tx-0 (queues)
    UDEV  [114.591649] add      /devices/pci0000:00/0000:00:06.0/usb2/2-2/2-2:1.0/net/eth0/queues/rx-0 (queues)
    UDEV  [114.602864] bind     /devices/pci0000:00/0000:00:06.0/usb2/2-2/2-2:1.0 (usb)
    UDEV  [115.079106] move     /devices/pci0000:00/0000:00:06.0/usb2/2-2/2-2:1.0/net/enx00e04c534458 (net)
- udevadm info -a -p /devices/pci0000:00/0000:00:06.0/usb2/2-2/2-2:1.0/net/enx00e04c534458

    Udevadm info starts with the device specified by the devpath and then
    walks up the chain of parent devices. It prints for every device
    found, all possible attributes in the udev rules key format.
    A rule to match, can be composed by the attributes of the device
    and the attributes from one single parent device.

    looking at device '/devices/pci0000:00/0000:00:06.0/usb2/2-2/2-2:1.0/net/enx00e04c534458':
        KERNEL=="enx00e04c534458"
        SUBSYSTEM=="net"
        DRIVER==""
        ATTR{addr_assign_type}=="0"
        ATTR{addr_len}=="6"
        ATTR{address}=="00:e0:4c:53:44:58"
        ATTR{broadcast}=="ff:ff:ff:ff:ff:ff"
        ATTR{carrier}=="0"
        ATTR{carrier_changes}=="3"
        ATTR{carrier_down_count}=="2"
        ATTR{carrier_up_count}=="1"
        ATTR{dev_id}=="0x0"
        ATTR{dev_port}=="0"
        ATTR{dormant}=="0"
        ATTR{duplex}=="full"
        ATTR{flags}=="0x1003"
        ATTR{gro_flush_timeout}=="0"
        ATTR{ifalias}==""
        ATTR{ifindex}=="3"
        ATTR{iflink}=="3"
        ATTR{link_mode}=="0"
        ATTR{mtu}=="1500"
        ATTR{name_assign_type}=="4"
        ATTR{napi_defer_hard_irqs}=="0"
        ATTR{netdev_group}=="0"
        ATTR{operstate}=="down"
        ATTR{power/async}=="disabled"
        ATTR{power/control}=="auto"
        ATTR{power/runtime_active_kids}=="0"
        ATTR{power/runtime_active_time}=="0"
        ATTR{power/runtime_enabled}=="disabled"
        ATTR{power/runtime_status}=="unsupported"
        ATTR{power/runtime_suspended_time}=="0"
        ATTR{power/runtime_usage}=="0"
        ATTR{proto_down}=="0"
        ATTR{queues/rx-0/rps_cpus}=="0"
        ATTR{queues/rx-0/rps_flow_cnt}=="0"
        ATTR{queues/tx-0/byte_queue_limits/hold_time}=="1000"
        ATTR{queues/tx-0/byte_queue_limits/inflight}=="0"
        ATTR{queues/tx-0/byte_queue_limits/limit}=="0"
        ATTR{queues/tx-0/byte_queue_limits/limit_max}=="1879048192"
        ATTR{queues/tx-0/byte_queue_limits/limit_min}=="0"
        ATTR{queues/tx-0/tx_maxrate}=="0"
        ATTR{queues/tx-0/tx_timeout}=="0"
        ATTR{queues/tx-0/xps_rxqs}=="0"
        ATTR{speed}=="100"
        ATTR{statistics/collisions}=="0"
        ATTR{statistics/multicast}=="0"
        ATTR{statistics/rx_bytes}=="0"
        ATTR{statistics/rx_compressed}=="0"
        ATTR{statistics/rx_crc_errors}=="0"
        ATTR{statistics/rx_dropped}=="0"
        ATTR{statistics/rx_errors}=="0"
        ATTR{statistics/rx_fifo_errors}=="0"
        ATTR{statistics/rx_frame_errors}=="0"
        ATTR{statistics/rx_length_errors}=="0"
        ATTR{statistics/rx_missed_errors}=="0"
        ATTR{statistics/rx_nohandler}=="0"
        ATTR{statistics/rx_over_errors}=="0"
        ATTR{statistics/rx_packets}=="0"
        ATTR{statistics/tx_aborted_errors}=="0"
        ATTR{statistics/tx_bytes}=="0"
        ATTR{statistics/tx_carrier_errors}=="0"
        ATTR{statistics/tx_compressed}=="0"
        ATTR{statistics/tx_dropped}=="0"
        ATTR{statistics/tx_errors}=="0"
        ATTR{statistics/tx_fifo_errors}=="0"
        ATTR{statistics/tx_heartbeat_errors}=="0"
        ATTR{statistics/tx_packets}=="0"
        ATTR{statistics/tx_window_errors}=="0"
        ATTR{testing}=="0"
        ATTR{threaded}=="0"
        ATTR{tx_queue_len}=="1000"
        ATTR{type}=="1"

    looking at parent device '/devices/pci0000:00/0000:00:06.0/usb2/2-2/2-2:1.0':
        KERNELS=="2-2:1.0"
        SUBSYSTEMS=="usb"
        DRIVERS=="dm9601"
        ATTRS{authorized}=="1"
        ATTRS{bAlternateSetting}==" 0"
        ATTRS{bInterfaceClass}=="00"
        ATTRS{bInterfaceNumber}=="00"
        ATTRS{bInterfaceProtocol}=="00"
        ATTRS{bInterfaceSubClass}=="00"
        ATTRS{bNumEndpoints}=="03"
        ATTRS{power/async}=="enabled"
        ATTRS{power/runtime_active_kids}=="0"
        ATTRS{power/runtime_enabled}=="enabled"
        ATTRS{power/runtime_status}=="active"
        ATTRS{power/runtime_usage}=="1"
        ATTRS{supports_autosuspend}=="1"

    looking at parent device '/devices/pci0000:00/0000:00:06.0/usb2/2-2':
        KERNELS=="2-2"
        SUBSYSTEMS=="usb"
        DRIVERS=="usb"
        ATTRS{authorized}=="1"
        ATTRS{avoid_reset_quirk}=="0"
        ATTRS{bConfigurationValue}=="1"
        ATTRS{bDeviceClass}=="00"
        ATTRS{bDeviceProtocol}=="00"
        ATTRS{bDeviceSubClass}=="00"
        ATTRS{bMaxPacketSize0}=="64"
        ATTRS{bMaxPower}=="120mA"
        ATTRS{bNumConfigurations}=="1"
        ATTRS{bNumInterfaces}==" 1"
        ATTRS{bcdDevice}=="0101"
        ATTRS{bmAttributes}=="80"
        ATTRS{busnum}=="2"
        ATTRS{configuration}==""
        ATTRS{devnum}=="3"
        ATTRS{devpath}=="2"
        ATTRS{idProduct}=="9700"
        ATTRS{idVendor}=="0fe6"
        ATTRS{ltm_capable}=="no"
        ATTRS{maxchild}=="0"
        ATTRS{power/active_duration}=="124280"
        ATTRS{power/async}=="enabled"
        ATTRS{power/autosuspend}=="2"
        ATTRS{power/autosuspend_delay_ms}=="2000"
        ATTRS{power/connected_duration}=="124280"
        ATTRS{power/control}=="on"
        ATTRS{power/level}=="on"
        ATTRS{power/persist}=="1"
        ATTRS{power/runtime_active_kids}=="1"
        ATTRS{power/runtime_active_time}=="123743"
        ATTRS{power/runtime_enabled}=="forbidden"
        ATTRS{power/runtime_status}=="active"
        ATTRS{power/runtime_suspended_time}=="0"
        ATTRS{power/runtime_usage}=="1"
        ATTRS{product}=="USB 2.0 10/100M Ethernet Adaptor"
        ATTRS{quirks}=="0x0"
        ATTRS{removable}=="unknown"
        ATTRS{rx_lanes}=="1"
        ATTRS{speed}=="12"
        ATTRS{tx_lanes}=="1"
        ATTRS{urbnum}=="42458"
        ATTRS{version}==" 1.10"

    looking at parent device '/devices/pci0000:00/0000:00:06.0/usb2':
        KERNELS=="usb2"
        SUBSYSTEMS=="usb"
        DRIVERS=="usb"
        ATTRS{authorized}=="1"
        ATTRS{authorized_default}=="1"
        ATTRS{avoid_reset_quirk}=="0"
        ATTRS{bConfigurationValue}=="1"
        ATTRS{bDeviceClass}=="09"
        ATTRS{bDeviceProtocol}=="00"
        ATTRS{bDeviceSubClass}=="00"
        ATTRS{bMaxPacketSize0}=="64"
        ATTRS{bMaxPower}=="0mA"
        ATTRS{bNumConfigurations}=="1"
        ATTRS{bNumInterfaces}==" 1"
        ATTRS{bcdDevice}=="0513"
        ATTRS{bmAttributes}=="e0"
        ATTRS{busnum}=="2"
        ATTRS{configuration}==""
        ATTRS{devnum}=="1"
        ATTRS{devpath}=="0"
        ATTRS{idProduct}=="0001"
        ATTRS{idVendor}=="1d6b"
        ATTRS{interface_authorized_default}=="1"
        ATTRS{ltm_capable}=="no"
        ATTRS{manufacturer}=="Linux 5.13.0-22-generic ohci_hcd"
        ATTRS{maxchild}=="12"
        ATTRS{power/active_duration}=="232196"
        ATTRS{power/async}=="enabled"
        ATTRS{power/autosuspend}=="0"
        ATTRS{power/autosuspend_delay_ms}=="0"
        ATTRS{power/connected_duration}=="232196"
        ATTRS{power/control}=="auto"
        ATTRS{power/level}=="auto"
        ATTRS{power/runtime_active_kids}=="2"
        ATTRS{power/runtime_active_time}=="232137"
        ATTRS{power/runtime_enabled}=="enabled"
        ATTRS{power/runtime_status}=="active"
        ATTRS{power/runtime_suspended_time}=="0"
        ATTRS{power/runtime_usage}=="0"
        ATTRS{power/wakeup}=="disabled"
        ATTRS{power/wakeup_abort_count}==""
        ATTRS{power/wakeup_active}==""
        ATTRS{power/wakeup_active_count}==""
        ATTRS{power/wakeup_count}==""
        ATTRS{power/wakeup_expire_count}==""
        ATTRS{power/wakeup_last_time_ms}==""
        ATTRS{power/wakeup_max_time_ms}==""
        ATTRS{power/wakeup_total_time_ms}==""
        ATTRS{product}=="OHCI PCI host controller"
        ATTRS{quirks}=="0x0"
        ATTRS{removable}=="unknown"
        ATTRS{rx_lanes}=="1"
        ATTRS{serial}=="0000:00:06.0"
        ATTRS{speed}=="12"
        ATTRS{tx_lanes}=="1"
        ATTRS{urbnum}=="65"
        ATTRS{version}==" 1.10"

    looking at parent device '/devices/pci0000:00/0000:00:06.0':
        KERNELS=="0000:00:06.0"
        SUBSYSTEMS=="pci"
        DRIVERS=="ohci-pci"
        ATTRS{ari_enabled}=="0"
        ATTRS{broken_parity_status}=="0"
        ATTRS{class}=="0x0c0310"
        ATTRS{consistent_dma_mask_bits}=="32"
        ATTRS{d3cold_allowed}=="0"
        ATTRS{device}=="0x003f"
        ATTRS{dma_mask_bits}=="32"
        ATTRS{driver_override}=="(null)"
        ATTRS{enable}=="1"
        ATTRS{irq}=="22"
        ATTRS{local_cpulist}=="0"
        ATTRS{local_cpus}=="1"
        ATTRS{msi_bus}=="1"
        ATTRS{numa_node}=="-1"
        ATTRS{power/async}=="enabled"
        ATTRS{power/control}=="on"
        ATTRS{power/runtime_active_kids}=="1"
        ATTRS{power/runtime_active_time}=="232396"
        ATTRS{power/runtime_enabled}=="forbidden"
        ATTRS{power/runtime_status}=="active"
        ATTRS{power/runtime_suspended_time}=="0"
        ATTRS{power/runtime_usage}=="2"
        ATTRS{power/wakeup}=="enabled"
        ATTRS{power/wakeup_abort_count}=="0"
        ATTRS{power/wakeup_active}=="0"
        ATTRS{power/wakeup_active_count}=="0"
        ATTRS{power/wakeup_count}=="0"
        ATTRS{power/wakeup_expire_count}=="0"
        ATTRS{power/wakeup_last_time_ms}=="0"
        ATTRS{power/wakeup_max_time_ms}=="0"
        ATTRS{power/wakeup_total_time_ms}=="0"
        ATTRS{power_state}=="D0"
        ATTRS{revision}=="0x00"
        ATTRS{subsystem_device}=="0x0000"
        ATTRS{subsystem_vendor}=="0x0000"
        ATTRS{vendor}=="0x106b"

    looking at parent device '/devices/pci0000:00':
        KERNELS=="pci0000:00"
        SUBSYSTEMS==""
        DRIVERS==""
        ATTRS{power/async}=="enabled"
        ATTRS{power/control}=="auto"
        ATTRS{power/runtime_active_kids}=="11"
        ATTRS{power/runtime_active_time}=="0"
        ATTRS{power/runtime_enabled}=="disabled"
        ATTRS{power/runtime_status}=="unsupported"
        ATTRS{power/runtime_suspended_time}=="0"
        ATTRS{power/runtime_usage}=="0"
        ATTRS{waiting_for_supplier}=="0"
- lsusb; echo; lsusb -t

    Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
    Bus 002 Device 003: ID 0fe6:9700 ICS Advent DM9601 Fast Ethernet Adapter
    Bus 002 Device 002: ID 80ee:0021 VirtualBox USB Tablet
    Bus 002 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub

    /:  Bus 02.Port 1: Dev 1, Class=root_hub, Driver=ohci-pci/12p, 12M
        |__ Port 1: Dev 2, If 0, Class=Human Interface Device, Driver=usbhid, 12M
        |__ Port 2: Dev 3, If 0, Class=, Driver=dm9601, 12M
    /:  Bus 01.Port 1: Dev 1, Class=root_hub, Driver=ehci-pci/12p, 480M
Linux kernel blacklist
As you may notice, the usbnet module gets loaded, as seen in the udev monitor output.
Udev rule
One condition that seems clear is this one:
ACTION=="add", SUBSYSTEM=="net", SUBSYSTEMS=="usb", ...
So it is the newly added net node which has a parent usb node.
Then target that leaf node or its parent node to be removed, unauthorized, or have its driver unbound, as in this answer about blocking USB storage devices.
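The two mechanisms sketched above (the "Linux kernel blacklist" and the udev rule with its RUN action) written out as an added example; this is my own script, not code from the answer. File names, the handler path /usr/local/sbin/deauth-usb-net.sh, and the choice of the interface's authorized attribute as the "unauthorize" step are my assumptions; the extra r8152 line is my addition, since that driver does not sit on top of usbnet.

```shell
#!/bin/sh
# Added example (not from the original answer). Two pieces:
#  1. a udev RUN handler that writes 0 to the 'authorized' attribute of the
#     USB interface behind a newly added USB-backed net device, which makes
#     the kernel unbind its driver (dm9601 in the answer's case);
#  2. the config files: the udev rule and a modprobe config.
# Assumed install location of this script (hypothetical):
HANDLER=${HANDLER:-/usr/local/sbin/deauth-usb-net.sh}
set -eu

# DEVPATH for the net device looks like
#   /devices/.../usb2/2-2/2-2:1.0/net/enx00e04c534458
# The USB interface (2-2:1.0) is what sits directly above /net/<ifname>.
usb_iface_from_devpath() {
    case "$1" in
        */net/*) printf '%s\n' "${1%/net/*}" ;;
        *) return 1 ;;
    esac
}

# Only acts if the resolved sysfs node really is a USB interface
# (bInterfaceNumber exists only for those), so a mis-invocation is a no-op.
deauthorize_usb_iface() {
    dir="/sys$(usb_iface_from_devpath "$1")" || return 1
    [ -e "$dir/bInterfaceNumber" ] || return 1
    echo 0 > "$dir/authorized"
}

# Render both config files under $1 (/etc on a real system, a temp dir in a test).
write_configs() {
    root="$1"
    mkdir -p "$root/udev/rules.d" "$root/modprobe.d"
    cat > "$root/udev/rules.d/99-no-usb-net.rules" <<EOF
# Unauthorize the USB interface behind any USB-backed net device on add.
ACTION=="add", SUBSYSTEM=="net", SUBSYSTEMS=="usb", RUN+="$HANDLER deauth \$env{DEVPATH}"
EOF
    # 'install <mod> /bin/false' also blocks loading as a dependency of another
    # module, which a plain 'blacklist' line does not. r8152 is listed on its
    # own because it does not use the usbnet framework.
    cat > "$root/modprobe.d/no-usb-net.conf" <<EOF
install usbnet /bin/false
install r8152 /bin/false
EOF
}

case "${1:-}" in
    deauth)  deauthorize_usb_iface "$2" ;;
    install) write_configs /etc ;;
esac
```

Run `install` as root once and reload udev rules; `deauth` is what udev calls with the net device's DEVPATH.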