[OWASP-Security101] Security101 Digest, Vol 3, Issue 2
thomas.stiehm at gmail.com
Sun Apr 8 22:11:23 UTC 2012
Given how cheaply USB sticks are manufactured, I would assume that it
is within the skills of any mediocre but determined attacker to break
any built-in identity system. While it might be possible that the
hardware ID is entered into some sticks in an unchangeable way, I
wouldn't count on that being true for all sticks. These ID systems
were not designed to be secure, just good enough to assign a drive
letter to a flash drive if a user decided to assign it a permanent
drive letter. I don't think it can be counted on as part of the
security of a system.

I would bet there is a system to emulate USB devices that allows you to
set the hardware ID, but I haven't used them. If there isn't, and your
attacker has to build one from scratch, it is hard but certainly doable
(hard as in it will take a good device driver programmer a month or
more to do it, 100% within the reach of a financed attacker).

There are other systems you could use depending on your use case and
what you want to do with the flash drive. For instance, you could use
TrueCrypt or something like that to make an encrypted partition on the
flash drive and put a cert in the partition to use to identify the
flash drive, or just encrypt the whole flash drive. There are
downsides to this and reasons why it wouldn't work for specific use cases.

On Fri, Apr 6, 2012 at 8:00 AM, <security101-request at lists.owasp.org> wrote:
> I need to identify a USB stick uniquely and I have been trying to find out whether using just hardwareID is enough?
> I have heard of a driver that lets you emulate a USB device and set that ID, but quick googling didn't give any results. Does anybody know of something like that? Is it possible (for someone with mediocre hacking skills) to manipulate these values? Is there a better way to uniquely identify that device?
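
The reply above suggests identifying the drive by a credential stored in an encrypted partition instead of by its hardware ID. The following is an added example, not code from the original thread: it contrasts the two checks, using a random secret in place of a certificate to stay within the Python standard library. The file name, labels, and sample ID are assumptions, and two temporary directories stand in for unlocked volumes.

```python
import hashlib
import hmac
import secrets
import tempfile
from pathlib import Path
from typing import Optional

KEY_FILE = "device.key"  # hypothetical file name inside the unlocked volume


def enroll(volume: Path, registry: dict, label: str) -> None:
    """Put a fresh 256-bit secret on the stick; the host stores only its hash."""
    secret = secrets.token_bytes(32)
    (volume / KEY_FILE).write_bytes(secret)
    registry[label] = hashlib.sha256(secret).hexdigest()


def identify_by_secret(volume: Path, registry: dict) -> Optional[str]:
    """Return the enrolled label whose stored hash matches the stick's secret."""
    try:
        secret = (volume / KEY_FILE).read_bytes()
    except OSError:
        return None  # no credential on this volume
    digest = hashlib.sha256(secret).hexdigest()
    for label, expected in registry.items():
        if hmac.compare_digest(digest, expected):
            return label
    return None


def identify_by_hardware_id(reported_id: str, id_registry: dict) -> Optional[str]:
    """The weak check: trusts whatever ID string the device reports."""
    return id_registry.get(reported_id)


def demo():
    hw_id = "CONSTRUCTED-SERIAL-0001"  # constructed sample value
    with tempfile.TemporaryDirectory() as genuine, tempfile.TemporaryDirectory() as other:
        secrets_reg, ids_reg = {}, {hw_id: "stick-A"}
        enroll(Path(genuine), secrets_reg, "stick-A")
        # A second device reports the same ID but holds no enrolled secret.
        return (
            identify_by_hardware_id(hw_id, ids_reg),
            identify_by_secret(Path(other), secrets_reg),
            identify_by_secret(Path(genuine), secrets_reg),
        )


if __name__ == "__main__":
    print(demo())
```

The secret is only as well protected as the encrypted volume that holds it: anyone who can unlock and copy the volume can copy the credential too.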