[OWASP-Security101] Security101 Digest, Vol 3, Issue 2

Adam Sheesley asheesley at trone.com
Mon Apr 9 13:12:08 UTC 2012

This covers a basic introduction of USB on a low level:

tl;dr: 9m30s

As to your question, based on what I understand of USB, you're going to have an extremely hard time doing authentication based entirely on the USB spec.

-----Original Message-----
From: security101-bounces at lists.owasp.org [mailto:security101-bounces at lists.owasp.org] On Behalf Of Thomas Stiehm
Sent: Sunday, April 08, 2012 6:11 PM
To: security101 at lists.owasp.org
Subject: Re: [OWASP-Security101] Security101 Digest, Vol 3, Issue 2

Given how cheaply USB sticks are manufactured I would assume that it is within the skills of any mediocre but determined attacker to break any built-in identity system. While it might be possible that the hardware id is entered into some sticks in an unchangeable way, I wouldn't count on that being true for all sticks. These id systems were not designed to be secure, just good enough to assign a drive letter to a flash drive if a user decided to assign it a permanent drive letter. I don't think it can be counted on as part of the security of a system.

I would bet there is a system to emulate USB devices that allow you to set the hardware id but I haven't used them. If there isn't and your attacker has to build one from scratch it is hard but certainly doable (hard as in it will take a good device driver programmer a month or more to do it, 100% within the reach of a financed attacker).

There are other systems you could use depending on your use case and what you want to do with the flash drive. For instance, you could use TrueCrypt or something like that to make an encrypted partition on the flash drive and put a cert in the partition to use to identify the flash drive or just encrypt the whole flash drive. There are down sides to this and reasons why it wouldn't work for specific use cases.


On Fri, Apr 6, 2012 at 8:00 AM,  <security101-request at lists.owasp.org> wrote:

> Hi,
> I need to identify a usb stick uniquely and I have been trying to find out weather using just hardwareID is enough?
> I have heard of a driver that lets you emulate an usb device and set that ID, but quick googleing didn?t give any results. Does anybody know of something like that? Is it possible to (for someone with mediocre hacking skills) to manipulate with these values? Is there a better way to uniquely identify that device?
> Thanks,
> erki
Security101 mailing list
Security101 at lists.owasp.org
List Run By OWASP
List Admin: Michael.Coates at owasp.org

Adam Sheesley
Interactive Programmer, Trone
asheesley at trone.com

Confidentiality Notice: This e-mail communication and any attachments may
contain confidential and privileged information for the use of the designated
recipients named above. If you are not the intended recipient, you are hereby
notified that you have received this communication in error and that any review,
disclosure, dissemination, distribution or copying of it or its contents is
prohibited. If you have received this communication in error, please notify me
immediately by replying to this message and deleting it from your computer.
Thank you.

More information about the Security101 mailing list