[OWASP-Security101] uniquely identifying USB device

Dave Hylands dhylands at mozilla.com
Wed Apr 11 06:50:15 UTC 2012


Hi Erki,

> I need to identify a USB stick uniquely and I have been trying to
> find out whether using just the hardwareID is enough?
> I have heard of a driver that lets you emulate a USB device and set
> that ID, but quick googling didn’t give any results. Does anybody
> know of something like that? Is it possible (for someone with
> mediocre hacking skills) to manipulate these values? Is there a
> better way to uniquely identify that device?

So here's a page that uses a readily available HW device to spoof VID and PID, and presumably with some minor changes you could spoof any of the other fields as well.
http://seclists.org/pauldotcom/2010/q3/111

USB devices are supposed to have unique serial numbers, but not every device has a unique VID/PID/serial (i.e. not all manufacturers actually follow this, and you wind up with devices that are not unique).

Also, devices for allowing, say, an SD card to be used in a USB slot won't necessarily present a unique serial number for different MMC cards.

What are you trying to do?

Dave Hylands
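
Added example, not part of the original message: a Python audit that checks whether the VID/PID/serial values reported by attached devices are actually unique, flagging devices with no serial and devices sharing one tuple. It assumes a Linux host exposing `idVendor`, `idProduct` and `serial` under `/sys/bus/usb/devices`; `audit_usb_ids` and `build_sample_tree` are hypothetical names and the sample descriptor values are constructed.

```python
import os
import tempfile
from collections import defaultdict

def read_attr(dev_dir, name):
    """Return a sysfs attribute as stripped text, or None if absent or empty."""
    try:
        with open(os.path.join(dev_dir, name)) as f:
            return f.read().strip() or None
    except OSError:
        return None

def audit_usb_ids(sysfs_root="/sys/bus/usb/devices"):
    """Group devices by (VID, PID, serial) and report IDs that cannot be unique."""
    by_id = defaultdict(list)
    no_serial = []
    for entry in sorted(os.listdir(sysfs_root)):
        dev_dir = os.path.join(sysfs_root, entry)
        vid = read_attr(dev_dir, "idVendor")
        pid = read_attr(dev_dir, "idProduct")
        if vid is None or pid is None:
            continue  # interface nodes such as "1-1:1.0" carry no device IDs
        serial = read_attr(dev_dir, "serial")
        if serial is None:
            no_serial.append(entry)
        else:
            by_id[(vid, pid, serial)].append(entry)
    collisions = {k: v for k, v in by_id.items() if len(v) > 1}
    return {"no_serial": no_serial, "collisions": collisions}

def build_sample_tree():
    """Constructed sample data: a fake sysfs tree with made-up descriptor values."""
    root = tempfile.mkdtemp()
    sample = {
        "1-1": ("abcd", "0001", "SN000001"),
        "1-2": ("abcd", "0001", "123456789ABC"),  # same serial reused...
        "2-1": ("abcd", "0001", "123456789ABC"),  # ...on a second unit
        "2-2": ("abcd", "0002", None),            # no serial descriptor
    }
    for name, (vid, pid, serial) in sample.items():
        d = os.path.join(root, name)
        os.makedirs(d)
        for attr, val in (("idVendor", vid), ("idProduct", pid), ("serial", serial)):
            if val is not None:
                with open(os.path.join(d, attr), "w") as f:
                    f.write(val + "\n")
    os.makedirs(os.path.join(root, "1-1:1.0"))  # interface node, no IDs
    return root

if __name__ == "__main__":
    print(audit_usb_ids(build_sample_tree()))
```

A tuple that passes this check is still only what the device reports about itself, so given the spoofing page linked above it is not proof of identity.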

