SoK: "Plug & Pray" Today - Understanding USB Insecurity in Versions 1 Through C

SoK: "Plug & Pray" Today - Understanding USB Insecurity in Versions 1 Through C

USB-based attacks have increased in complexity in recent years. Modern attacks now incorporate a wide range of attack vectors, from social engineering to signal injection. To address these challenges, the security community has responded with a growing set of fragmented defenses. In this work, we su...

Ausführliche Beschreibung

Gespeichert in:
Bibliographische Detailangaben
Hauptverfasser: Jing Tian, Scaife, Nolen, Kumar, Deepak, Bailey, Michael, Bates, Adam, Butler, Kevin
Format: Tagungsbericht
Sprache:eng
Schlagworte:
Authentication
Companies
Data transfer
Ecosystems
Protocols
Security
Type C
Universal Serial Bus
USB
Online-Zugang:Volltext bestellen
Tags: Tag hinzufügen
Keine Tags, Fügen Sie den ersten Tag hinzu!
container_end_page 1047
container_issue
container_start_page 1032
container_title
container_volume
creator Jing Tian
Scaife, Nolen
Kumar, Deepak
Bailey, Michael
Bates, Adam
Butler, Kevin
description USB-based attacks have increased in complexity in recent years. Modern attacks now incorporate a wide range of attack vectors, from social engineering to signal injection. To address these challenges, the security community has responded with a growing set of fragmented defenses. In this work, we survey and categorize USB attacks and defenses, unifying observations from both peer-reviewed research and industry. Our systematization extracts offensive and defensive primitives that operate across layers of communication within the USB ecosystem. Based on our taxonomy, we discover that USB attacks often abuse the trust-by-default nature of the ecosystem, and transcend different layers within a software stack; none of the existing defenses provide a complete solution, and solutions expanding multiple layers are most effective. We then develop the first formal verification of the recently released USB Type-C Authentication specification, and uncover fundamental flaws in the specification's design. Based on the findings from our systematization, we observe that while the spec has successfully pinpointed an urgent need to solve the USB security problem, its flaws render these goals unattainable. We conclude by outlining future research directions to ensure a safer computing experience with USB.
doi_str_mv 10.1109/SP.2018.00037
format Conference Proceeding
fullrecord <record><control><sourceid>ieee_RIE</sourceid><recordid>TN_cdi_ieee_primary_8418652</recordid><sourceformat>XML</sourceformat><sourcesystem>PC</sourcesystem><ieee_id>8418652</ieee_id><sourcerecordid>8418652</sourcerecordid><originalsourceid>FETCH-LOGICAL-i214t-6e980ea1766b1cef89b79d07f6ce2e8eba1abb9eb022b0b6eead47f427d152fa3</originalsourceid><addsrcrecordid>eNotzDtPwzAUQGGDhERbGJlYrjqwpdxrJ7bDBhGPikqN1Ia1spub1qgkKI8h_x4kmM7wSUeIG8IFEab3m3whkewCEZU5E1NKlNWxSpQ5FxOpTBKRRHMppl33iShRpfFErDfN-wPM89NwgDvIWzfOYduUboQIirrktutdXYb6AMXmCZZ1x_uhDf0IoYaPXw1N3QHB9tg2w-EI2ZW4qNyp4-v_zkTx8rzN3qLV-nWZPa6iICnuI82pRXZktPa058qm3qQlmkrvWbJl78h5n7JHKT16zezK2FSxNCUlsnJqJm7_voGZd99t-HLtuLMxWZ1I9QOKs0vN</addsrcrecordid><sourcetype>Publisher</sourcetype><iscdi>true</iscdi><recordtype>conference_proceeding</recordtype></control><display><type>conference_proceeding</type><title>SoK: "Plug &amp; Pray" Today - Understanding USB Insecurity in Versions 1 Through C</title><source>IEEE Electronic Library (IEL)</source><creator>Jing Tian ; Scaife, Nolen ; Kumar, Deepak ; Bailey, Michael ; Bates, Adam ; Butler, Kevin</creator><creatorcontrib>Jing Tian ; Scaife, Nolen ; Kumar, Deepak ; Bailey, Michael ; Bates, Adam ; Butler, Kevin</creatorcontrib><description>USB-based attacks have increased in complexity in recent years. Modern attacks now incorporate a wide range of attack vectors, from social engineering to signal injection. To address these challenges, the security community has responded with a growing set of fragmented defenses. In this work, we survey and categorize USB attacks and defenses, unifying observations from both peer-reviewed research and industry. Our systematization extracts offensive and defensive primitives that operate across layers of communication within the USB ecosystem. Based on our taxonomy, we discover that USB attacks often abuse the trust-by-default nature of the ecosystem, and transcend different layers within a software stack; none of the existing defenses provide a complete solution, and solutions expanding multiple layers are most effective. We then develop the first formal verification of the recently released USB Type-C Authentication specification, and uncover fundamental flaws in the specification's design. Based on the findings from our systematization, we observe that while the spec has successfully pinpointed an urgent need to solve the USB security problem, its flaws render these goals unattainable. We conclude by outlining future research directions to ensure a safer computing experience with USB.</description><identifier>EISSN: 2375-1207</identifier><identifier>EISBN: 1538643537</identifier><identifier>EISBN: 9781538643532</identifier><identifier>DOI: 10.1109/SP.2018.00037</identifier><identifier>CODEN: IEEPAD</identifier><language>eng</language><publisher>IEEE</publisher><subject>Authentication ; Companies ; Data transfer ; Ecosystems ; Protocols ; Security ; Type C ; Universal Serial Bus ; USB</subject><ispartof>2018 IEEE Symposium on Security and Privacy (SP), 2018, p.1032-1047</ispartof><oa>free_for_read</oa><woscitedreferencessubscribed>false</woscitedreferencessubscribed></display><links><openurl>$$Topenurl_article</openurl><openurlfulltext>$$Topenurlfull_article</openurlfulltext><thumbnail>$$Tsyndetics_thumb_exl</thumbnail><linktohtml>$$Uhttps://ieeexplore.ieee.org/document/8418652$$EHTML$$P50$$Gieee$$H</linktohtml><link.rule.ids>309,310,776,780,785,786,792,23909,23910,25118,27902,54733</link.rule.ids><linktorsrc>$$Uhttps://ieeexplore.ieee.org/document/8418652$$EView_record_in_IEEE$$FView_record_in_$$GIEEE</linktorsrc></links><search><creatorcontrib>Jing Tian</creatorcontrib><creatorcontrib>Scaife, Nolen</creatorcontrib><creatorcontrib>Kumar, Deepak</creatorcontrib><creatorcontrib>Bailey, Michael</creatorcontrib><creatorcontrib>Bates, Adam</creatorcontrib><creatorcontrib>Butler, Kevin</creatorcontrib><title>SoK: "Plug &amp; Pray" Today - Understanding USB Insecurity in Versions 1 Through C</title><title>2018 IEEE Symposium on Security and Privacy (SP)</title><addtitle>SP</addtitle><description>USB-based attacks have increased in complexity in recent years. Modern attacks now incorporate a wide range of attack vectors, from social engineering to signal injection. To address these challenges, the security community has responded with a growing set of fragmented defenses. In this work, we survey and categorize USB attacks and defenses, unifying observations from both peer-reviewed research and industry. Our systematization extracts offensive and defensive primitives that operate across layers of communication within the USB ecosystem. Based on our taxonomy, we discover that USB attacks often abuse the trust-by-default nature of the ecosystem, and transcend different layers within a software stack; none of the existing defenses provide a complete solution, and solutions expanding multiple layers are most effective. We then develop the first formal verification of the recently released USB Type-C Authentication specification, and uncover fundamental flaws in the specification's design. Based on the findings from our systematization, we observe that while the spec has successfully pinpointed an urgent need to solve the USB security problem, its flaws render these goals unattainable. We conclude by outlining future research directions to ensure a safer computing experience with USB.</description><subject>Authentication</subject><subject>Companies</subject><subject>Data transfer</subject><subject>Ecosystems</subject><subject>Protocols</subject><subject>Security</subject><subject>Type C</subject><subject>Universal Serial Bus</subject><subject>USB</subject><issn>2375-1207</issn><isbn>1538643537</isbn><isbn>9781538643532</isbn><fulltext>true</fulltext><rsrctype>conference_proceeding</rsrctype><creationdate>2018</creationdate><recordtype>conference_proceeding</recordtype><sourceid>6IE</sourceid><sourceid>RIE</sourceid><recordid>eNotzDtPwzAUQGGDhERbGJlYrjqwpdxrJ7bDBhGPikqN1Ia1spub1qgkKI8h_x4kmM7wSUeIG8IFEab3m3whkewCEZU5E1NKlNWxSpQ5FxOpTBKRRHMppl33iShRpfFErDfN-wPM89NwgDvIWzfOYduUboQIirrktutdXYb6AMXmCZZ1x_uhDf0IoYaPXw1N3QHB9tg2w-EI2ZW4qNyp4-v_zkTx8rzN3qLV-nWZPa6iICnuI82pRXZktPa058qm3qQlmkrvWbJl78h5n7JHKT16zezK2FSxNCUlsnJqJm7_voGZd99t-HLtuLMxWZ1I9QOKs0vN</recordid><startdate>20180723</startdate><enddate>20180723</enddate><creator>Jing Tian</creator><creator>Scaife, Nolen</creator><creator>Kumar, Deepak</creator><creator>Bailey, Michael</creator><creator>Bates, Adam</creator><creator>Butler, Kevin</creator><general>IEEE</general><scope>6IE</scope><scope>6IH</scope><scope>CBEJK</scope><scope>RIE</scope><scope>RIO</scope></search><sort><creationdate>20180723</creationdate><title>SoK: "Plug &amp; Pray" Today - Understanding USB Insecurity in Versions 1 Through C</title><author>Jing Tian ; Scaife, Nolen ; Kumar, Deepak ; Bailey, Michael ; Bates, Adam ; Butler, Kevin</author></sort><facets><frbrtype>5</frbrtype><frbrgroupid>cdi_FETCH-LOGICAL-i214t-6e980ea1766b1cef89b79d07f6ce2e8eba1abb9eb022b0b6eead47f427d152fa3</frbrgroupid><rsrctype>conference_proceedings</rsrctype><prefilter>conference_proceedings</prefilter><language>eng</language><creationdate>2018</creationdate><topic>Authentication</topic><topic>Companies</topic><topic>Data transfer</topic><topic>Ecosystems</topic><topic>Protocols</topic><topic>Security</topic><topic>Type C</topic><topic>Universal Serial Bus</topic><topic>USB</topic><toplevel>online_resources</toplevel><creatorcontrib>Jing Tian</creatorcontrib><creatorcontrib>Scaife, Nolen</creatorcontrib><creatorcontrib>Kumar, Deepak</creatorcontrib><creatorcontrib>Bailey, Michael</creatorcontrib><creatorcontrib>Bates, Adam</creatorcontrib><creatorcontrib>Butler, Kevin</creatorcontrib><collection>IEEE Electronic Library (IEL) Conference Proceedings</collection><collection>IEEE Proceedings Order Plan (POP) 1998-present by volume</collection><collection>IEEE Xplore All Conference Proceedings</collection><collection>IEEE Electronic Library (IEL)</collection><collection>IEEE Proceedings Order Plans (POP) 1998-present</collection></facets><delivery><delcategory>Remote Search Resource</delcategory><fulltext>fulltext_linktorsrc</fulltext></delivery><addata><au>Jing Tian</au><au>Scaife, Nolen</au><au>Kumar, Deepak</au><au>Bailey, Michael</au><au>Bates, Adam</au><au>Butler, Kevin</au><format>book</format><genre>proceeding</genre><ristype>CONF</ristype><atitle>SoK: "Plug &amp; Pray" Today - Understanding USB Insecurity in Versions 1 Through C</atitle><btitle>2018 IEEE Symposium on Security and Privacy (SP)</btitle><stitle>SP</stitle><date>2018-07-23</date><risdate>2018</risdate><spage>1032</spage><epage>1047</epage><pages>1032-1047</pages><eissn>2375-1207</eissn><eisbn>1538643537</eisbn><eisbn>9781538643532</eisbn><coden>IEEPAD</coden><abstract>USB-based attacks have increased in complexity in recent years. Modern attacks now incorporate a wide range of attack vectors, from social engineering to signal injection. To address these challenges, the security community has responded with a growing set of fragmented defenses. In this work, we survey and categorize USB attacks and defenses, unifying observations from both peer-reviewed research and industry. Our systematization extracts offensive and defensive primitives that operate across layers of communication within the USB ecosystem. Based on our taxonomy, we discover that USB attacks often abuse the trust-by-default nature of the ecosystem, and transcend different layers within a software stack; none of the existing defenses provide a complete solution, and solutions expanding multiple layers are most effective. We then develop the first formal verification of the recently released USB Type-C Authentication specification, and uncover fundamental flaws in the specification's design. Based on the findings from our systematization, we observe that while the spec has successfully pinpointed an urgent need to solve the USB security problem, its flaws render these goals unattainable. We conclude by outlining future research directions to ensure a safer computing experience with USB.</abstract><pub>IEEE</pub><doi>10.1109/SP.2018.00037</doi><tpages>16</tpages><oa>free_for_read</oa></addata></record>
fulltext fulltext_linktorsrc
identifier EISSN: 2375-1207
ispartof 2018 IEEE Symposium on Security and Privacy (SP), 2018, p.1032-1047
issn 2375-1207
language eng
recordid cdi_ieee_primary_8418652
source IEEE Electronic Library (IEL)
subjects Authentication
Companies
Data transfer
Ecosystems
Protocols
Security
Type C
Universal Serial Bus
USB
title SoK: "Plug & Pray" Today - Understanding USB Insecurity in Versions 1 Through C
url https://sfx.bib-bvb.de/sfx_tum?ctx_ver=Z39.88-2004&ctx_enc=info:ofi/enc:UTF-8&ctx_tim=2025-02-21T17%3A39%3A36IST&url_ver=Z39.88-2004&url_ctx_fmt=infofi/fmt:kev:mtx:ctx&rfr_id=info:sid/primo.exlibrisgroup.com:primo3-Article-ieee_RIE&rft_val_fmt=info:ofi/fmt:kev:mtx:book&rft.genre=proceeding&rft.atitle=SoK:%20%22Plug%20&%20Pray%22%20Today%20-%20Understanding%20USB%20Insecurity%20in%20Versions%201%20Through%20C&rft.btitle=2018%20IEEE%20Symposium%20on%20Security%20and%20Privacy%20(SP)&rft.au=Jing%20Tian&rft.date=2018-07-23&rft.spage=1032&rft.epage=1047&rft.pages=1032-1047&rft.eissn=2375-1207&rft.coden=IEEPAD&rft_id=info:doi/10.1109/SP.2018.00037&rft_dat=%3Cieee_RIE%3E8418652%3C/ieee_RIE%3E%3Curl%3E%3C/url%3E&rft.eisbn=1538643537&rft.eisbn_list=9781538643532&disable_directlink=true&sfx.directlink=off&sfx.report_link=0&rft_id=info:oai/&rft_id=info:pmid/&rft_ieee_id=8418652&rfr_iscdi=true