
Re: USB Examiner Package? Special USB Kernel Modules?



On 26/11/2019 16:37, Kenneth Parker wrote:
> Here's an interesting one: A Windows friend handed me a USB Dongle,
> knowing that I'm a Linux user. He says he got it 3rd hand, with info that
> it might be "Very Dangerous". He would be interested, if I find out
> something about it. (And, indeed, Google has many hits on "USB Malware").
> So, what I want, is a USB Debugging Package, that will *NOT* attempt to,
> actually open this device, but will give me information about it.
> Obviously, this has to be handled carefully because, for one, it's not
> always obvious which USB goes where.
> For example, before I plug it in, "lsusb" should not show anything plugged
> in. End of preliminaries. When I plug in something, (i.e. Serial Mouse in Text
> Only environment, or a USB Thumb Drive), a Flurry of Activity ensues, with
> lots of Kernel Messages (and before I get to examine it). Does that mean
> I have to make a Custom Kernel for this, or limit the Kernel Modules used?
> Any insights so far?

I take it that you are aware that there are malicious USB devices that look like thumb drives and can:

(1) impersonate an HID (e.g. keyboard), fingerprint the host, open a terminal, and start typing at maximum rate to download malicious software (hence your interest in disabling kernel USB support), or

(2) deliver a high voltage to the USB bus to inflict physical damage.

At the least, I hope you have watched all USB-related DEFCON videos on YouTube, especially those on BadUSB. One or two were enough for me to never want to use a USB thumb drive of unknown provenance. That is all I know.

Kind regards,

--
Ben Caradoc-Davies <ben@transient.nz>
Director
Transient Software Limited <https://transient.nz/>
New Zealand
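
Added example, not part of the original message or thread: a parser that walks a raw USB descriptor blob and reports when a device that presents itself as storage also declares an HID interface, the impersonation case in point (1) above. The descriptor bytes, the vendor/product IDs and the function names are constructed for illustration.

```python
import struct

DT_DEVICE, DT_INTERFACE = 0x01, 0x04      # standard descriptor type codes
CLASS_HID, CLASS_STORAGE = 0x03, 0x08     # bInterfaceClass values

# Constructed sample: a "thumb drive" exposing storage plus a boot keyboard.
SAMPLE = bytes.fromhex(
    "12 01 00 02 00 00 00 40 34 12 78 56 00 01 01 02 03 01"  # device
    "09 02 39 00 02 01 00 80 32"                              # configuration
    "09 04 00 00 02 08 06 50 00"                              # if 0: storage
    "07 05 81 02 00 02 00" "07 05 02 02 00 02 00"             # bulk endpoints
    "09 04 01 00 01 03 01 01 00"                              # if 1: HID
    "09 21 11 01 00 01 22 3f 00" "07 05 83 03 08 00 0a")      # HID desc, ep

def parse_descriptors(blob):
    """Return (idVendor, idProduct, [(class, subclass, protocol), ...])."""
    vid = pid = None
    interfaces = []
    off = 0
    while off < len(blob):
        # Every descriptor starts with bLength, bDescriptorType.
        if off + 2 > len(blob) or blob[off] < 2 or off + blob[off] > len(blob):
            raise ValueError(f"malformed descriptor at offset {off}")
        length, dtype = blob[off], blob[off + 1]
        if dtype == DT_DEVICE and length >= 18:
            vid, pid = struct.unpack_from("<HH", blob, off + 8)
        elif dtype == DT_INTERFACE and length >= 9:
            interfaces.append(tuple(blob[off + 5:off + 8]))
        off += length                     # skip endpoint/HID/other descriptors
    return vid, pid, interfaces

def findings(interfaces):
    """List reasons a device claiming to be storage deserves suspicion."""
    classes = {cls for cls, _, _ in interfaces}
    notes = []
    if CLASS_HID in classes:
        notes.append("HID interface present: device can inject input")
    # Subclass 1 / protocol 1 is the HID boot keyboard; non-boot keyboards
    # report 0/0 and are only identifiable from the HID report descriptor.
    if (CLASS_HID, 1, 1) in interfaces:
        notes.append("boot keyboard declared")
    if {CLASS_HID, CLASS_STORAGE} <= classes:
        notes.append("composite storage + HID")
    return notes

if __name__ == "__main__":
    vid, pid, ifs = parse_descriptors(SAMPLE)
    print(f"{vid:04x}:{pid:04x}", ifs, findings(ifs))
```

A clean result only covers what the device declared at that enumeration; it says nothing about the electrical risk in point (2).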

