
Re: USB Examiner Package? Special USB Kernel Modules?



On Mon, Nov 25, 2019 at 10:37:42PM -0500, Kenneth Parker wrote:
> Here's an interesting one:  A Windows friend handed me a USB Dongle,
> knowing that I'm a Linux user.  He says he got it 3rd hand, with info that
> it might be "Very Dangerous".  He would be interested, if I find out
> something about it.  (And, indeed, Google has many hits on "USB Malware").
> 
> So, what I want, is a USB Debugging Package, that will  *NOT*  attempt to,
> actually open this device, but will give me information about it.
> 
> Obviously, this has to be handled carefully because, for one, it's not
> always obvious which USB goes where.
> 
> For example, before I plug it in, "lsusb" should not show anything plugged
> in.
> 
> -----
> 
> End of preliminaries.  When I plug in something, (i.e. Serial Mouse in Text
> Only environment, or a USB Thumb Drive), a Flurry of Activity ensues, with
> lots of Kernel Messages (and before I get to examine it).   Does that mean
> I have to make a Custom Kernel for this, or limit the Kernel Modules used?
> 
> Any insights so far?

First:
How are you looking at something without opening?
Unless you have some forensic electronics lab, where you can inspect
the underlying hardware, you always have to "open" (aka get a handle) it.

It has been mentioned that there are devices which fry your hardware by
sending high voltage pulses to the host.

Get a Raspberry Pi and set up a USB debug stack there. It's
cheap. If you fry it, it's only $35 you lose.
Insert a udev rule to capture all events (especially "add").

And from there slowly pry your way in.





-- 
Henning Follmann           | hfollmann@itcfollmann.com
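
An added example, not part of the original message: one way to capture the "add" events suggested above, by reading the udev event stream from `udevadm monitor` rather than from a rules file, and listing the interface classes each new device declares. The function names, the HID note and the sample events (with made-up IDs) are constructed for illustration.

```shell
#!/bin/sh
# Added example. Live use on the sacrificial host:
#   udevadm monitor --udev --property --subsystem-match=usb | summarize_usb_adds
# Reads blank-line separated event blocks; prints VID:PID and interface classes.
summarize_usb_adds() {
    awk 'BEGIN { RS = ""; FS = "\n" }
    {
        split("", p)                        # clear properties of previous event
        for (i = 1; i <= NF; i++) {         # KEY=VALUE lines; header has no "="
            eq = index($i, "=")
            if (eq > 1) p[substr($i, 1, eq - 1)] = substr($i, eq + 1)
        }
        if (p["ACTION"] != "add" || p["DEVTYPE"] != "usb_device") next
        # ID_USB_INTERFACES looks like ":030101:080650:" (class/subclass/protocol)
        n = split(p["ID_USB_INTERFACES"], ifs, ":")
        classes = ""; sep = ""; hid = 0
        for (i = 1; i <= n; i++) {
            if (ifs[i] == "") continue
            c = substr(ifs[i], 1, 2)
            classes = classes sep c; sep = ","
            if (c == "03") hid = 1          # class 03 = human interface device
        }
        printf "%s:%s classes=%s%s\n", p["ID_VENDOR_ID"], p["ID_MODEL_ID"],
            classes, (hid ? " NOTE=hid-interface" : "")
    }'
}
# Constructed sample events (made-up IDs), so the script runs offline.
sample_events() {
    cat <<'EOF'
UDEV  [100.000001] add      /devices/platform/usb1/1-1 (usb)
ACTION=add
DEVTYPE=usb_device
ID_VENDOR_ID=1111
ID_MODEL_ID=2222
ID_USB_INTERFACES=:080650:

UDEV  [200.000001] add      /devices/platform/usb1/1-2 (usb)
ACTION=add
DEVTYPE=usb_device
ID_VENDOR_ID=3333
ID_MODEL_ID=4444
ID_USB_INTERFACES=:030101:080650:

UDEV  [300.000001] remove   /devices/platform/usb1/1-1 (usb)
ACTION=remove
DEVTYPE=usb_device
EOF
}
sample_events | summarize_usb_adds
```

Class 08 is mass storage; a device sold as a thumb drive that also declares a class 03 interface will register as an input device once drivers bind.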

