I want to have code which checks if a certain USB flash memory is connected to my system. I mean I want to fetch something like the product ID and serial number from the USB flash memory which is connected to my Linux-based system and check if these numbers match my valid numbers. I also want to know: is there a way that someone can fake these numbers? I mean, someone uses an invalid flash memory device and generates these numbers to pass my validation process?
Answer 1:
USB devices are described in the kernel pseudofile hierarchy at /sys/bus/usb/devices/. Tools like lsusb examine this hierarchy. Each device, including USB hubs and ports your computer provides, is listed here, one device per symlink/directory.
Each device directory may contain the following interesting files:
idVendor (vendor code, four hexadecimal characters)
idProduct (product code, four hexadecimal characters)
manufacturer (vendor string as reported by the device)
product (product string as reported by the device)
serial (serial number string as reported by the device)
Only those that are distinguishable as separate devices have the files (the exact definition is USB jargon I've personally never bothered to find out), so not all directories have them.
However, if you scan all /sys/bus/usb/devices/*/ directories with idVendor and idProduct files, you obtain the list of all USB devices attached to the current computer; similar to the list lsusb provides.
It is trivial to clone a USB device's vendor and product codes, as well as manufacturer, product, and serial strings. All it requires is a microcontroller with a native USB interface, and you can buy suitable microcontroller boards that fit in a typical USB dongle, for under $20. It is quite easy to do, too; you only need to tweak a little bit of freely available example code on the net, to do exactly this. No expert needed, just a bit of curiosity, Google-Fu, and basic C skills suffice.
So no, you cannot rely on those details for security purposes.
You could instead use a "key file" or a "license file" on the USB stick to identify the USB stick holder to your application. However, that'd be trivial to bypass, if users copy their key files to others. They often do.
It is possible to use a cheap microcontroller with a microSD interface to double as a USB memory stick, but also provide other USB endpoints: one physical chip can show up as more than one USB device. You could verify the authenticity of the microcontroller/storage via e.g. HID messages (having one of those extra USB endpoints be a HID device, for example a keyboard). Such devices can be built from off-the-shelf parts for under $30 (retail, much less if bought in bulk); adding a USB-stick-like enclosure and a 2-8 GB microSD card would not make them too expensive. That would avoid key copying, but stealing the physical key, or reverse-engineering it (given either the application binaries, or an example key), would still not be that difficult: all it would need is comparable hardware, and a bit more work.
In short, security dongles have always been more of a nuisance to the users than a real hindrance to those who wish to break the security. Just like physical keys, USB keys are not that difficult to clone.
Perhaps you should rethink your business strategy instead?
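
The sysfs scan described in the answer above, as an added example (not code from the original post): it lists the directories that carry idVendor and idProduct files and compares vendor, product and serial against an allowlist. The function names, the allowlist format and the sample values are assumptions made for this example; as the answer notes, the device reports all of these values itself, so a match identifies a device but does not authenticate it.

```python
from pathlib import Path

SYSFS_USB = Path("/sys/bus/usb/devices")
FIELDS = ("idVendor", "idProduct", "manufacturer", "product", "serial")

def read_attr(dev_dir, name):
    """Return the stripped contents of a sysfs attribute, or None if absent."""
    try:
        return (dev_dir / name).read_text(errors="replace").strip()
    except OSError:
        return None

def list_usb_devices(root=SYSFS_USB):
    """Yield one dict per directory that has both idVendor and idProduct."""
    for dev_dir in sorted(Path(root).iterdir()):
        info = {field: read_attr(dev_dir, field) for field in FIELDS}
        if info["idVendor"] is None or info["idProduct"] is None:
            continue  # interface entries such as 1-1:1.0 lack these files
        info["path"] = dev_dir.name
        yield info

def find_allowed(allowed, root=SYSFS_USB):
    """Return attached devices whose (vendor, product, serial) is allowlisted."""
    # Hex codes are compared case-insensitively; serial strings exactly.
    wanted = {(v.lower(), p.lower(), s) for v, p, s in allowed}
    return [d for d in list_usb_devices(root)
            if (d["idVendor"].lower(), d["idProduct"].lower(), d["serial"]) in wanted]

def build_sample_tree(root):
    """Write a constructed sysfs-like tree (made-up values) for offline runs."""
    sample = {
        "usb1": {"idVendor": "ffff", "idProduct": "0001"},           # hub, no serial
        "1-1": {"idVendor": "abcd", "idProduct": "1234",
                "product": "Sample Stick", "serial": "CONSTRUCTED0001"},
        "1-1:1.0": {"bInterfaceClass": "08"},                        # interface entry
    }
    for name, attrs in sample.items():
        (Path(root) / name).mkdir(parents=True)
        for attr, value in attrs.items():
            (Path(root) / name / attr).write_text(value + "\n")

if __name__ == "__main__":
    allowed = [("abcd", "1234", "CONSTRUCTED0001")]  # constructed allowlist entry
    if SYSFS_USB.is_dir():
        for dev in find_allowed(allowed):
            print("matched", dev["path"], dev["product"])
```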