How to block USB modem?

Hello,

I have got a HUAWEI USB modem. I need to be able to block modem devices with my device class filter driver. After all the SW was installed for this device, I observed several new devices in the system. One is in the modem class, another one is a virtual COM port and the last one is a virtual network adapter. Then there is a user-mode application, which can connect the modem to the provider's network.
If I block the device in the modem class or disable it in Device Manager, the network is still functional, also connect/disconnect. It seems that object is not used at all. If I disable the virtual COM port or the virtual network adapter, then the network is off. I observed that the user-mode application communicates with one of the COM port driver's DOs. So if I disable the COM port, the application reports the device is not available and I am not able to connect to the network.
My question is, how can I block modems with a device class filter driver? If I register as a class filter driver in the Modems class, then it has no impact. On the other hand, if I register in the Ports class, then I block all LPT and COM ports, since I cannot find the virtual one for the modem. The same for the Network class: I cannot find the right network adapter of the modem. Is there any solution for that?
Thanks.

Why do you want to block the modem? AOL reported that last year, they had
200,000 customers sign up for dial-up access. Is it a security issue? Or
is it just that you don’t want people to use a modem? Without knowing the
problem, there’s no way to know how to answer the question.

SLIP, the Serial Line Internet Protocol, is an IP-over-modem protocol that
has been around since the early 1990s, and lots of people use it.

If you don’t want people to use a modem, don’t install one. If somebody
has one, it might just be because that is their only access to the
Internet, and they are not going to appreciate your attempt to isolate
them.

It also sounds like you are saying that you don't want people to access
the modem except through your software. Why is it critical to deny the
use of the modem to programs other than yours? Note that if your software
opens a serial port, it has already denied access to any other software,
and this behavior is already built in.

Or, it sounds like a project was initiated, has achieved completion, and
due to a serious design oversight now has a problem for which this
proposed solution is nothing but a bad hack. All that discussion about
networks and virtual ports doesn’t explain how blocking access to the
device solves any problem.

I continue to be amazed and/or appalled at the number of people who seem
to want to disable and cripple machines. One response to the “I want to
disable sendinput to my game to prevent people from using macros”
rightfully pointed out that any number of physically handicapped people
would be denied access by such mechanisms. I just observed that it would
be a waste of time. So how does blocking a USB modem stop anyone from
using a modem that isn’t USB-based?

The New Hacker's Dictionary (a repackaging of the MIT Jargon File) offers
the definition:

copy protection - A class of methods for preventing incompetent pirates
from stealing software and legitimate customers from using it. Considered
silly.

I think this can equally apply to the class of questions about “how do I
stop X from happening?” where X is considered a normal behavior by some or
most computer users.

Tell us what goal you want to achieve, and ask how to achieve that goal.
If you ask how to block access to a modem, it means you have decided that
is going to solve your problem. If this is a security issue, I suspect
that there are a couple dozen ways to bypass this once you have spent far
too much time and money implementing it. Don’t ask the question in terms
of an implementation choice (such as a filter driver). State the problem,
and ask if there is a technically-feasible solution to it. The solution
might be a filter driver, or it might be something else. Or it might
simply not be possible. But the people who can answer this question need
to know what the problem is, and why it is a problem. All you told us was
that you need to “block access” to a modem (and perhaps just the one model
you mentioned) and that a couple attempts failed.

I once consulted at a secure site. Their approach to security was epoxy
glue. They glued the keyboard and mouse connectors in place, and then
filled in all the other USB connectors with epoxy. It was expensive to
replace a failed keyboard or mouse (labor cost, primarily) but it was the
only acceptable way to achieve the goal. If you can’t maintain physical
security (not plugging a USB modem in is a good implementation) then the
rest is pointless.
joe


NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

I am working on SW for blocking various removable devices for security reasons. One of them is modems. As an example I took one model from HUAWEI (it is a USB modem). I thought registering my device class filter driver in the Modems class could solve the issue. But I found out that there are no IRPs coming to this device. It means blocking in the Modems class doesn't prevent internet access. Then I disabled the virtual COM port created by HUAWEI. From that moment their user-mode application cannot connect to the internet. But it means I must be hooked on ports, i.e. registered in the Ports class. But I cannot distinguish between their virtual COM port and other, real COM ports. So I will block not only the modem's COM port but all COM and LPT ports in the Ports class. The other solution is to block their virtual network adapter, but again I cannot distinguish it from other network adapters, so then I block all internet access, and that I don't want; I want to block only internet access through modems.
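
A way to tell the modem's virtual COM port and virtual NIC apart from the built-in ones, as an added example that is not part of the thread and not the poster's own code. It assumes the PnpDevice cmdlets (Get-PnpDevice, Get-PnpDeviceProperty, Disable-PnpDevice) that ship with Windows 8.1 and later and an elevated session. The idea is the one the question is missing: the modem, the virtual COM port and the virtual network adapter are all functions of one USB composite device, so walking up to the common parent (DEVPKEY_Device_Parent) isolates them, while a built-in COM port enumerated by ACPI or a PCI NIC is never touched.

```powershell
# Added example, not from the thread. Requires Windows 8.1+ (PnpDevice module)
# and an elevated PowerShell session.
#
# A built-in COM port is enumerated by ACPI (instance id ACPI\PNP0501\...) or
# PCI; the functions a USB modem exposes (Modem, Ports, Net) are enumerated by
# USB and share one parent, the composite device USB\VID_xxxx&PID_xxxx\<serial>.
# Grouping by that parent isolates the modem's COM port and NIC without
# touching every device in the Ports or Net class.

function Get-UsbFunctionDevices {
    # Present devices in the given setup classes that were enumerated over USB,
    # each tagged with the instance id of its enumerating parent.
    param([string[]]$Classes = @('Modem', 'Ports', 'Net'))

    Get-PnpDevice -PresentOnly |
        Where-Object { $Classes -contains $_.Class -and $_.InstanceId -like 'USB\*' } |
        ForEach-Object {
            $parent = (Get-PnpDeviceProperty -InstanceId $_.InstanceId `
                           -KeyName 'DEVPKEY_Device_Parent').Data
            [pscustomobject]@{
                Class        = $_.Class
                FriendlyName = $_.FriendlyName
                InstanceId   = $_.InstanceId
                Parent       = $parent
            }
        }
}

function Get-UsbModemGroups {
    # Groups the USB functions by parent and keeps only parents that expose a
    # Modem-class function; a plain USB-to-serial cable (Ports only) is left alone.
    Get-UsbFunctionDevices |
        Group-Object -Property Parent |
        Where-Object { $_.Group | Where-Object { $_.Class -eq 'Modem' } }
}

function Disable-UsbModemFunctions {
    # Lists (and with -Force disables) every function of every USB modem found.
    # Disabling the Ports and Net functions is what actually cuts the link, as
    # the poster observed; the Modem object is disabled for completeness.
    param([switch]$Force)

    foreach ($group in Get-UsbModemGroups) {
        Write-Host "USB modem parent: $($group.Name)"
        foreach ($dev in $group.Group) {
            Write-Host ("  {0,-5} {1} [{2}]" -f $dev.Class, $dev.FriendlyName, $dev.InstanceId)
            if ($Force) {
                Disable-PnpDevice -InstanceId $dev.InstanceId -Confirm:$false
            }
        }
    }
}

Get-UsbFunctionDevices | Format-Table -AutoSize   # see what is USB-enumerated
Disable-UsbModemFunctions                         # dry run: list only
# Disable-UsbModemFunctions -Force                # really disable the modem's functions
```

Two caveats. If a particular modem's Modem-class object is enumerated by the serial enumerator under the COM port (instance id starting with SERENUM\) rather than directly as a USB function, it will not be in the USB\ set and the grouping should be widened to the parent's vendor id. And disabling a present device is containment, not prevention: a user with administrative rights can re-enable it, and the device still gets a driver stack first, so for "never let it install" the install-restriction policy is the right tool.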

xxxxx@centrum.cz wrote:

I am working on SW for blocking various removable devices for security reasons.

The only reliable way to do that is to fill the USB ports with silicone
sealant.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

> The only reliable way to do that is to fill the USB ports with silicone
> sealant.

You can poke it out with a toothpick. Only epoxy would do.

You can disable automatic installation of certain device classes. OF COURSE, the users must not have administrative privileges.

And how does blocking a USB modem increase security if someone can plug a
modem into an ordinary COM port? It sounds like blocking the COM ports is
a Good Thing in this situation. And if I know the LPT ports are not
blocked, it might take me a week to build a hardware device that takes
printer output and writes it to a flash drive; copy /b business-plan.xls
lpt will give me all the data I want.

Note that it would take me a week; a hardware guy that had all the parts
in inventory could probably assemble it by tomorrow.

Site security is very simple: there shall be NO user-connectable devices
or devices with removable media on the computer. The secure site I was at
had no floppy drives, and the cases were soundly locked so that hard
drives could not be “borrowed” for the weekend. They had no serial ports,
no parallel ports (well, they did, but epoxy works very well for these,
also), and no available USB ports. Entering or leaving the facility with
any portable media was a fireable offense (the employment agreement every
employee signed before they were hired said so) and would result in
immediate arrest followed by a friendly visit by various agents of
three-letter agencies. I was wanded going in and out, and had to turn on
my laptop and disable the wireless. While it was on, they made some
notes, and then informed me that if I enabled wireless, in under 5 minutes
I would be escorted out by armed guards, and if it happened on Monday, I’d
better not have any weekend plans.

If you are serious about security, you have to do things like this. If
you want to give the illusion of caring about security while not actually
doing anything really serious, you install software hacks that are either
incomplete or trivially bypassed.

Oh, yes, make sure all your equipment, including cables and peripherals,
are TEMPEST-certified. And, as repeatedly pointed out, never, ever allow
any users to have admin privileges.
joe

Such installations should be all dumb RDP terminals (minimally configured Windows system with guest-privileged local accounts only) connecting to VMs running on a physically protected server. Those VMs should not have any path to the open Internet. Any local email server should be able to forward to a non-classified email server.

With HDMI and flat panels, interception of video is virtually impossible. If the network TP cables are forced to 1GBaseT rate only, their traffic also practically cannot be intercepted remotely. Although fiber would be even better.

> The only reliable way to do that is to fill the USB ports with silicone sealant.

Not necessarily…

The most obvious solution under, say, Linux in such situation is simply to rebuild a kernel with the right configurations. For example, you don’t want any external USB devices. No worries - you simply rebuild a kernel without USB support, so that entire USB subsystem stack is not even compiled into it. Unless you give users root privileges that are required for kernel installation, there is nothing they can do here. Simple, ugh.

Once we are speaking about Windows, instead of rebuilding the kernel you may simply try to disable/uninstall certain services, effectively reaching the same logical solution. As Alex has pointed out already, the key here is about privileges - as long as you allow users to run as admins all your security measures are doomed to failure…

Anton Bassov

The problem with removing, say, all USB support, is that you can end up
with a system that has no mouse or keyboard. The number of machines with
PS/2 connections for these is diminishing, which is a real pain for me
because my KVM switch doesn’t support USB connections.
joe

> The problem with removing, say, all USB support, is that you can end up with a system that
> has no mouse or keyboard.

Sorry, but physically crippling USB ports by means of sealant or epoxy glue will result in the same scenario, don't you think? Actually, solving the problem by uninstalling services that correspond to certain device classes offers more flexibility. After all, there is no need to remove all USB support, right? For example, imagine that while you don't mind a USB kbd or mouse you still don't want to allow external USB drives of any description. No worries - you can just uninstall USBSTOR and leave the rest intact…

Anton Bassov
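
The two mechanisms mentioned above (refusing installation of certain device classes, which only holds if users are not administrators; and disabling the USBSTOR driver rather than removing it) in registry form, as an added example that is not from the thread and not any poster's code. It assumes an elevated session on a machine whose users are not local administrators. The restriction values are the ones behind the Device Installation Restrictions group policies, the class GUIDs are the standard Modem and Ports setup classes, and USB\VID_XXXX&PID_YYYY is a placeholder to replace with the modem's own hardware id. Denying the composite USB device by hardware id is what stops the COM port and NIC from ever appearing, because they are its child functions; a Modems-class filter, as the poster found, never sees that traffic.

```powershell
# Added example, not from the thread. Run elevated; users must not be local
# admins or they can simply delete these keys again.
#
# HKLM\SOFTWARE\Policies\...\DeviceInstall\Restrictions is the registry side of
# the "Device Installation Restrictions" group policies; Plug and Play consults
# it before installing a driver, so a denied device never gets a driver stack
# at all (no COM port, no NIC), which a class filter driver cannot achieve.

$Restrictions = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'

# Standard device setup classes (the GUIDs from devguid.h / the INF ClassGuid line)
$ClassGuid = @{
    Modem = '{4d36e96d-e325-11ce-bfc1-08002be10318}'
    Ports = '{4d36e978-e325-11ce-bfc1-08002be10318}'   # COM & LPT together; usually too broad
}

function Set-DeviceInstallDeny {
    param(
        [string[]]$Classes     = @(),   # setup class GUIDs to refuse
        [string[]]$HardwareIds = @(),   # hardware/compatible ids to refuse
        [switch]$Retroactive            # also strip devices that are already installed
    )
    New-Item -Path $Restrictions -Force | Out-Null

    # Each list lives in a subkey with values named "1", "2", ...; a DWORD of
    # the same name on the parent key switches the list on.
    $lists = @{ DenyDeviceClasses = $Classes; DenyDeviceIDs = $HardwareIds }
    foreach ($name in $lists.Keys) {
        $items = $lists[$name]
        if (-not $items.Count) { continue }
        $sub = New-Item -Path "$Restrictions\$name" -Force
        $n = 1
        foreach ($item in $items) {
            New-ItemProperty -Path $sub.PSPath -Name ($n++) -Value $item -PropertyType String -Force | Out-Null
        }
        New-ItemProperty -Path $Restrictions -Name $name -Value 1 -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $Restrictions -Name "${name}Retroactive" -Value ([int]$Retroactive.IsPresent) -PropertyType DWord -Force | Out-Null
    }
}

function Disable-UsbStorDriver {
    # Leave usbstor.sys on disk but mark the service disabled (Start = 4), so
    # USB mass-storage devices fail to start while USB keyboards and mice keep working.
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' -Name Start -Value 4 -Type DWord
}

function Get-DeviceInstallDeny {
    # Shows what is currently enforced, for a quick check after applying.
    foreach ($name in 'DenyDeviceClasses', 'DenyDeviceIDs') {
        $enabled = (Get-ItemProperty -Path $Restrictions -Name $name -ErrorAction SilentlyContinue).$name
        $values  = Get-ItemProperty -Path "$Restrictions\$name" -ErrorAction SilentlyContinue
        Write-Host ("{0}: enabled={1}" -f $name, [bool]$enabled)
        if ($values) {
            $values.PSObject.Properties |
                Where-Object { $_.Name -match '^\d+$' } |
                ForEach-Object { Write-Host "  $($_.Value)" }
        }
    }
    $start = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' -Name Start).Start
    Write-Host "USBSTOR Start=$start (4 = disabled)"
}

# Deny the Modem class outright and, because the modem's COM port and NIC are
# child functions of the composite device, deny the composite device itself by
# hardware id. USB\VID_XXXX&PID_YYYY is a placeholder for the real modem's id.
Set-DeviceInstallDeny -Classes $ClassGuid.Modem -HardwareIds 'USB\VID_XXXX&PID_YYYY' -Retroactive
Disable-UsbStorDriver
Get-DeviceInstallDeny
```

Denying by hardware id is per model, which matches the thread's point that there is no class-level handle on "modems that happen to be USB"; a fleet policy would list every approved-for-denial id, or flip to an allow-list (the AllowDeviceClasses/DenyUnspecified side of the same key) so that anything not explicitly approved is refused.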

> And if I know the LPT ports are not blocked, it might take me a week to build a hardware device that takes printer output and writes it to a flash drive

If I register as LowerFilter in class Ports I expect I will be hooked to LPT ports too. The class has description: Ports (COM & LPT).

> Actually, solving the problem by uninstalling services that correspond to certain device classes offers more flexibility.

Is it somewhere documented which services to uninstall to disable certain device classes?

> you can just uninstall USBSTOR

UsbStor is a driver, did you mean to disable it or how to uninstall it?

On 27-Feb-2012 09:17, xxxxx@centrum.cz wrote:

>> Actually, solving the problem by uninstalling services that correspond
>> to certain device classes offers more flexibility.
>
> Is it somewhere documented which services to uninstall to disable
> certain device classes?
>
>> you can just uninstall USBSTOR
> UsbStor is a driver, did you mean to disable it or how to uninstall it?

A simpler idea: What if your software will just detect a forbidden
device/activity and display a big red popup to user, saying that this is
against the IT policy or whatever, and will be reported.

The user should unplug the device (or at least not to use it) and be
prepared to explain to IT when (s)he is back to the office.

Assumed that only legitimate user has access to the computer in
question (by means of secured boot, etc), otherwise the game is over.

– pa
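
The detect-and-report approach pa describes, as an added example that is not from the thread and not pa's code. It assumes PowerShell 3.0 or later (CIM cmdlets), a session that stays alive (a logon script or scheduled task running in the interactive user's session), and that the "forbidden" definition (USB-enumerated devices in the Modem, Ports and Net classes), the event source name and the event id are this example's own choices. The event log entry is the part that gets forwarded to whoever plays "Security Central"; the message box is the big red popup.

```powershell
# Added example, not from the thread. Assumes PowerShell 3.0+ and a session
# that stays alive (logon script / scheduled task in the interactive session).
# The event source name, event id and "forbidden" definition are this example's own.

# Setup classes that count as forbidden when the device is USB-enumerated
$global:ForbiddenClassGuids = @{
    '{4d36e96d-e325-11ce-bfc1-08002be10318}' = 'Modem'
    '{4d36e978-e325-11ce-bfc1-08002be10318}' = 'Ports'
    '{4d36e972-e325-11ce-bfc1-08002be10318}' = 'Net'
}
$global:DevicePolicySource = 'DevicePolicy'   # Application log source, registered once (elevated)

function global:Test-ForbiddenDevice {
    # $Device is a Win32_PnPEntity instance. Built-in COM ports (ACPI\...) and
    # PCI NICs never match; anything in a forbidden class that sits on USB does.
    param([Parameter(Mandatory)]$Device)
    $class = $global:ForbiddenClassGuids[[string]$Device.ClassGuid]   # hashtable keys are case-insensitive
    return [bool]($class -and $Device.PNPDeviceID -like 'USB\*')
}

function global:Send-DeviceAlert {
    param([Parameter(Mandatory)]$Device)
    $msg = "Unauthorized device: $($Device.Name) [$($Device.PNPDeviceID)] on $env:COMPUTERNAME " +
           "by $env:USERNAME. This violates IT policy and has been reported."

    # Machine-side record, collectable by event forwarding or a SIEM.
    # SourceExists can throw for non-admins when it has to search the Security log.
    try   { $canLog = [System.Diagnostics.EventLog]::SourceExists($global:DevicePolicySource) }
    catch { $canLog = $false }
    if ($canLog) {
        Write-EventLog -LogName Application -Source $global:DevicePolicySource `
            -EventId 4001 -EntryType Warning -Message $msg
    }

    # User-side "big red popup" (blocks the event handler until dismissed)
    Add-Type -AssemblyName System.Windows.Forms
    [void][System.Windows.Forms.MessageBox]::Show($msg, 'Device policy violation',
        [System.Windows.Forms.MessageBoxButtons]::OK,
        [System.Windows.Forms.MessageBoxIcon]::Error)
}

function Register-DeviceArrivalWatch {
    # WMI raises __InstanceCreationEvent for every new Win32_PnPEntity; WITHIN is
    # the polling interval in seconds. The -Action block runs on each arrival.
    $query = "SELECT * FROM __InstanceCreationEvent WITHIN 2 WHERE TargetInstance ISA 'Win32_PnPEntity'"
    Register-CimIndicationEvent -Query $query -SourceIdentifier 'DevicePolicyArrival' -Action {
        $dev = $Event.SourceEventArgs.NewEvent.TargetInstance
        if (Test-ForbiddenDevice -Device $dev) { Send-DeviceAlert -Device $dev }
    } | Out-Null
}

# One-time, elevated, so that Write-EventLog has a source to write under:
# New-EventLog -LogName Application -Source $global:DevicePolicySource

Register-DeviceArrivalWatch
# Also catch anything that was already plugged in when the watcher started
Get-CimInstance Win32_PnPEntity |
    Where-Object { Test-ForbiddenDevice -Device $_ } |
    ForEach-Object { Send-DeviceAlert -Device $_ }
# Unregister-Event -SourceIdentifier 'DevicePolicyArrival'   # to stop watching
```

This only works under the assumption pa states: the user cannot kill the watcher or tamper with the machine, which in practice means no local admin rights and a host whose boot and disk are protected. As a deterrent plus audit trail it is honest about what it is; it does not claim to prevent anything.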

> A simpler idea: What if your software will just detect a forbidden device/activity and display a big red
> popup to user, saying that this is against the IT policy or whatever, and will be reported.

Well, I guess this kind of solution, although perfectly reasonable, is not going to satisfy those maximalists who don’t trust anything other than physically disabling ports. Therefore, I offered them a more radical software-based approach, although it may be a bit to the extreme…

Anton Bassov

Presumably, such an action will cause a notification to be sent to
Security Central.

Some years ago, when I was consulting for a company that had contracted
for a device driver, we installed the hardware and driver on a testbed
machine. Fifteen minutes later, IT security showed up wanting to know who
was responsible for installing an unauthorized driver (apparently,
corporate security policy didn't embody the concept of research labs or
software development).

I taught my Systems Programming course at one aerospace corporation (I
can’t say where, but I can say that one afternoon I stood about a mile
from a satellite launch). They got a good price because they said they
would provide the machines in their existing teaching facility.
Everything went fine until the linker ran, at which point security alerts
went out that some software was modifying the contents of a .exe file. In
fact, creation of the file was blocked, and in less than five minutes the
IT security guy showed up wanting to know what was going on. Turns out
that there was no way they would disable the AV software to allow creation
of executable files, not negotiable. So after lunch, the students showed
up carrying each of their development machines from their lab. Everything
worked, until they discovered their NIC cards were not registered on the
subnet, so they couldn’t get out to the Internet. So they had to carry the
machines BACK to their offices every night so they could answer their
email!

I worked in one place where the computers were literally chained to the
floor, and every night, as his last action, the head of IT security went
office-to-office and inventoried each machine by serial number. These
were top-secret workstation prototypes.

I’ve worked in, and trained people for, seriously secure environments.
What it boils down to is (a) never, under any circumstances imaginable,
let a user gain root/admin/sysadmin privileges and (b) you must have
physical security. Software is just far too vulnerable otherwise.
joe

On 2/24/2012 6:53 PM, Tim Roberts wrote:

> xxxxx@centrum.cz wrote:
>> I am working on SW for blocking various removable devices for security reasons.
> The only reliable way to do that is to fill the USB ports with silicone
> sealant.

…don't forget to lock the PC with a good tough physical lock.
Otherwise they can open it and hook up to the internal USB ports.

On 2/25/2012 11:36 AM, xxxxx@flounder.com wrote:

> Oh, yes, make sure all your equipment, including cables and peripherals,
> are TEMPEST-certified.

Ah! – Reminds me… don't forget "optical tempest":

Someone could write a simple program [with anything that’s available
(VBA, WSH, bash, …)] to alter the color of a part of the screen
following the bit pattern of a file. To pick up the sequence all you
need is a small recording device (light sensor, mcu, flash, power) and
stick it [close] to the screen. No WLAN, no HDD or FLASH drive, no
physical intrusion.
(Of course a mobile phone camera would do just as well. But I assume
these are already taken care of.)

To prevent this attack, just completely cover all screens with black
resin. :wink:

> Someone could write a simple program [with anything that's available (VBA, WSH, bash, …)]
> to alter the color of a part of the screen following the bit pattern of a file. To pick up the sequence
> all you need is a small recording device (light sensor, mcu, flash, power) and stick it [close] to the
> screen. No WLAN, no HDD or FLASH drive, no physical intrusion.

Well, as long as you are able to record something somehow the easiest thing is, apparently, Morse code
(or, even better, your own custom variant of it that no one in the world, apart from you, is able to understand). Just take a pencil and start knocking on the table in a certain sequence that corresponds to the data that you want to record, and sound recorder will take care of the rest…

Anton Bassov

> On 2/25/2012 11:36 AM, xxxxx@flounder.com wrote:
>
>> Oh, yes, make sure all your equipment, including cables and peripherals,
>> are TEMPEST-certified.
>
> Ah! – Reminds me… don't forget "optical tempest":

One of the many reasons camera phones may not enter secured areas. This
is part of the “physical security” issue. Without physical security,
other forms don’t matter.

Consider a hard drive which does encryption in its firmware. If I can get
ANY sensor in the plaintext path, there is no security. I helped one site
by being part of the “think tank” for attacks. Filter drivers are the
easiest, but stealing the hard drive and reading pagefile.sys isn’t bad,
and getting an active (in-circuit) or passive (near-circuit) sniffer works
well. The hardware guy on the team asked if they could wait until Monday
for the prototype, because he planned to spend the weekend with his family
(his way of saying , on Thursday, that the effort was near-trivial). Note
that these attacks do require physical access to the machine. He did say
that if we wanted something that sat outside the box, he could have it by
Tuesday, but the DSP software to isolate the disk data might take a month
to write.

> Someone could write a simple program [with anything that's available
> (VBA, WSH, bash, …)] to alter the color of a part of the screen
> following the bit pattern of a file. To pick up the sequence all you
> need is a small recording device (light sensor, mcu, flash, power) and
> stick it [close] to the screen. No WLAN, no HDD or FLASH drive, no
> physical intrusion.
> (Of course a mobile phone camera would do just as well. But I assume
> these are already taken care of.)
>
> To prevent this attack, just completely cover all screens with black
> resin. :wink:

The only truly secure computer is encased in a 5-foot cube of concrete and
buried ten feet deep on an active artillery range. You can say this is
truly secure, providing it has no external connections and is not powered
up. But don’t be surprised when someone demonstrates that this is
insufficient.


NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

Sounds like a personal financial article I recently read in a famous
website titled “Is $4 million enough to retire”. Dang, gotta update my
latest balance sheet to see how far away I am.

Calvin