This OpenWRT package is a USB firewall between your corporate infrastructure and the public domain.
DISCLAIMER - THIS IS STILL A WORK IN PROGRESS
Let's say you work for a serious company, with strict policies and periodic audits. One of your partners puts an important file on his USB stick and wants to share it with you.
Three options are available to you:
- (BAD) plug the stick on your desk, bypassing the policies
- (GOOD) give the stick to your IT department so that they can sanitize it
- (BETTER) plug it into an OpenWRT sandbox with USBleach, use your web browser to pick-up the files
The one and only goal of this project is to bring back the simplicity of USB's file sharing feature, without the flaws.
We considered multiple attacks using USB keys, not all of them are in the scope of this project:
- Physical threats: depends on your hardware, can't be done with soft.
- Mass Storage: we detect bad files and we either sanitize them when we can, or we prevent them from being used.
- Everything else is assumed safe enough to be used on your desktop, but plugging anything else than an USB stick will warn you.
Using this scheme, Bash Bunny, Rubber Ducky, O.MG Cable and BadUSB are blocked: if they "look like" USB keys but are not, you know something is odd.
This project is bundled into an .ipk package, that you can install directly on your OpenWRT box.
USBleach depends on yara, so be sure to install it too.
If you're using a raw OpenWRT:
To Be Done
If you're using an OverTheBox:
$ wget https://github.com/docbleach/USBleach/releases/download/v0.4.12/usbleach_0.6-1_all.ipk
$ opkg install usbleach_0.6-1_all.ipk
git clone https://github.com/docbleach/USBleach.git
cd usbleach
# Start hackingYou have developed a cool new feature ? Fixed an annoying bug ? We would be happy to hear from you !
Edit the file ./luasrc/usbleach/modules/email.lua to set the right domains:
local DEFAULT_DOMAIN = "@gmail.com"
local SMTP_HOST = "your_smtp_server.com"