eylenburg / eylenburg.github.io

https://eylenburg.github.io/
Creative Commons Attribution Share Alike 4.0 International

add USB data line control to the AOSP-based OS comparison table #28

Closed thestinger closed 7 months ago

thestinger commented 7 months ago

AOSP has support for USB gadget mode, USB peripherals and USB alternate modes. It also has all the underlying attack surface of the USB protocol itself.

By default, AOSP has USB gadget mode in MTP mode with MTP disabled and requires unlocking to enable MTP via the USB gadget mode menu which also has PTP, MIDI, Webcam, etc. ADB is also a gadget mode, but configured separately and usable at the same time as another mode. This is negligible attack surface by default.

AOSP also has the standard Linux kernel support for USB peripherals, with many kinds enabled. This includes keyboards, mice, joysticks, game controllers, cameras, microphones, ethernet, storage and much more. USB peripherals add a massive amount of attack surface.

Android has a standard USB toggle available in the USB HAL and device administration API. This disables USB peripherals and USB gadget mode, although USB gadget mode is essentially already disabled by default so it mostly means disabling peripherals. This feature does not disable the USB protocol itself or the USB data lines for the USB controller. Most USB attack surface is still present at a firmware and OS level including the very complex USB driver itself, but not drivers for specific peripherals. This feature can be used on any Android 12 or later OS on devices providing the USB HAL toggle feature. It can be used from an app implementing it, and an app can toggle it automatically when locking the device. This will eject currently plugged in USB devices when locking, so it can be delayed until that happens, although that means new USB connections can be made until that happens. LineageOS and CalyxOS use this standard Android feature for this and don't enable it by default. They use the delayed approach for locking which continues allowing new USB devices until the last one is removed, since the standard toggle is either on or off and isn't enabled until that happens.

GrapheneOS provides a USB port control feature with modes for Off, Charging-only, Charging-only while locked, Charging-only while locked except before first unlock (default) and On. This disables USB gadget mode, USB peripherals and USB alternate modes but also disables USB at the USB controller level in hardware to truly disable the data lines. It blocks connecting new devices as soon as the device is locked for the modes relating to unlocking. As soon as the devices connected while locked are disconnected, it gets disabled. It also has the special Off mode for even disabling charging while the OS is enabled to disable the separate USB-PD related data lines and protocol too. That's also at a hardware level. The default allows USB in BFU to support desktop usage, accessibility devices, etc. The expectation is that most users can switch it to "Charging-only while locked" if they don't need that and "Charging-only" if they don't use USB or at least while they aren't using it. "Off" mode is a special mode for high security situations and can be used to do things like disabling USB completely when leaving your home and then turning it back on to "Charging-only" when you get back. This is much different than the standard Android feature.

tl;dr: software-level control for Android 12+ hardware vs. software level control for GrapheneOS with more options. LineageOS, DivestOS, CalyxOS, etc. are just using the standard Android feature in the same way as an app, with the option to delay activating it until the last USB device is disconnected, while notably still completely allowing use of USB until the last device is disconnected, such as allowing connecting via ADB until a USB keyboard is unplugged after locking. The USB port data lines and protocol handling remain active with this. Not sure what you would consider yellow vs. red since the baseline feature is standard and just requires a commonly available app to enable it, but is high level software control only.
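The "standard Android feature" and the "delayed until the last device is disconnected" behaviour described in the comment above can be seen concretely in the public API. The following Java service is an added illustration for this thread; it is not code from this repository, from GrapheneOS, LineageOS, CalyxOS or DivestOS. It assumes the app has been provisioned as device owner (otherwise `setUsbDataSignalingEnabled` throws a `SecurityException`), that the device's USB HAL reports support via `canUsbDataSignalingBeDisabled()`, and that the app runs on Android 12 (API 31) or later. The class name `UsbLockGuardService` is made up for the example.

```java
import android.app.KeyguardManager;
import android.app.Service;
import android.app.admin.DevicePolicyManager;
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.content.IntentFilter;
import android.hardware.usb.UsbManager;
import android.os.Build;
import android.os.IBinder;
import android.util.Log;

// Hypothetical device-owner service (not from any of the projects named in the
// thread). It flips the Android 12+ USB data-signaling toggle off once the device
// is locked AND no USB host-mode peripheral is still attached, and back on when
// the user unlocks. That is the "delayed" policy: anything already plugged in
// keeps working, and new connections remain possible, until the last device is
// removed. The toggle is a software/HAL-level control; it does not power down
// the controller's data lines or stop USB-PD, as the comment above points out.
public class UsbLockGuardService extends Service {
    private static final String TAG = "UsbLockGuard";

    private DevicePolicyManager dpm;
    private UsbManager usb;
    private KeyguardManager keyguard;

    private final BroadcastReceiver receiver = new BroadcastReceiver() {
        @Override
        public void onReceive(Context ctx, Intent intent) {
            // Any of these events can change the answer, so re-evaluate the policy.
            applyPolicy();
        }
    };

    @Override
    public void onCreate() {
        super.onCreate();
        dpm = (DevicePolicyManager) getSystemService(Context.DEVICE_POLICY_SERVICE);
        usb = (UsbManager) getSystemService(Context.USB_SERVICE);
        keyguard = (KeyguardManager) getSystemService(Context.KEYGUARD_SERVICE);

        // SCREEN_OFF / USER_PRESENT can only be received by a dynamically registered
        // receiver; all three are system broadcasts, so the two-argument
        // registerReceiver form is permitted on newer API levels.
        IntentFilter filter = new IntentFilter();
        filter.addAction(Intent.ACTION_SCREEN_OFF);
        filter.addAction(Intent.ACTION_USER_PRESENT);
        filter.addAction(UsbManager.ACTION_USB_DEVICE_DETACHED);
        registerReceiver(receiver, filter);

        applyPolicy();
    }

    @Override
    public void onDestroy() {
        unregisterReceiver(receiver);
        super.onDestroy();
    }

    // Decide whether USB data signaling should be enabled right now.
    // Returns the state that was requested, for logging/testing.
    boolean applyPolicy() {
        if (Build.VERSION.SDK_INT < Build.VERSION_CODES.S) {
            Log.w(TAG, "USB data signaling control requires Android 12+");
            return true;
        }
        if (!dpm.canUsbDataSignalingBeDisabled()) {
            Log.w(TAG, "USB HAL on this device does not support the toggle");
            return true;
        }

        boolean locked = keyguard.isDeviceLocked();
        // getDeviceList() only lists host-mode peripherals; gadget-mode
        // connections (e.g. ADB to a PC) are not visible here, which is exactly
        // why ADB stays usable until the last peripheral is unplugged.
        boolean peripheralsAttached = !usb.getDeviceList().isEmpty();

        // Enabled unless locked with nothing left attached.
        boolean wantEnabled = !locked || peripheralsAttached;

        try {
            if (dpm.isUsbDataSignalingEnabled() != wantEnabled) {
                dpm.setUsbDataSignalingEnabled(wantEnabled);
                Log.i(TAG, "USB data signaling set to " + wantEnabled
                        + " (locked=" + locked + ", attached=" + peripheralsAttached + ")");
            }
        } catch (SecurityException e) {
            Log.e(TAG, "Not a device owner; cannot change USB data signaling", e);
        } catch (IllegalStateException e) {
            Log.e(TAG, "Device refused to change USB data signaling", e);
        }
        return wantEnabled;
    }

    @Override
    public IBinder onBind(Intent intent) {
        return null;
    }
}
```

Two things worth noting when reading this against the comment: the ADB case is visible in the code (gadget-mode connections never appear in `getDeviceList()`, so a plugged-in keyboard keeps the whole USB stack, ADB included, enabled after locking), and nothing in this API path touches the controller or USB-PD, so the kernel USB core and the device's USB firmware remain reachable whenever the toggle is on.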

eylenburg commented 7 months ago

Thank you, I added a row for this.