Security/B2G/USB file-reading API

From MozillaWiki
< Security‎ | B2G
Jump to: navigation, search
Please use "Edit with form" above to edit this page.

Project Info

USB File Reading API
Project Page `
Next Milestone `
Security Resource `


Security Information

Status: OK
Securtiy Approved for Beta Launch?: No
Data Flow Diagram: `
Threat Model: `
Bugs: `
Security Review: `
Final Security Approval: no

Background

This feature allows to a b2g device plugged into a computer via a USB cable to be auto-mounted as a file system. Mounting happens automatically, and the entire contents of the sdcard partition are available.

Open Questions

Is access read-only? If not, what damage could someone do by modifying files? Is this enabled by default, or by enabling a setting?

Architecture Diagram

Not applicable as this scenario is limited to a b2g device communicating with a PC via USB.

Detailed Application Diagram

Not applicable due to the simplistic nature of this scenario.

Data-flow Enumeration

Data-flows depend on the actions taken by the user once the file system is mounted.

Threat Model

ID Title Threat Proposed Mitigations Threat Agent Rating Likelihood Notes Impact Notes
1 Casual data theft User has data stolen by an attacker who has limited physical access Disable mounting device while device is locked Attacker with physical access to the phone mod Requires physical device access Access sensitive data.
2 Casual data tampering User has data modified by an attacker who has limited physical access Limiting file access and permissions Attacker with physical access to the phone mod Requires physical device access Potentially make the phone non-functional
3 Data theft/tampering if device is stolen Attacker has physical possession of the phone for unlimted time, attempting to read or change devices on the phone None - an determined attacker who has the device could likely gain access to the file system regardless of this feature (e.g put the device in download mode). Encryption of the file system is the only protection against this threat, and is outside the scope of this feature. Attacker with physical access to the phone

Authorization Model

Not applicable.

Implementation Requirements

  1. Prevent USB mounting when phone is locked.
  2. Enforce permissions to prevent access to read or modify sensitive files.
  3. Provide a setting to enable/disable feature, consider disabling by default.

Post-review follow-up

  1. Gaia modifies a setting when the phone is locked to prevent UMS. See https://github.com/mozilla-b2g/gaia/pull/1467 for details.
  2. UMS Mounts /sdcard only which is user data only (no system files)
  3. Setting is provided under settings->storage, disabled by default