Security/B2G/USB file-reading API
From MozillaWiki
Project Info: USB File Reading API
| Field | Value |
| --- | --- |
| Project Page | |
| Next Milestone | |
| Security Resource | |
Security Information
| Field | Value |
| --- | --- |
| Status | OK |
| Security Approved for Beta Launch? | No |
| Data Flow Diagram | |
| Threat Model | |
| Bugs | |
| Security Review | |
| Final Security Approval | No |
Background
This feature allows a b2g device plugged into a computer via a USB cable to be auto-mounted as a file system. Mounting happens automatically, and the entire contents of the sdcard partition are made available to the computer.
- Feature Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=737153
- Security Review Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=751048
- Wiki: Not available.
Open Questions
Is access read-only? If not, what damage could someone do by modifying files? Is this enabled by default, or by enabling a setting?
Architecture Diagram
Not applicable as this scenario is limited to a b2g device communicating with a PC via USB.
Detailed Application Diagram
Not applicable due to the simplicity of this scenario.
Data-flow Enumeration
Data-flows depend on the actions taken by the user once the file system is mounted.
Threat Model
| ID | Title | Threat | Proposed Mitigations | Threat Agent | Likelihood Rating | Likelihood Notes | Impact Rating | Impact Notes |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 1 | Casual data theft | User has data stolen by an attacker who has limited physical access | Disable mounting while the device is locked | Attacker with physical access to the phone | mod | Requires physical device access | | Access sensitive data. |
| 2 | Casual data tampering | User has data modified by an attacker who has limited physical access | Limit file access and permissions | Attacker with physical access to the phone | mod | Requires physical device access | | Potentially make the phone non-functional |
| 3 | Data theft/tampering if device is stolen | Attacker has physical possession of the phone for unlimited time, attempting to read or change data on the phone | None - a determined attacker who has the device could likely gain access to the file system regardless of this feature (e.g. put the device in download mode). Encryption of the file system is the only protection against this threat, and is outside the scope of this feature. | Attacker with physical access to the phone | | | | |
Authorization Model
Not applicable.
Implementation Requirements
- Prevent USB mounting when phone is locked.
- Enforce permissions to prevent access to read or modify sensitive files.
- Provide a setting to enable/disable the feature; consider disabling it by default.
Post-review follow-up
- Gaia modifies a setting when the phone is locked to prevent UMS. See https://github.com/mozilla-b2g/gaia/pull/1467 for details.
- UMS mounts /sdcard only, which holds user data only (no system files).
- A setting is provided under settings->storage; it is disabled by default.
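The gate that the implementation requirements and the post-review follow-up describe (UMS shared only when the user has enabled it and the phone is not locked, disabled by default) can be modelled as a small settings observer. This is an added example, not Gaia's code; the setting names `ums.enabled` and `lockscreen.locked`, the settings store and the volume object are assumptions made for the model.

```javascript
// Added model of the UMS gate described in the review (not Gaia's code).
// Assumed setting keys: 'ums.enabled' (user preference, default false)
// and 'lockscreen.locked' (true while the lock screen is engaged).

// Minimal observable key/value store standing in for the settings service.
class SettingsStore {
  constructor(initial) { this.values = { ...initial }; this.observers = {}; }
  get(key) { return this.values[key]; }
  set(key, value) {
    this.values[key] = value;
    for (const cb of this.observers[key] || []) cb(value);
  }
  addObserver(key, cb) {
    if (!this.observers[key]) this.observers[key] = [];
    this.observers[key].push(cb);
  }
}

// Stand-in for the /sdcard volume: records every share/unshare transition.
class MockVolume {
  constructor() { this.shared = false; this.log = []; }
  share() { this.shared = true; this.log.push('share'); }
  unshare() { this.shared = false; this.log.push('unshare'); }
}

// Re-evaluates the policy whenever either input changes: the volume is
// exposed over USB only while the user preference is on AND the phone is
// unlocked; locking the phone always withdraws the share.
class UmsGate {
  constructor(settings, volume) {
    this.settings = settings; this.volume = volume;
    settings.addObserver('ums.enabled', () => this.apply());
    settings.addObserver('lockscreen.locked', () => this.apply());
    this.apply();
  }
  apply() {
    const wanted = this.settings.get('ums.enabled') === true &&
                   this.settings.get('lockscreen.locked') !== true;
    if (wanted && !this.volume.shared) this.volume.share();
    else if (!wanted && this.volume.shared) this.volume.unshare();
  }
}

// Replays a list of [key, value] setting changes starting from the secure
// default (UMS off, phone locked) and returns the observed share state.
function runScenario(events) {
  const settings = new SettingsStore({ 'ums.enabled': false, 'lockscreen.locked': true });
  const volume = new MockVolume();
  new UmsGate(settings, volume);
  const trace = [];
  for (const [key, value] of events) { settings.set(key, value); trace.push(volume.shared); }
  return { trace, log: volume.log, shared: volume.shared };
}
```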