Security/B2G/USB file-reading API
|USB File Reading API|
|Securtiy Approved for Beta Launch?:||No|
|Data Flow Diagram:||`|
|Final Security Approval:||no|
This feature allows to a b2g device plugged into a computer via a USB cable to be auto-mounted as a file system. Mounting happens automatically, and the entire contents of the sdcard partition are available.
- Feature Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=737153
- Security Review Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=751048
- Wiki: Not available.
Is access read-only? If not, what damage could someone do by modifying files? Is this enabled by default, or by enabling a setting?
Not applicable as this scenario is limited to a b2g device communicating with a PC via USB.
Detailed Application Diagram
Not applicable due to the simplistic nature of this scenario.
Data-flows depend on the actions taken by the user once the file system is mounted.
|ID||Title||Threat||Proposed Mitigations||Threat Agent||Rating||Likelihood||Notes||Impact||Notes|
|1||Casual data theft||User has data stolen by an attacker who has limited physical access||Disable mounting device while device is locked||Attacker with physical access to the phone||mod||Requires physical device access||Access sensitive data.|
|2||Casual data tampering||User has data modified by an attacker who has limited physical access||Limiting file access and permissions||Attacker with physical access to the phone||mod||Requires physical device access||Potentially make the phone non-functional|
|3||Data theft/tampering if device is stolen||Attacker has physical possession of the phone for unlimted time, attempting to read or change devices on the phone||None - an determined attacker who has the device could likely gain access to the file system regardless of this feature (e.g put the device in download mode). Encryption of the file system is the only protection against this threat, and is outside the scope of this feature.||Attacker with physical access to the phone|
- Prevent USB mounting when phone is locked.
- Enforce permissions to prevent access to read or modify sensitive files.
- Provide a setting to enable/disable feature, consider disabling by default.
- Gaia modifies a setting when the phone is locked to prevent UMS. See https://github.com/mozilla-b2g/gaia/pull/1467 for details.
- UMS Mounts /sdcard only which is user data only (no system files)
- Setting is provided under settings->storage, disabled by default