Attack option with a USB stick
-
Hello everyone,
I have a question regarding an attack option.
This possibility is on my mind and I just wanted to ask;
If an attacker has the possibility to connect a USB stick directly to the pfSense for a short time.
The connection of the stick can be traced in the logs as long as the entry is still there.
However, if this is no longer possible, is there a tool that checks the integrity? Or does this happen during the update?
Sorry for the perhaps stupid question, I would just like to check this as it is a possible attack.
-
@deleted I don't know about a health check for the system.
In general: If someone has physical access to the pfSense, fun starts.
First step: you want to password protect the console (System > Advanced, Admin Access).
-
@deleted said in Attack option with a USB stick:
is there a tool that checks the integrity?
There is a tool, a device actually.
Be assured : FreeBSD, and pfSense, don't ask for it yet.
The solution for software / OS tampering has been found years ago, and hundreds of millions are confronted with it right now : they can't upgrade from Windows 10 to 11 ... and you know why : some of them are using decade old Intel/AMD CPUs that are missing 'some instructions', but most are locked out because : no TPM.
If FreeBSD supports (maybe it does already ?) a TPM and pfSense also, binaries could be signed, and any modification to the system would be impossible. That is, you could probably modify 'something' but the process / (system) would boot anymore. Modifying a core file would trigger a watchdog so it reboots, no harm done, the system goes down and stays down. A firewall powered down is ... a perfect barrier.
Btw : an expensive device like this needs loads of security for obvious reasons. Yet, when you manage to enter into it, there is no pass code, no key, nothing. Sit down, start the engines, and have a go for it.
Same thing for routers, firewalls etc : the golden rule is : if you have physical access to them, all security is gone.
So : restrict access.
Sticking USB drives into devices so bad things happen is a Hollywood thing.
And maybe this can happen as my pfSense and yours are in the living room, surrounded by people that you don't trust at all (pretty awkward already) ... then, yeah, we should do something about it ^^^
Visiting a data-center filled up to the ceiling with servers and stuff like ? That's possible.
Stripping naked first is just one of the initial security checks ... Visiting Fort Knox is easier.
-
@deleted Perhaps a slightly different set of questions is needed.
Does pfSense automount USB devices?
Does pfSense autorun things on USB devices when inserted?
Windows is famous for doing both. I have never tested pfSense in this way. If the first answer is no, then the system is self preserving and safe. However, as others have pointed out, "If I can touch it, I can own it."
Just one example:
https://shop.hak5.org/products/usb-rubber-ducky
-
@AndyRH said in Attack option with a USB stick:
Does pfSense automount USB devices?
Noop.
Afaik, only end-user desktop devices do such things.
The Linux/FreeBSD kernel will detect the USB connection event, get the device ID, and look for a convenient driver.
It's up to the (console) user = pfSense admin to mount the device.
If the device you use for pfSense has an accessible BIOS, you could de-activate all the built-in USB hubs. But then, where do you connect the UPS ?
@AndyRH said in Attack option with a USB stick:
Does pfSense autorun things on USB devices when inserted?
Same as above. If such a concept exists, it would be something for .... Windows ?
FreeBSD, Linux, I tend to say : never.
But hey, admins can do with their system whatever they want.
-
pfSense will look for and pull in a config on a FAT32 partition on a USB stick at boot. That's useful for recovery but also means if a bad actor has physical access to your firewall they could insert a USB stick and power cycle it to load a modified config. Of course you would see that logged. And they would need to know a config that worked there.
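The USB connection events discussed in this thread can be pulled out of the system log while the entries still exist. The script below is an added example, not part of the original posts and not a pfSense tool: it lists storage and keyboard attachments and ignores devices on an allowlist. The log lines are constructed samples modelled on FreeBSD kernel messages, and the allowlisted UPS name and the function names are assumptions.

```shell
#!/bin/sh
# Added example: list USB attach/detach events in FreeBSD-style kernel log lines.
# Assumption: descriptions of devices expected on this firewall, separated by "|".
ALLOWLIST='Example UPS 1500'

# Reads log lines on stdin; prints "kind|timestamp|description" per finding.
usb_events() {
    awk -v allow="$ALLOWLIST" '
    BEGIN { n = split(allow, a, "|"); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    {
        # Find "<driver><unit>: <", e.g. "umass0: <" or "ugen0.4: <".
        if (!match($0, /(ugen|umass|ukbd)[0-9.]+: </)) next
        tag  = substr($0, RSTART, RLENGTH)
        rest = substr($0, RSTART + RLENGTH)
        desc = rest
        sub(/[,>].*/, "", desc)          # keep text up to the first "," or ">"
        if (desc in ok) next             # expected device, e.g. the UPS

        if (tag ~ /^umass/)                  kind = "storage"
        else if (tag ~ /^ukbd/)              kind = "keyboard"
        else if (rest ~ /\(disconnected\)$/) kind = "removed"
        else                                 kind = "attach"
        printf "%s|%s %s %s|%s\n", kind, $1, $2, $3, desc
    }'
}

# Constructed sample input (syslog format); not taken from a real system.
sample_log() {
    cat <<'EOF'
Mar  3 02:14:07 fw kernel: ugen0.3: <Example UPS 1500> at usbus0
Mar  3 09:41:12 fw kernel: ugen0.4: <Generic Flash Disk> at usbus0
Mar  3 09:41:12 fw kernel: umass0 on uhub0
Mar  3 09:41:12 fw kernel: umass0: <Generic Flash Disk, class 0/0, rev 2.00/1.00, addr 4> on usbus0
Mar  3 09:41:13 fw kernel: da0 at umass-sim0 bus 0 scbus2 target 0 lun 0
Mar  3 09:43:50 fw kernel: ugen0.4: <Generic Flash Disk> at usbus0 (disconnected)
Mar  3 11:02:31 fw kernel: ugen0.5: <Example HID Keyboard> at usbus0
Mar  3 11:02:31 fw kernel: ukbd1 on uhub0
Mar  3 11:02:31 fw kernel: ukbd1: <Example HID Keyboard, class 0/0, rev 2.00/1.00, addr 5> on usbus0
EOF
}

sample_log | usb_events
```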
-
Hi everyone,
I'm glad that a few thoughts have come together after all.
Sure, if I have access, then it's over. But that's also the point, so that you can make entries.
I actually imagined it to be like “Hollywood”.
Or rather scenarios along the lines of Stuxnet.
What is possible if you have the option of connecting a stick briefly.
However, if in any case, even if you extend the scenario and you still have a keyboard with you and the menu in your head always needs a restart, this is conspicuous at the latest.
Thank you and I am now quite relaxed.