Revision by Ptheriault (talk | contribs): no edit summary
Revision by Ptheriault (talk | contribs): Initial security review
{{SecTracker
|Component=USB File Reading API
}}
{{SecTrackerItem
|Sectrackerstatus=OK
===Background===
This feature allows a b2g device plugged into a computer via a USB cable to be auto-mounted as a file system. Mounting happens automatically, and the entire contents of the sdcard partition are made available to the host.
Feature Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=737153
Security Review Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=751048
Wiki: Not available.
===Open Questions===
Is access read-only?
If not, what damage could someone do by modifying files?
Is this enabled by default, or by enabling a setting?
===Threat Model===
{|
! ID !! Title !! Threat !! Proposed Mitigations !! Threat Agent !! Rating !! Likelihood !! Notes !! Impact !! Notes
|-
| 1 || Casual data theft || User has data stolen by an attacker who has limited physical access || Disable mounting the device while the device is locked || Attacker with physical access to the phone || mod || || Requires physical device access || || Access sensitive data
|-
| 2 || Casual data tampering || User has data modified by an attacker who has limited physical access || Limiting file access and permissions || Attacker with physical access to the phone || mod || || Requires physical device access || || Potentially make the phone non-functional
|-
| 3 || Data theft/tampering if device is stolen || Attacker has physical possession of the phone for unlimited time, attempting to read or change data on the phone || None: a determined attacker who has the device could likely gain access to the file system regardless of this feature (e.g. put the device in download mode). Encryption of the file system is the only protection against this threat, and is outside the scope of this feature. || Attacker with physical access to the phone || || || || ||
|}
===Authorization Model===
Not applicable.
===Implementation Requirements===
Prevent USB mounting when the phone is locked.
Enforce permissions to prevent access to read or modify sensitive files.
Provide a setting to enable/disable the feature; consider disabling it by default.
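One way to meet the first and third requirements, as an added example written for this review page rather than code from Gaia or Gecko: a small policy state machine (event and field names are hypothetical, not the real settings keys) that exports the sdcard over USB only while the feature setting is on and the lockscreen is not engaged, and revokes the export the moment the phone locks.

```javascript
// Added example, not B2G/Gaia code. Decides whether the sdcard partition may be
// exported to the USB host; all event names and fields are hypothetical.
'use strict';

class UmsPolicy {
  constructor({ enabledByDefault = false } = {}) {
    this.enabled = enabledByDefault;  // the user-facing setting, off by default
    this.locked = true;               // assume locked until the lockscreen says otherwise
    this.usbConnected = false;
    this.exported = false;            // true while the host can see the sdcard
    this.log = [];                    // export/unexport transitions, for auditing
  }

  // Feed one event; returns whether the sdcard is exported afterwards.
  handle(event) {
    switch (event.type) {
      case 'setting-changed':  this.enabled = !!event.enabled; break;
      case 'lock':             this.locked = true; break;
      case 'unlock':           this.locked = false; break;
      case 'usb-connected':    this.usbConnected = true; break;
      case 'usb-disconnected': this.usbConnected = false; break;
      default: throw new Error(`unknown event ${event.type}`);
    }
    return this._apply();
  }

  // Export only while every condition holds; any change that breaks a
  // condition (lock, setting off, cable pulled) unexports immediately.
  _apply() {
    const shouldExport = this.enabled && this.usbConnected && !this.locked;
    if (shouldExport !== this.exported) {
      this.exported = shouldExport;
      this.log.push(shouldExport ? 'export sdcard' : 'unexport sdcard');
    }
    return this.exported;
  }
}

// Scenario from threat 1: a locked phone is plugged into an attacker's machine
// with the feature enabled. Nothing is exported until the owner unlocks it,
// and locking again revokes the host's access.
function demo() {
  const p = new UmsPolicy();
  p.handle({ type: 'setting-changed', enabled: true });
  const whileLocked = p.handle({ type: 'usb-connected' });  // false
  const afterUnlock = p.handle({ type: 'unlock' });         // true
  const afterRelock = p.handle({ type: 'lock' });           // false
  return { whileLocked, afterUnlock, afterRelock, log: p.log };
}
```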