#821923 android-tools-adb: udev rules allow raw access to unrelated devices

#821923#5
Date: 2016-04-20 13:24:36 UTC

Dear Maintainer,

I just found out that I could open a few USB devices on my system that I did
not expect to be able to:
- an Intel bluetooth dongle (actually, a mini-PCI-x card exposing bluetooth
  function on USB and wifi on PCI-x)
  VendorID: 0x8087
  udev rule: ATTR{idVendor}=="8087", ENV{adb_user}="yes"
- a Huawei 3G modem USB dongle
  VendorID: 0x12d1
  udev rule: ATTR{idVendor}=="12d1", ENV{adb_user}="yes"
And, last but not least:
- my ThinkPad USB keyboard (actually a USB keyboard with the same layout as
  on a ThinkPad laptop)
  VendorID: 0x17ef
  udev rule: ATTR{idVendor}=="17ef", ENV{adb_user}="yes"

As you can see, none of these is an android device.
I am not a member of the adb group, but because of logind-handled udev device
tags, ACLs are granted to my user on these devices.
I am *not* comfortable with the idea of any process running in my session
being technically allowed to open any USB device, even less my keyboard, for
security reasons which should be blindingly obvious.

Please do not allow such broad udev rules to be installed!

#821923#16
Date: 2018-03-01 09:49:59 UTC

control: reassign -1 android-sdk-platform-tools-common

I agree: ideally, these rules would not have any false positives.  I
have yet to find anywhere a reasonably complete list of USB
vendorId/productId pairs for Android devices.  This is the best I've
found, but it is missing lots of devices:
https://github.com/M0Rf30/android-udev-rules/blob/master/51-android.rules

Any process can already log all your keyboard activity from all
keyboards, so these rules aren't increasing the risk there:
http://techtrickery.com/keyloggers.html

Matching by manufacturer, i.e. vendorId, means we can cover the vast
majority of devices.
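
The vendor-only matching discussed in this report can be audited mechanically. The following is an added example, not part of the original thread or the package's code: it flags rules that set `ENV{adb_user}="yes"` on `idVendor` alone and lists which attached devices each one would tag. The device list, its product IDs and the narrowed fourth rule are constructed for illustration.

```python
import re

# One udev token: KEY{attr} OP "value", e.g. ATTR{idVendor}=="17ef"
TOKEN = re.compile(r'([A-Za-z_]+(?:\{[^}]*\})?)\s*(==|!=|\+=|:=|=)\s*"([^"]*)"')

def parse_rule(line):
    """Split one rule line into match keys (==, !=) and assignment keys."""
    matches, assigns = {}, {}
    if line.lstrip().startswith("#"):          # commented-out rule
        return matches, assigns
    for key, op, value in TOKEN.findall(line):
        (matches if op in ("==", "!=") else assigns)[key] = (op, value)
    return matches, assigns

def is_vendor_only_grant(line):
    """True if the rule sets ENV{adb_user}="yes" on idVendor with no idProduct."""
    matches, assigns = parse_rule(line)
    grants = assigns.get("ENV{adb_user}", ("", ""))[1] == "yes"
    return grants and "ATTR{idVendor}" in matches and "ATTR{idProduct}" not in matches

def rule_applies(line, device):
    """Evaluate the rule's ATTR{} matches against a device's sysfs attributes.
    Literal comparison only; udev glob patterns are not modelled."""
    for key, (op, value) in parse_rule(line)[0].items():
        attr = re.fullmatch(r"ATTR\{(\w+)\}", key)
        if attr is None or (device.get(attr.group(1)) == value) != (op == "=="):
            return False
    return True

def audit(rules, devices):
    """Map each vendor-only grant rule to the attached devices it would tag."""
    return {r: [d["name"] for d in devices if rule_applies(r, d)]
            for r in rules if is_vendor_only_grant(r)}

RULES = [  # first three are quoted in the report; the last is a constructed narrowed rule
    'ATTR{idVendor}=="8087", ENV{adb_user}="yes"',
    'ATTR{idVendor}=="12d1", ENV{adb_user}="yes"',
    'ATTR{idVendor}=="17ef", ENV{adb_user}="yes"',
    'ATTR{idVendor}=="17ef", ATTR{idProduct}=="ffff", ENV{adb_user}="yes"',
]
DEVICES = [  # constructed: vendor IDs from the report, product IDs are placeholders
    {"name": "Intel bluetooth", "idVendor": "8087", "idProduct": "0001"},
    {"name": "Huawei 3G modem", "idVendor": "12d1", "idProduct": "0002"},
    {"name": "ThinkPad USB keyboard", "idVendor": "17ef", "idProduct": "0003"},
]

if __name__ == "__main__":
    for rule, hit in audit(RULES, DEVICES).items():
        print(f"{rule}\n  tags: {', '.join(hit) or 'nothing attached'}")
```

On a live system the attribute values can be read from `/sys/bus/usb/devices/*/idVendor` and `idProduct` instead of the constructed list.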