Google's Project Zero team is responsible for detecting security loopholes. In a recent discovery, the team revealed that Google Chrome OS is prone to a severe USB vulnerability.
The team detected this loophole, flagged it as highly vulnerable, and reported the issue to the Chrome OS team in February.
Besides detecting flaws in Google’s products, the Project Zero team has also discovered critical security loopholes in other products.
Earlier, the team detected security flaws in Windows, iPhone, and GitHub. The team gives the platform a 90-day notice period before a security flaw is publicly exposed.
What’s the Exact Issue?
The Google Project Zero team detected this Chrome OS bug and made it public when the vendor failed to take the necessary action within 90 days. Google’s USBGuard neither allows nor authenticates USB devices of a particular class when the screen is locked.
However, incorrect configurations can cause unauthenticated USB devices to gain access to your PC's storage and kernel.
It means that even when an unauthenticated USB device is blocked on the locked screen, other devices can still get through: the attacker can change the kernel on the attacking device so that it does not show up as a USB device of the blocked class.
The Chrome OS team showed its progress on this flaw on May 11 but was unsuccessful in resolving it. After the 90-day period was completed, the issue was made public on May 24.
What does Google Project Zero Team have to say?
One of the researchers of the Google Project Zero team said, “The Kernel often does not care what USB class a device claims to be. The way USB drivers tend to work, even for standardized protocols, is that the drivers specify with a low priority that they would like to bind to standards-compliant devices using the proper USB interface class, but also specify with high priority that they would like to bind to specific USB devices based on vendor ID and product ID, without caring about their USB interface class.”
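The binding behaviour described in the quote can be audited from the defender's side. The following is an added example, not code from Project Zero or Chrome OS: it parses USB entries in the Linux `modules.alias` format and lists the drivers that match on vendor ID and product ID while accepting any interface class, which are the drivers a class-based allowlist does not constrain. The sample aliases, module names and IDs are constructed for illustration.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample in Linux modules.alias format; the module names and IDs are
# made up for illustration and are not taken from Chrome OS or any real system.
SAMPLE = """\
alias usb:v*p*d*dc*dsc*dp*ic08isc06ip50in* sample_storage
alias usb:v*p*d*dc*dsc*dp*ic03isc*ip*in* sample_hid
alias usb:v1234p5678d*dc*dsc*dp*ic*isc*ip*in* sample_net
alias usb:v1234pABCDd*dc*dsc*dp*icFFisc*ip*in* sample_serial
alias pci:v00008086d00001234sv*sd*bc*sc*i* sample_pci
"""

V = r"([^a-z\s]+)"  # field values: uppercase hex, digits, '*' or a glob range
USB_ALIAS = re.compile(
    rf"^alias usb:v{V}p{V}d{V}dc{V}dsc{V}dp{V}ic{V}isc{V}ip{V}(?:in{V})?\s+(\S+)$")

def parse_usb_aliases(text):
    """Return one dict per USB alias line: vendor, product, interface class, module."""
    rules = []
    for line in text.splitlines():
        m = USB_ALIAS.match(line.strip())
        if m:  # non-USB lines (for example pci:) are skipped
            rules.append({"vid": m[1], "pid": m[2], "ic": m[7], "module": m[11]})
    return rules

def class_blind_rules(rules):
    """Rules keyed on a specific vendor/product ID that accept any interface class."""
    return [r for r in rules
            if "*" not in r["vid"] and "*" not in r["pid"] and r["ic"] == "*"]

def modules_for(rules, vid, pid, iface_class):
    """Modules whose alias matches a device with these IDs and claimed class."""
    return [r["module"] for r in rules
            if fnmatchcase(vid, r["vid"]) and fnmatchcase(pid, r["pid"])
            and fnmatchcase(iface_class, r["ic"])]

RULES = parse_usb_aliases(SAMPLE)
```

On a Linux system the same functions can be run over `/lib/modules/$(uname -r)/modules.alias`; any driver returned by `class_blind_rules` needs to be covered by vendor and product ID rules rather than by interface class alone.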