It appears that Linux will stop supporting USB cellphone tethering?!?

KGIII

I'm still doing a bunch of reading, but I wanted to get this thread started to see the input from others.

Start here:


This is a bad thing, maybe? I'm not sure if this is accurate, or that there's just a new protocol that will be used and that it is limited to just older phones...

One of the ways we get around wireless problems is by telling people to tether their phones via USB so that they can go online long enough to find the drivers needed for their devices. This is a very, very valuable tool. I'd say we suggest this at least once a week for people who are installing their distro of choice only to find out that their wireless hardware won't work without a special driver.

I'm not sure of the ramifications at this point and I think this could use more eyes than my own. If it is as implied, I don't think this is a good path to take. If this is as implied, I hope this choice is reverted and that Linux continues to support the appropriate protocol. USB tethering is a valuable tool. This is like a carpenter throwing out their crosscut saw.
 


Comment from reddit:
For what it's worth, this change didn't happen. It didn't make it into git master and the merge period for 6.7 is closed.

You can check https://github.com/torvalds/linux/commits?author=gregkh and also https://github.com/torvalds/linux/blob/master/drivers/net/usb/rndis_host.c

Alternatively, you could read the Phoronix article cited in the original post, which is dated almost three months ago. The actual article says the commit was pushed to one of gregkh's personal branches (not master), and the article doesn't make any statement about how this is definitely in mainline 6.7. On the other hand, it says "We'll see if Greg KH ends up submitting this as part of the USB changes for the Linux 6.7 kernel merge window." Turns out, that didn't make it in.

And maybe, just maybe, the

Linux To Try Again To Disable All RNDIS Protocol Drivers

rndis = Remote Network Driver Interface Specification is the Microsoft specification......

might just say it all.

All people associated with Linux....in whatever distro they happen to represent, will take any SECURITY threat/risk seriously. Obviously.

No doubt Greg KH has other plans in mind for whatever risk it may or may not pose.

Panic?
No.

I will place trust in the powers that be, to sort it out.
 
It didn't make it into git master and the merge period for 6.7 is closed.

From what I read, it may get into the next master. If not then, then at some point - perhaps for some legitimate security reasons. Specifically, 'BadUSB' reasons (and similar).

But, for now - as in this release - it's not an issue. It looks like it's still on the agenda - unless I'm misreading.

IIUC, it's a matter of security.

We, as the support community, rely on this. Hopefully, it's a nothingburger.

Some additional reading says that some newer Android devices use another protocol and those would still be okay as there's some sort of authentication going on.

It seems to me that they could add something to userland that prompts the user to accept the connection. Right now, anything spoofing that protocol could connect and have kernel-read privileges - which is the security vulnerability that needs to be fixed.

Ripping that out means ripping out the protocol used for USB tethering.

That's a pretty major security concern, so they're gonna address it at some point. That whole 'evil USB found in a parking lot' is a major concern.

IMPORTANT: Even back in the day, as in more than 15 years ago, we'd test our employees by salting the common areas with USB devices that used the autorun (Windows) to pop up a screen that would inform the user that plugging in unknown USB devices was a bad idea. It would also let IT know which seat had done the deed, but was useful as an employee training tool.

We home users don't think too much about it, but this is a risk.

Right now, a USB device can spoof this and read the kernel state among other things. So, they're gonna do something to fix this.

Again, what I read/understood could be wrong.
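
A defender's view of the exposure discussed in the post above, as an added example that is not part of the thread or of the kernel source: it lists USB interfaces that advertise an RNDIS-style class triple, shows which driver bound to them, and reports each root hub's `authorized_default` policy. The class triples are an assumption meant to mirror the matches in `drivers/net/usb/rndis_host.c`, and the `sysfs_root` parameter exists only so the function can be run against a test tree.

```python
import os

# (class, subclass, protocol) as sysfs prints them. Assumption: these mirror the
# interface matches in drivers/net/usb/rndis_host.c; check them against your tree.
RNDIS_TRIPLES = {
    ("02", "02", "ff"),  # CDC ACM-style RNDIS
    ("e0", "01", "03"),  # wireless controller: typical phone tethering
    ("ef", "01", "01"),  # ActiveSync variant
    ("ef", "04", "01"),  # misc-class variant
}

def _read(path):
    """Return a sysfs attribute as lowercase text, or None if absent."""
    try:
        with open(path) as fh:
            return fh.read().strip().lower()
    except OSError:
        return None

def audit_rndis(sysfs_root="/sys/bus/usb/devices"):
    """Return (rndis_interfaces, authorized_default per root hub)."""
    findings, hub_defaults = [], {}
    for name in sorted(os.listdir(sysfs_root)):
        path = os.path.join(sysfs_root, name)
        if name.startswith("usb"):  # root hub: policy for newly attached devices
            hub_defaults[name] = _read(os.path.join(path, "authorized_default"))
            continue
        if ":" not in name:  # device node, not an interface
            continue
        triple = tuple(_read(os.path.join(path, attr)) for attr in
                       ("bInterfaceClass", "bInterfaceSubClass", "bInterfaceProtocol"))
        if triple not in RNDIS_TRIPLES:
            continue
        driver = os.path.join(path, "driver")  # symlink exists only when bound
        findings.append({
            "interface": name,
            "triple": triple,
            "driver": os.path.basename(os.path.realpath(driver))
                      if os.path.exists(driver) else None,
            "authorized": _read(os.path.join(path, "authorized")),
        })
    return findings, hub_defaults

if __name__ == "__main__":
    interfaces, defaults = audit_rndis()
    for hub, value in defaults.items():
        print(f"{hub}: authorized_default={value}")
    for item in interfaces:
        print(item)
```

An `authorized_default` of 1 means a newly attached device is authorized, and drivers bind to it, without any user decision; the kernel's USB authorization attributes are what tools such as USBGuard use to put an allow/deny policy in front of that step.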
 
Awesome read! Thank you
 
