2.32. Accessing USB Devices Exposed Over the Network with USB/IP

Oracle VM VirtualBox supports passing through USB devices that are exposed over the network using the USB over IP protocol, without the need to configure the client side provided by the kernel and the usbip tools. Furthermore, this feature works with Oracle VM VirtualBox running on any supported host, not just on Linux, as is the case with the official client.

To enable support for passing through USB/IP devices, use the following command to add the device server that exports the devices:

$ VBoxManage usbdevsource add unique-name --backend USB-IP --address device-server[:port]

USB devices exported on the device server are then accessible through the GUI or VBoxManage, like any USB devices attached locally. This command can be used multiple times to access different device servers.

To remove a device server, the following command can be used:

$ VBoxManage usbdevsource remove unique-name

2.32.1. Setting up USB/IP Support on a Linux System

This section gives a brief overview of how to set up a Linux-based system to act as a USB device server. The system on the server requires that the usbip-core.ko and usbip-host.ko kernel drivers are available, and that the USB/IP tools package is installed. The particular installation method for the necessary tools depends on which distribution is used. For example, for Debian-based systems, use the following command to install the required tools:

# apt-get install usbip-utils

To check whether the necessary tools are already installed, use the following command:

$ usbip list -l

This should produce output similar to that shown in the example below:

 - busid 4-2 (0bda:0301)
   Realtek Semiconductor Corp. : multicard reader (0bda:0301)

 - busid 5-1 (046d:c52b)
   Logitech, Inc. : Unifying Receiver (046d:c52b)

If everything is installed, the USB/IP server needs to be started as root using the following command:

# usbipd -D

See the documentation for the installed distribution to determine how to start the service when the system boots.

By default, no device on the server is exported. This must be done manually for each device. To export a device use the following command:

# usbip bind -b "bus identifier"

To export the multicard reader in the previous example:

# usbip bind -b 4-2

2.32.2. Security Considerations

The communication between the server and client is unencrypted and there is no authorization required to access exported devices. An attacker might sniff sensitive data or gain control over a device. To mitigate this risk, the device should be exposed over a local network to which only trusted clients have access. To access the device remotely over a public network, a VPN solution should be used to provide the required level of security protection.
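
Because exported devices can be accessed without authorization, one way to limit exposure is to bind only devices whose vendor:product ID is on an allowlist, using the "usbip list -l" output format shown in Section 2.32.1. The following script is an added example and is not part of the Oracle VM VirtualBox documentation; the function names select_busids and export_allowlisted and the space-separated allowlist format are assumptions of this example.

```shell
#!/bin/sh
# Added example: export only allowlisted USB devices over USB/IP.
# Function names and the allowlist format are assumptions of this example.

# Constructed sample in the format of `usbip list -l` shown in Section 2.32.1.
SAMPLE_LIST=' - busid 4-2 (0bda:0301)
   Realtek Semiconductor Corp. : multicard reader (0bda:0301)

 - busid 5-1 (046d:c52b)
   Logitech, Inc. : Unifying Receiver (046d:c52b)
'

# select_busids "vid:pid vid:pid ..."
# Reads `usbip list -l` output on stdin and prints the bus identifier of
# every device whose vendor:product ID is in the allowlist, one per line.
select_busids() {
    awk -v allow="$1" '
        BEGIN {
            n = split(tolower(allow), ids, " ")
            for (i = 1; i <= n; i++) ok[ids[i]] = 1
        }
        # Only the " - busid <id> (<vid>:<pid>)" header lines carry the mapping.
        $1 == "-" && $2 == "busid" {
            id = tolower($4)
            gsub(/[()]/, "", id)
            # Accept only well-formed values before they reach a root command.
            if ($3 ~ /^[0-9]+-[0-9]+(\.[0-9]+)*$/ &&
                id ~ /^[0-9a-f]+:[0-9a-f]+$/ &&
                length(id) == 9 && index(id, ":") == 5 && (id in ok))
                print $3
        }'
}

# export_allowlisted "vid:pid ..."  (run as root on the device server)
# Binds each allowlisted device; every other device stays unexported.
export_allowlisted() {
    usbip list -l | select_busids "$1" | while read -r busid; do
        usbip bind -b "$busid"
    done
}
```

For the multicard reader in the earlier example, running export_allowlisted "0bda:0301" as root binds bus identifier 4-2 and leaves the Unifying Receiver unexported.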