USB Keyboard thoughts...

185 views
Skip to first unread message

Matty South

unread,
Dec 1, 2017, 1:10:07 PM12/1/17
to qubes-users
I love the Qubes project! I've been thinking of ways to improve the security when it comes to USB Keyboards.

I'm sure a lot of us who use Qubes as our day-to-day OS have a nice keyboard attached to the system. Upon plugging in the USB keyboard for the first time, I rightfully got a security warning about the implications of passing USB Keyboard input into dom0 (think USB Rubber Ducky attack among others). OK, I'm on board so far. What surprises me is that I didn't just authorize THIS keyboard to pass through to dom0, I have authorized *ANY* USB keyboard to access dom0. I verified this with other keyboards and even a home-made Rubber Ducky attack using a teensy.

Curious, is there a reason why we don't restrict the authorized USB keyboard based on USB Serial number or even VID or PID. Sure with PID/VID, a physical attacker who knows your brand of keyboard could still pass through keystrokes, but it would still up the bar a little for these style of attacks.

I'm on Version 3.2 so forgive me if this has been addressed in 4.0.

Secondly, I don't want to be the guy begging for improvements, I would like to contribute. Can anyone point me to a good place to start if I want to add this feature? I'm thinking here maybe? https://github.com/QubesOS/qubes-app-linux-usb-proxy

Yethal

unread,
Dec 2, 2017, 12:39:29 PM12/2/17
to qubes-users
All of these values can be forged by the attacker. You may want to try using udev rules to block all keyboards except the ones that were present during boot process. You'd lose the ability to use USB keyboard plugged into a live system but it would also force a potential attacker to reboot your machine in order to use a rubber ducky.

Jean-Philippe Ouellet

unread,
Dec 2, 2017, 3:37:54 PM12/2/17
to Matty South, qubes-users
See https://github.com/QubesOS/qubes-issues/issues/2518

Tai...@gmx.com

unread,
Dec 3, 2017, 12:29:51 AM12/3/17
to Yethal, qubes-users
I would consider purchasing one of unicomps excellent mechanical
keyboards, they don't have re-writable firmware so a malicious computer
can't install a virus (unlike most keyboards) and they are also made in
america thus much more trustworthy.

Truly a pleasure to type on, they are made with the original IBM Model M
tooling.

Yethal

unread,
Dec 3, 2017, 5:17:33 AM12/3/17
to qubes-users
Try Bathroom Epiphanies. These are replacement keyboard controllers for select mechanical keyboards. Fully open source, fully open hardware. Allow full control over the keyboard and the code that it runs.

Robert Fisk

unread,
Dec 3, 2017, 9:19:31 PM12/3/17
to Jean-Philippe Ouellet, Matty South, qubes-users
Hi Matty and all,

I am the developer of the USG hardware firewall mentioned in issue 2518.
On its own this gadget can do most of what you want - it blocks hidden
hubs so a flash drive cannot also supply keystrokes, and it blocks
devices re-enumerating as a keyboard after first enumerating as
something else.

Issue 2518 is about encrypting keystrokes from the keyboard to dom0, so
that a compromised sys-usb cannot sniff or spoof them. Jean-Philippe
suggested borrowing ideas from CrypTech's HSM design, which is worth
looking into. However I don't have time to look into this myself right
now. I would also require help with the qubes-side implementation of
whatever secure channel we choose. You are welcome to look through the
thread and let us know what you think!

Regards,
Robert

cooloutac

unread,
Dec 4, 2017, 7:31:08 PM12/4/17
to qubes-users
I use a usb to ps2 adapter for my keyboard.

Tai...@gmx.com

unread,
Dec 4, 2017, 11:09:24 PM12/4/17
to cooloutac, qubes-users
On 12/04/2017 07:31 PM, cooloutac wrote:

> I use a usb to ps2 adapter for my keyboard.
I assume with the mistaken impression that PS/2 is more secure for some
reason - for the record it sends your keystrokes out on the ground wire.

Robert Fisk

unread,
Dec 5, 2017, 3:39:03 AM12/5/17
to Tai...@gmx.com, cooloutac, qubes-users
Sends keystrokes out? To where? Inquiring minds request further
information / references!

cooloutac

unread,
Dec 12, 2017, 10:24:17 AM12/12/17
to qubes-users

what?

well I'm no expert but with ps/2 keyboard it will be the only thing attached, unlike usb which can have multiple devices on same controller, spoofed as other devices. Is there a better option?

USB to ps/2 adapter works, i apologize if it is a too simple and practical cheap solution. If you are oldschool you probably have some laying around the house.

Tom Zander

unread,
Dec 12, 2017, 11:06:40 AM12/12/17
to qubes...@googlegroups.com, cooloutac
On Tuesday, 12 December 2017 16:24:16 CET cooloutac wrote:
> well I'm no expert but with ps/2 keyboard it will be the only thing
> attached, unlike usb which can have multiple devices on same controller,
> spoofed as other devices. Is there a better option?

The attack modes are two very different ones.

Taiidan is thinking about someone coming in, installing a snooping device
and waiting for you to type something critical.

In contrary your ps2 solution is one which protects against people at any
time entering your OS through compromised (usb) hardware.

Either by giving you a pen, or entering the pen themselves.
It seems that if you drop usb pens in the parking lot of a mall or company,
you have a very very high chance some unsuspecting person will insert it in
their machine.

With the amount of bad USB drivers in the linux tree (not to mention in
Windows) this is a worrying attack allowing the machine to be rooted without
the attacker even being physically present.

sys-usb limits this attack.

> USB to ps/2 adapter works, i apologize if it is a too simple and
> practical cheap solution. If you are oldschool you probably have some
> laying around the house.

I think thats a great solution for the more common attack.

--
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel
Reply all
Reply to author
Forward
0 new messages