Do allowing USB Keyboard expose to badusb attacks?
koto...@gmail.com
Yuraeitha
> If a USB keyboard is allowed with /etc/qubes-rpc/policy/qubes.InputKeyboard, does it increase the risk for badusb kind of attacks?
It's been explicitly said by the Qubes developers that it's best to use PS2 keyboard/mouse, or internal laptop keyboards, if possible. Since USB keyboard/mouse poses risk. This "risk" is highly subject to your risk profile and environment, as well as your needs. Really, some people may need to worry much more about badUSB, than other people need to. At least in the current day and age, it might be much more worrysome for more people in the future.
It's my understanding, that all USB devices have firmware memory, even if the device has no computer within it (such as usb headphones or speakers, and yes, keyboards too). Few vendors "lock" the firmware, hench without a lock on the firmware, it can be modified. If the firmware is "locked", then it's likely that the device is immune to badUSB, however, few vendors do this, and it's certainly not a marketing information available when buying either, nor is it industry recommended (although it probably should be).
By that definition, whereever there is USB, there is an unlocked firmware. Whereever there is an unlocked firmnware, there is a risk of USB-exploit. Whereever there is a risk of USB-exploit, there is a risk of badUSB.
- Limit the amount of USB devices that come near your Desktop/Laptop, since even a single bad exposure means you have to throw the machine away to get rid of the badUSB.
- Limit USB to trusted USB devices, don't put in other people's USB devices. BadUSB is like a virus, it can spread from one firmware to the next, and since there is a firmware on both ends, then it can easily spread.
- Only use new USB devices, never use used ones.
- Don't leave your computer or laptop exposed to questionable people, or people you don't know well. For example at work, or in the class-room. Even if you put it to sleep with a password protection when you leave the area, even if you trust it won't be stolen, you should here still worry if someone inserts a badUSB to your machine. If power is on, irregardless if it can boot up or not, then you've been infected the moment firmware talks to each others, and that happens already at BIOS/UEFI level, or even if there is password protection.
- If you got a desktop, then you can put in a USB-PCI card, and whenever you feel your USB might be exposed, you can always throw away the PCI card and buy a new one. Hopefully the badUSB did not spread to other firmwares, but whether that is likely to happen is outside my knowledge area.
Really, if you're careful, then you don't have to worry as much with badUSB in comparison to when being reckless and inserting whatever USB. Think of it like a human infection, you don't go around touching questionable surfaces and then stick your finger in your mouth, right? The same goes to BadUSB, take your precautions, and if done right, then you minimize the risk dramatically. No matter what you do though, there will always be a risk, but the size of the risk is however still very much in your control, you can minimize it.
Tai...@gmx.com
capability for no reason then yes, or if you let random people plug
devices in to your "trusted" usb controller (most boards have two)
I would suggest only buying USB devices where the firmware can only be
re-written externally not internally from the computer.
Unicomp's high quality mechanical keyboards (they are also made in
america not china so they are trustworthy) come with write-locked ROM
firmware as there is no reason to have re-writable firmware on a keyboard.
I am not sure what to buy for a mouse however but unicomp makes a
keyboard with a trackball and another with a pointing stick similar to a
laptop keyboard.
If you purchase a motherboard with libre firmware (not purism) such as
the KCMA-D8 or the (blobs for video and power unfortunately, so open
source but not libre) lenovo g505s laptop you can easily verify that the
firmware has not been fucked around with via a usb attack such as the
intel skylake debug controller exploit.
cooloutac
> If a USB keyboard is allowed with /etc/qubes-rpc/policy/qubes.InputKeyboard, does it increase the risk for badusb kind of attacks?
yes. like yuraeitha said, I use a usb to ps/2 adapter for my keyboard. and when using usb mouse in sys-usb I set screenlock to like 1 min.
Matty South
> If a USB keyboard is allowed with /etc/qubes-rpc/policy/qubes.InputKeyboard, does it increase the risk for badusb kind of attacks?
Yes, it does. I asked a similar question here: https://groups.google.com/forum/#!topic/qubes-users/52d0rqNnVqU
The TLDR I got is that someone is working on a "USG hardware firewall mentioned in issue 2518" to prevent this kind of thing.