I love the Qubes project! I've been thinking of ways to improve the security 
when it comes to USB Keyboards. 

I'm sure a lot of us who use Qubes as our day-to-day OS have a nice keyboard 
attached to the system. Upon plugging in the USB keyboard for the first time, I 
rightfully got a security warning about the implications of passing USB 
Keyboard input into dom0 (think USB Rubber Ducky attack among others). OK, I'm 
on board so far. What surprises me is that I didn't just authorize THIS 
keyboard to pass through to dom0, I have authorized *ANY* USB keyboard to 
access dom0. I verified this with other keyboards and even a home-made Rubber 
Ducky attack using a teensy.

Curious, is there a reason why we don't restrict the authorized USB keyboard 
based on USB Serial number or even VID or PID. Sure with PID/VID, a physical 
attacker who knows your brand of keyboard could still pass through keystrokes, 
but it would still up the bar a little for these style of attacks. 

I'm on Version 3.2 so forgive me if this has been addressed in 4.0.

Secondly, I don't want to be the guy begging for improvements, I would like to 
contribute. Can anyone point me to a good place to start if I want to add this 
feature? I'm thinking here maybe? 

You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
For more options, visit https://groups.google.com/d/optout.

Reply via email to