On 12/03/2017 09:37 AM, Jean-Philippe Ouellet wrote: > On Fri, Dec 1, 2017 at 1:10 PM, Matty South <matty.so...@gmail.com> wrote: >> I love the Qubes project! I've been thinking of ways to improve the security >> when it comes to USB Keyboards. >> >> I'm sure a lot of us who use Qubes as our day-to-day OS have a nice keyboard >> attached to the system. Upon plugging in the USB keyboard for the first >> time, I rightfully got a security warning about the implications of passing >> USB Keyboard input into dom0 (think USB Rubber Ducky attack among others). >> OK, I'm on board so far. What surprises me is that I didn't just authorize >> THIS keyboard to pass through to dom0, I have authorized *ANY* USB keyboard >> to access dom0. I verified this with other keyboards and even a home-made >> Rubber Ducky attack using a teensy. >> >> Curious, is there a reason why we don't restrict the authorized USB keyboard >> based on USB Serial number or even VID or PID. Sure with PID/VID, a physical >> attacker who knows your brand of keyboard could still pass through >> keystrokes, but it would still up the bar a little for these style of >> attacks. >> >> I'm on Version 3.2 so forgive me if this has been addressed in 4.0. >> >> Secondly, I don't want to be the guy begging for improvements, I would like >> to contribute. Can anyone point me to a good place to start if I want to add >> this feature? I'm thinking here maybe? >> https://github.com/QubesOS/qubes-app-linux-usb-proxy > See https://github.com/QubesOS/qubes-issues/issues/2518 >
Hi Matty and all, I am the developer of the USG hardware firewall mentioned in issue 2518. On its own this gadget can do most of what you want - it blocks hidden hubs so a flash drive cannot also supply keystrokes, and it blocks devices re-enumerating as a keyboard after first enumerating as something else. Issue 2518 is about encrypting keystrokes from the keyboard to dom0, so that a compromised sys-usb cannot sniff or spoof them. Jean-Philippe suggested borrowing ideas from CrypTech's HSM design, which is worth looking into. However I don't have time to look into this myself right now. I would also require help with the qubes-side implementation of whatever secure channel we choose. You are welcome to look through the thread and let us know what you think! Regards, Robert -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/a64e8e14-1378-e0ee-89d2-65433414f17f%40fastmail.fm. For more options, visit https://groups.google.com/d/optout.
