On Wednesday, January 24, 2018 at 11:47:58 AM UTC+1, koto...@gmail.com wrote:
> If a USB keyboard is allowed with /etc/qubes-rpc/policy/qubes.InputKeyboard, 
> does it increase the risk for badusb kind of attacks?

It's been explicitly said by the Qubes developers that it's best to use PS2 
keyboard/mouse, or internal laptop keyboards, if possible. Since USB 
keyboard/mouse poses risk. This "risk" is highly subject to your risk profile 
and environment, as well as your needs. Really, some people may need to worry 
much more about badUSB, than other people need to. At least in the current day 
and age, it might be much more worrysome for more people in the future. 

It's my understanding, that all USB devices have firmware memory, even if the 
device has no computer within it (such as usb headphones or speakers, and yes, 
keyboards too). Few vendors "lock" the firmware, hench without a lock on the 
firmware, it can be modified. If the firmware is "locked", then it's likely 
that the device is immune to badUSB, however, few vendors do this, and it's 
certainly not a marketing information available when buying either, nor is it 
industry recommended (although it probably should be).

By that definition, whereever there is USB, there is an unlocked firmware. 
Whereever there is an unlocked firmnware, there is a risk of USB-exploit. 
Whereever there is a risk of USB-exploit, there is a risk of badUSB.

- Limit the amount of USB devices that come near your Desktop/Laptop, since 
even a single bad exposure means you have to throw the machine away to get rid 
of the badUSB.

- Limit USB to trusted USB devices, don't put in other people's USB devices. 
BadUSB is like a virus, it can spread from one firmware to the next, and since 
there is a firmware on both ends, then it can easily spread.

- Only use new USB devices, never use used ones. 

- Don't leave your computer or laptop exposed to questionable people, or people 
you don't know well. For example at work, or in the class-room. Even if you put 
it to sleep with a password protection when you leave the area, even if you 
trust it won't be stolen, you should here still worry if someone inserts a 
badUSB to your machine. If power is on, irregardless if it can boot up or not, 
then you've been infected the moment firmware talks to each others, and that 
happens already at BIOS/UEFI level, or even if there is password protection.

- If you got a desktop, then you can put in a USB-PCI card, and whenever you 
feel your USB might be exposed, you can always throw away the PCI card and buy 
a new one. Hopefully the badUSB did not spread to other firmwares, but whether 
that is likely to happen is outside my knowledge area. 

Really, if you're careful, then you don't have to worry as much with badUSB in 
comparison to when being reckless and inserting whatever USB. Think of it like 
a human infection, you don't go around touching questionable surfaces and then 
stick your finger in your mouth, right? The same goes to BadUSB, take your 
precautions, and if done right, then you minimize the risk dramatically. No 
matter what you do though, there will always be a risk, but the size of the 
risk is however still very much in your control, you can minimize it.

You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
For more options, visit https://groups.google.com/d/optout.

Reply via email to