On Wednesday, January 24, 2018 at 11:47:58 AM UTC+1, koto...@gmail.com wrote: > If a USB keyboard is allowed with /etc/qubes-rpc/policy/qubes.InputKeyboard, > does it increase the risk for badusb kind of attacks?
It's been explicitly said by the Qubes developers that it's best to use PS2 keyboard/mouse, or internal laptop keyboards, if possible. Since USB keyboard/mouse poses risk. This "risk" is highly subject to your risk profile and environment, as well as your needs. Really, some people may need to worry much more about badUSB, than other people need to. At least in the current day and age, it might be much more worrysome for more people in the future. It's my understanding, that all USB devices have firmware memory, even if the device has no computer within it (such as usb headphones or speakers, and yes, keyboards too). Few vendors "lock" the firmware, hench without a lock on the firmware, it can be modified. If the firmware is "locked", then it's likely that the device is immune to badUSB, however, few vendors do this, and it's certainly not a marketing information available when buying either, nor is it industry recommended (although it probably should be). By that definition, whereever there is USB, there is an unlocked firmware. Whereever there is an unlocked firmnware, there is a risk of USB-exploit. Whereever there is a risk of USB-exploit, there is a risk of badUSB. - Limit the amount of USB devices that come near your Desktop/Laptop, since even a single bad exposure means you have to throw the machine away to get rid of the badUSB. - Limit USB to trusted USB devices, don't put in other people's USB devices. BadUSB is like a virus, it can spread from one firmware to the next, and since there is a firmware on both ends, then it can easily spread. - Only use new USB devices, never use used ones. - Don't leave your computer or laptop exposed to questionable people, or people you don't know well. For example at work, or in the class-room. Even if you put it to sleep with a password protection when you leave the area, even if you trust it won't be stolen, you should here still worry if someone inserts a badUSB to your machine. If power is on, irregardless if it can boot up or not, then you've been infected the moment firmware talks to each others, and that happens already at BIOS/UEFI level, or even if there is password protection. - If you got a desktop, then you can put in a USB-PCI card, and whenever you feel your USB might be exposed, you can always throw away the PCI card and buy a new one. Hopefully the badUSB did not spread to other firmwares, but whether that is likely to happen is outside my knowledge area. Really, if you're careful, then you don't have to worry as much with badUSB in comparison to when being reckless and inserting whatever USB. Think of it like a human infection, you don't go around touching questionable surfaces and then stick your finger in your mouth, right? The same goes to BadUSB, take your precautions, and if done right, then you minimize the risk dramatically. No matter what you do though, there will always be a risk, but the size of the risk is however still very much in your control, you can minimize it. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/d4a8affb-ba74-4d67-9c06-066cdbe7a589%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.