On Wednesday, January 24, 2018 at 11:47:58 AM UTC+1, koto...@gmail.com wrote:
> If a USB keyboard is allowed with /etc/qubes-rpc/policy/qubes.InputKeyboard,
> does it increase the risk for badusb kind of attacks?
It's been explicitly said by the Qubes developers that it's best to use PS2
keyboard/mouse, or internal laptop keyboards, if possible. Since USB
keyboard/mouse poses risk. This "risk" is highly subject to your risk profile
and environment, as well as your needs. Really, some people may need to worry
much more about badUSB, than other people need to. At least in the current day
and age, it might be much more worrysome for more people in the future.
It's my understanding, that all USB devices have firmware memory, even if the
device has no computer within it (such as usb headphones or speakers, and yes,
keyboards too). Few vendors "lock" the firmware, hench without a lock on the
firmware, it can be modified. If the firmware is "locked", then it's likely
that the device is immune to badUSB, however, few vendors do this, and it's
certainly not a marketing information available when buying either, nor is it
industry recommended (although it probably should be).
By that definition, whereever there is USB, there is an unlocked firmware.
Whereever there is an unlocked firmnware, there is a risk of USB-exploit.
Whereever there is a risk of USB-exploit, there is a risk of badUSB.
- Limit the amount of USB devices that come near your Desktop/Laptop, since
even a single bad exposure means you have to throw the machine away to get rid
of the badUSB.
- Limit USB to trusted USB devices, don't put in other people's USB devices.
BadUSB is like a virus, it can spread from one firmware to the next, and since
there is a firmware on both ends, then it can easily spread.
- Only use new USB devices, never use used ones.
- Don't leave your computer or laptop exposed to questionable people, or people
you don't know well. For example at work, or in the class-room. Even if you put
it to sleep with a password protection when you leave the area, even if you
trust it won't be stolen, you should here still worry if someone inserts a
badUSB to your machine. If power is on, irregardless if it can boot up or not,
then you've been infected the moment firmware talks to each others, and that
happens already at BIOS/UEFI level, or even if there is password protection.
- If you got a desktop, then you can put in a USB-PCI card, and whenever you
feel your USB might be exposed, you can always throw away the PCI card and buy
a new one. Hopefully the badUSB did not spread to other firmwares, but whether
that is likely to happen is outside my knowledge area.
Really, if you're careful, then you don't have to worry as much with badUSB in
comparison to when being reckless and inserting whatever USB. Think of it like
a human infection, you don't go around touching questionable surfaces and then
stick your finger in your mouth, right? The same goes to BadUSB, take your
precautions, and if done right, then you minimize the risk dramatically. No
matter what you do though, there will always be a risk, but the size of the
risk is however still very much in your control, you can minimize it.
--
You received this message because you are subscribed to the Google Groups
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/d4a8affb-ba74-4d67-9c06-066cdbe7a589%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
