I love the Qubes project! I've been thinking of ways to improve the security when it comes to USB Keyboards.
I'm sure a lot of us who use Qubes as our day-to-day OS have a nice keyboard attached to the system. Upon plugging in the USB keyboard for the first time, I rightfully got a security warning about the implications of passing USB Keyboard input into dom0 (think USB Rubber Ducky attack among others). OK, I'm on board so far. What surprises me is that I didn't just authorize THIS keyboard to pass through to dom0, I have authorized *ANY* USB keyboard to access dom0. I verified this with other keyboards and even a home-made Rubber Ducky attack using a teensy. Curious, is there a reason why we don't restrict the authorized USB keyboard based on USB Serial number or even VID or PID. Sure with PID/VID, a physical attacker who knows your brand of keyboard could still pass through keystrokes, but it would still up the bar a little for these style of attacks. I'm on Version 3.2 so forgive me if this has been addressed in 4.0. Secondly, I don't want to be the guy begging for improvements, I would like to contribute. Can anyone point me to a good place to start if I want to add this feature? I'm thinking here maybe? https://github.com/QubesOS/qubes-app-linux-usb-proxy -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/fe3f39b9-8b1c-48b1-b1f8-f82882bce81d%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
