Re: [qubes-users] USB Keyboard thoughts...

2017-12-03 Thread Robert Fisk
On 12/03/2017 09:37 AM, Jean-Philippe Ouellet wrote:
> On Fri, Dec 1, 2017 at 1:10 PM, Matty South  wrote:
>> I love the Qubes project! I've been thinking of ways to improve the security 
>> when it comes to USB Keyboards.
>>
>> I'm sure a lot of us who use Qubes as our day-to-day OS have a nice keyboard 
>> attached to the system. Upon plugging in the USB keyboard for the first 
>> time, I rightfully got a security warning about the implications of passing 
>> USB Keyboard input into dom0 (think USB Rubber Ducky attack among others). 
>> OK, I'm on board so far. What surprises me is that I didn't just authorize 
>> THIS keyboard to pass through to dom0, I have authorized *ANY* USB keyboard 
>> to access dom0. I verified this with other keyboards and even a home-made 
>> Rubber Ducky attack using a teensy.
>>
>> Curious, is there a reason why we don't restrict the authorized USB keyboard 
>> based on USB Serial number or even VID or PID. Sure with PID/VID, a physical 
>> attacker who knows your brand of keyboard could still pass through 
>> keystrokes, but it would still up the bar a little for these style of 
>> attacks.
>>
>> I'm on Version 3.2 so forgive me if this has been addressed in 4.0.
>>
>> Secondly, I don't want to be the guy begging for improvements, I would like 
>> to contribute. Can anyone point me to a good place to start if I want to add 
>> this feature? I'm thinking here maybe? 
>> https://github.com/QubesOS/qubes-app-linux-usb-proxy
> See https://github.com/QubesOS/qubes-issues/issues/2518
>

Hi Matty and all,

I am the developer of the USG hardware firewall mentioned in issue 2518.
On its own this gadget can do most of what you want - it blocks hidden
hubs so a flash drive cannot also supply keystrokes, and it blocks
devices re-enumerating as a keyboard after first enumerating as
something else.

Issue 2518 is about encrypting keystrokes from the keyboard to dom0, so
that a compromised sys-usb cannot sniff or spoof them. Jean-Philippe
suggested borrowing ideas from CrypTech's HSM design, which is worth
looking into. However I don't have time to look into this myself right
now. I would also require help with the qubes-side implementation of
whatever secure channel we choose. You are welcome to look through the
thread and let us know what you think!

Regards,
Robert

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/a64e8e14-1378-e0ee-89d2-65433414f17f%40fastmail.fm.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] USB Keyboard thoughts...

2017-12-02 Thread Jean-Philippe Ouellet
On Fri, Dec 1, 2017 at 1:10 PM, Matty South  wrote:
> I love the Qubes project! I've been thinking of ways to improve the security 
> when it comes to USB Keyboards.
>
> I'm sure a lot of us who use Qubes as our day-to-day OS have a nice keyboard 
> attached to the system. Upon plugging in the USB keyboard for the first time, 
> I rightfully got a security warning about the implications of passing USB 
> Keyboard input into dom0 (think USB Rubber Ducky attack among others). OK, 
> I'm on board so far. What surprises me is that I didn't just authorize THIS 
> keyboard to pass through to dom0, I have authorized *ANY* USB keyboard to 
> access dom0. I verified this with other keyboards and even a home-made Rubber 
> Ducky attack using a teensy.
>
> Curious, is there a reason why we don't restrict the authorized USB keyboard 
> based on USB Serial number or even VID or PID. Sure with PID/VID, a physical 
> attacker who knows your brand of keyboard could still pass through 
> keystrokes, but it would still up the bar a little for these style of attacks.
>
> I'm on Version 3.2 so forgive me if this has been addressed in 4.0.
>
> Secondly, I don't want to be the guy begging for improvements, I would like 
> to contribute. Can anyone point me to a good place to start if I want to add 
> this feature? I'm thinking here maybe? 
> https://github.com/QubesOS/qubes-app-linux-usb-proxy

See https://github.com/QubesOS/qubes-issues/issues/2518

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CABQWM_At%2BPXpw0y%3DQgCKZQqYKjSJRCRqbNjD3VtdW%3D9H%2B1kvqg%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.


[qubes-users] USB Keyboard thoughts...

2017-12-01 Thread Matty South
I love the Qubes project! I've been thinking of ways to improve the security 
when it comes to USB Keyboards. 

I'm sure a lot of us who use Qubes as our day-to-day OS have a nice keyboard 
attached to the system. Upon plugging in the USB keyboard for the first time, I 
rightfully got a security warning about the implications of passing USB 
Keyboard input into dom0 (think USB Rubber Ducky attack among others). OK, I'm 
on board so far. What surprises me is that I didn't just authorize THIS 
keyboard to pass through to dom0, I have authorized *ANY* USB keyboard to 
access dom0. I verified this with other keyboards and even a home-made Rubber 
Ducky attack using a teensy.

Curious, is there a reason why we don't restrict the authorized USB keyboard 
based on USB Serial number or even VID or PID. Sure with PID/VID, a physical 
attacker who knows your brand of keyboard could still pass through keystrokes, 
but it would still up the bar a little for these style of attacks. 

I'm on Version 3.2 so forgive me if this has been addressed in 4.0.

Secondly, I don't want to be the guy begging for improvements, I would like to 
contribute. Can anyone point me to a good place to start if I want to add this 
feature? I'm thinking here maybe? 
https://github.com/QubesOS/qubes-app-linux-usb-proxy 

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/fe3f39b9-8b1c-48b1-b1f8-f82882bce81d%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.