oss-sec mailing list archives
Re: BadUSB discussion
From: Daniel Kahn Gillmor <dkg () fifthhorseman net>
Date: Fri, 08 Aug 2014 09:56:34 -0400
On 08/08/2014 07:58 AM, Florian Weimer wrote:
> On 08/08/2014 01:20 PM, Dan Carpenter wrote:
>> We could put a popup if there is a second keyboard attached to check
>> that the person controlling the existing keyboard is aware of the
>> second one.
>
> Wouldn't this make using Yubikeys quite inconvenient?

It sure would. And if the popup were modal/blocking (i.e. if it refused to connect the new device until the user agreed to it), which is the safest approach on a single-seat system, it causes another issue: if the user's HID devices are failing, and they're plugging in a new keyboard specifically to work around their failed hardware, there would be no way to dismiss the popup/grant permissions on the new device.

You could have a more nuanced approach, though, to improve things at least for a machine used regularly. For example, you could register keyboards by serial number with the system, and have an allowlist that wouldn't cause modal blocking. This would handle the yubikey case, and potentially also the failing HID case, if the user had cleared the secondary kbd before the primary failed. You could also avoid the popup if the system doesn't detect *any* actual HID device plugged in, to solve the problem of a machine that booted with no devices available.

But please remember that a second keyboard is only one vector of attack. There are other user-interface devices and other system hardware that can be emulated by a sufficiently devious USB device. The same thing goes, of course, for PCI devices, disks, CPUs, expressCards (or whatever they're called today), firewire, RAM, etc. all of which are becoming more hot-pluggable on modern hardware.

A well-thought-out system-wide policy of what to do on device hotplug might be useful, with a set of standard profiles (single-seat personal desktop (laptop), server, multi-seat desktop) to encourage sane behavior by default. I have no idea what form such a policy might take, though.

--dkg
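The allowlist-and-prompt decision described in the message above, sketched as an added example; it is not part of the original post or of any project's code. The `UsbDevice` type, the `decide` function, the action names and all device IDs are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

HID_CLASS = 0x03  # USB bInterfaceClass value for Human Interface Devices


@dataclass(frozen=True)
class UsbDevice:
    vendor_id: int
    product_id: int
    serial: Optional[str]            # device-reported, so not proof of identity
    interface_classes: Tuple[int, ...]

    def is_hid(self) -> bool:
        # Conservative: any HID interface counts as keyboard-capable, because
        # telling a keyboard from other HID needs the report descriptor.
        return HID_CLASS in self.interface_classes

    def key(self):
        # A device without a serial number cannot be registered individually.
        return (self.vendor_id, self.product_id, self.serial) if self.serial else None


def decide(new, attached, allowlist):
    """Return (action, reason) for a newly hotplugged device."""
    if not new.is_hid():
        return "out-of-scope", "no HID interface; needs the wider hotplug policy"
    if new.key() is not None and new.key() in allowlist:
        return "allow", "registered in the allowlist"
    if not any(d.is_hid() for d in attached):
        return "allow", "no HID device present to answer a prompt"
    return "prompt", "unregistered HID device next to an existing one"


# Constructed sample devices; all IDs and serials are made up.
PRIMARY = UsbDevice(0x1111, 0x0001, "KB-0001", (0x03,))
TOKEN = UsbDevice(0x2222, 0x0002, "TOK-42", (0x03,))
FLASH_WITH_HID = UsbDevice(0x3333, 0x0003, None, (0x08, 0x03))  # storage + HID
PLAIN_FLASH = UsbDevice(0x3333, 0x0004, "FL-7", (0x08,))
ALLOWLIST = {PRIMARY.key(), TOKEN.key()}

if __name__ == "__main__":
    for dev, present in [(TOKEN, [PRIMARY]), (FLASH_WITH_HID, [PRIMARY]),
                         (FLASH_WITH_HID, []), (PLAIN_FLASH, [PRIMARY])]:
        print(dev.serial, len(present), decide(dev, present, ALLOWLIST))
```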