Date: Fri, 08 Aug 2014 09:56:34 -0400
From: Daniel Kahn Gillmor <dkg@...thhorseman.net>
To: oss-security@...ts.openwall.com
Subject: Re: BadUSB discussion

On 08/08/2014 07:58 AM, Florian Weimer wrote:
> On 08/08/2014 01:20 PM, Dan Carpenter wrote:
>> We could put a popup if there is a second keyboard attached to check
>> that the person controlling the existing keyboard is aware of the second
>> one.
>
> Wouldn't this make using Yubikeys quite inconvenient?

It sure would.

And if the popup were modal/blocking (i.e. if it refused to connect the new device until the user agreed to it), which is the safest approach on a single-seat system, it causes another issue: if the user's HID devices are failing, and they're plugging in a new keyboard specifically to work around their failed hardware, there would be no way to dismiss the popup/grant permissions on the new device.

You could have a more nuanced approach, though, to improve things at least for a machine used regularly. For example, you could register keyboards by serial number with the system, and have an allowlist that wouldn't cause modal blocking. This would handle the Yubikey case, and potentially also the failing HID case, if the user had cleared the secondary keyboard before the primary failed.

You could also avoid the popup if the system doesn't detect *any* actual HID device plugged in, to solve the problem of a machine that booted with no devices available.

But please remember that a second keyboard is only one vector of attack. There are other user-interface devices and other system hardware that can be emulated by a sufficiently devious USB device. The same thing goes, of course, for PCI devices, disks, CPUs, ExpressCards (or whatever they're called today), FireWire, RAM, etc., all of which are becoming more hot-pluggable on modern hardware.
A well-thought-out system-wide policy of what to do on device hotplug might be useful, with a set of standard profiles (single-seat personal desktop (laptop), server, multi-seat desktop) to encourage sane behavior by default. I have no idea what form such a policy might take, though.

--dkg
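The policy sketched in the message above (allowlist by serial, auto-allow when no HID device is present, otherwise hold a new keyboard-class device for confirmation) can be written as a small decision function. The code below is an added example, not code from the thread or from any USB stack; the `UsbDevice` model, the `decide` function and the sample devices are all constructed for illustration. It assumes the Linux per-device `authorized` sysfs attribute as the enforcement point, with `authorized_default` on each root hub set to 0 so that a freshly attached device stays de-authorized until the policy (or the user) writes 1.

```python
"""Hotplug policy for USB HID devices, modelled on the oss-security thread.

Added example: hypothetical data model and policy, not part of the original mail
or of any real USB stack.
"""
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    """What the policy tells the authorization layer to do with a new device."""
    ALLOW = "allow"    # write 1 to .../authorized right away
    PROMPT = "prompt"  # leave it at 0 until the user confirms from an existing input device


HID_CLASS = 0x03  # USB-IF bInterfaceClass code for Human Interface Devices


@dataclass(frozen=True)
class UsbDevice:
    """Descriptor fields the policy looks at (hypothetical, trimmed model)."""
    vendor_id: int
    product_id: int
    serial: str                # iSerialNumber string; empty if the device has none
    interface_classes: tuple   # bInterfaceClass of every interface the device exposes

    @property
    def is_hid(self) -> bool:
        # A composite BadUSB device may hide a HID interface behind a storage one,
        # so look at every interface rather than only the first.
        return HID_CLASS in self.interface_classes

    @property
    def identity(self) -> tuple:
        # Allowlist key. Note that a malicious device can present any VID/PID/serial,
        # so this only stops opportunistic devices, not one built to impersonate yours.
        return (self.vendor_id, self.product_id, self.serial)


def decide(new: UsbDevice, present: list, allowlist: set) -> Decision:
    """Single-seat policy following the thread:

    1. Allowlisted devices never block (the Yubikey case).
    2. Non-HID devices are outside this policy and pass through.
    3. If no HID device is currently attached there is nothing to answer a
       prompt with (failed keyboard, headless boot), so allow.
    4. Otherwise a new HID device beside an existing one is held for confirmation.
    """
    if new.identity in allowlist:
        return Decision.ALLOW
    if not new.is_hid:
        return Decision.ALLOW
    if not any(dev.is_hid for dev in present):
        return Decision.ALLOW
    return Decision.PROMPT


def sysfs_authorized_value(decision: Decision) -> str:
    """Value to write to /sys/bus/usb/devices/<dev>/authorized for a decision."""
    return "1" if decision is Decision.ALLOW else "0"


def register(dev: UsbDevice, allowlist: set) -> set:
    """'Clear' a device while the user still has a working keyboard to do it with."""
    return allowlist | {dev.identity}


# Constructed sample devices (not captured from real hardware).
KEYBOARD = UsbDevice(0x046D, 0xC31C, "", (HID_CLASS,))
YUBIKEY = UsbDevice(0x1050, 0x0407, "0001234", (HID_CLASS, HID_CLASS, 0x0B))
ROGUE = UsbDevice(0x046D, 0xC31C, "", (0x08, HID_CLASS))   # storage stick with a hidden keyboard
STORAGE = UsbDevice(0x0781, 0x5583, "AA11", (0x08,))

if __name__ == "__main__":
    allow = register(YUBIKEY, set())
    for dev in (YUBIKEY, ROGUE, STORAGE):
        d = decide(dev, [KEYBOARD], allow)
        print(f"{dev.identity}: {d.value} -> authorized={sysfs_authorized_value(d)}")
    print("no keyboard present:", decide(ROGUE, [], allow).value)
```

In practice a udev rule on `ACTION=="add", SUBSYSTEM=="usb"` would feed the device's sysfs attributes into `decide`, write the result to its `authorized` attribute, and hand `PROMPT` cases to a desktop agent that asks on the already-present keyboard. The `ROGUE` sample shows why the check is per interface: it shares VID/PID with the trusted keyboard but is still held because the serial is empty and not allowlisted, and it is still a HID device beside an existing one. The empty-serial case also shows the limit of the approach: identical models without serials cannot be told apart, and a purpose-built device can clone whichever identity it likes.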