Date: Fri, 08 Aug 2014 09:56:34 -0400
From: Daniel Kahn Gillmor <dkg@...thhorseman.net>
To: oss-security@...ts.openwall.com
Subject: Re: BadUSB discussion

On 08/08/2014 07:58 AM, Florian Weimer wrote:
> On 08/08/2014 01:20 PM, Dan Carpenter wrote:
>> We could put a popup if there is a second keyboard attached to check
>> that the person controlling the existing keyboard is aware of the second
>> one.
> 
> Wouldn't this make using Yubikeys quite inconvenient?

It sure would.

And if the popup were modal/blocking (i.e. if it refused to connect the
new device until the user agreed to it), which is the safest approach on
a single-seat system, it causes another issue: if the user's HID devices
are failing, and they're plugging in a new keyboard specifically to work
around their failed hardware, there would be no way to dismiss the
popup/grant permissions on the new device.

You could have a more nuanced approach, though, to improve things at
least for a machine used regularly.

For example, you could register keyboards by serial number with the
system, and have an allowlist that wouldn't cause modal blocking.  This
would handle the yubikey case, and potentially also the failing HID
case, if the user had cleared the secondary kbd before the primary failed.

You could also avoid the popup if the system doesn't detect *any* actual
HID device plugged in, to solve the problem of a machine that booted
with no devices available.

But please remember that a second keyboard is only one vector of attack.
There are other user-interface devices and other system hardware that
can be emulated by a sufficiently devious USB device.

The same thing goes, of course, for PCI devices, disks, CPUs,
expressCards (or whatever they're called today), firewire, RAM, etc. all
of which are becoming more hot-pluggable on modern hardware.

A well-thought-out system-wide policy of what to do on device hotplug
might be useful, with a set of standard profiles (single-seat personal
desktop (laptop), server, multi-seat desktop) to encourage sane behavior
by default.  I have no idea what form such a policy might take, though.

	--dkg
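The allowlist-by-serial policy sketched in the mail above, as an added example that is not part of the original message or of any project: a new device with an HID interface binds without a prompt if it was registered earlier (the Yubikey case) or if no HID device is currently attached (the booted-with-nothing case), and is otherwise held for confirmation. The `UsbDevice` fields, `register`, `hotplug_decision` and the sample devices are assumptions made for the example.

```python
from dataclasses import dataclass
from enum import Enum

USB_CLASS_HID = 0x03  # bInterfaceClass for HID: keyboards, mice, Yubikey OTP, ...

class Decision(Enum):
    AUTHORIZE = "authorize"  # bind the device immediately
    CONFIRM = "confirm"      # hold it until the user confirms on an input device already attached

@dataclass(frozen=True)
class UsbDevice:
    vendor_id: int
    product_id: int
    serial: str               # iSerialNumber string, "" if the device reports none
    interface_classes: tuple  # bInterfaceClass of each interface the device exposes

    def is_hid(self) -> bool:
        # Any HID interface counts, not only keyboards: a composite device can inject input too.
        return USB_CLASS_HID in self.interface_classes

    def identity(self) -> tuple:
        return (self.vendor_id, self.product_id, self.serial)

def register(allowlist: set, dev: UsbDevice) -> None:
    """Add a device to the no-prompt allowlist; a device without a serial cannot be told apart."""
    if not dev.serial:
        raise ValueError("device reports no serial number; cannot be allowlisted")
    allowlist.add(dev.identity())

def hotplug_decision(new_dev: UsbDevice, attached: list, allowlist: set) -> Decision:
    """attached: devices already authorized on this host; allowlist: identities from register()."""
    if not new_dev.is_hid():
        return Decision.AUTHORIZE  # storage, network etc. are outside this policy
    # Registered device (the Yubikey case): no modal prompt. The serial is self-reported by
    # device firmware, so this raises the bar for a reprogrammed device but proves nothing.
    if new_dev.serial and new_dev.identity() in allowlist:
        return Decision.AUTHORIZE
    # No HID device present (fresh boot, or the only keyboard vanished): nothing to confirm with.
    if not any(d.is_hid() for d in attached):
        return Decision.AUTHORIZE
    return Decision.CONFIRM  # ask through the input device the user already controls

# Constructed sample devices; vendor/product ids and serials are made up for this example.
KEYBOARD = UsbDevice(0x1111, 0x0001, "", (USB_CLASS_HID,))
YUBIKEY = UsbDevice(0x2222, 0x0002, "YK-EXAMPLE-1", (USB_CLASS_HID, 0x0B))
ROGUE = UsbDevice(0x3333, 0x0003, "", (USB_CLASS_HID, 0x08))  # HID plus storage, no serial
DISK = UsbDevice(0x4444, 0x0004, "DISK-1", (0x08,))            # mass storage only
```

Note that a device that has already failed but is still enumerated still counts as attached, so the failed-primary case is only covered if the replacement was registered beforehand, as the mail says.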
