Feature #9569

Research available protections against rogue USB devices

Added by intrigeri 2015-06-13 07:31:15 . Updated 2020-04-11 06:18:57 .

Status:
Confirmed
Priority:
Normal
Assignee:
Category:
Target version:
Start date:
2015-06-13
Due date:
% Done:

0%

Feature Branch:
Type of work:
Research
Blueprint:

Starter:
Affected tool:
Deliverable for:

Description

By “rogue USB” here we refer, for example, to the BadUSB attack described by SRLabs in https://srlabs.de/badusb and that can spread malicious firmware across USB peripherals.


Subtasks


Related issues

Related to Tails - Feature #5684: Screen locker Resolved 2014-12-03
Related to Tails - Bug #15767: Inserting encrypted USB drive does not prompt for decryption Confirmed 2018-08-06
Related to Tails - Feature #15900: Consider mounting external drives automatically (enable automount) Confirmed 2018-09-02
Has duplicate Tails - Feature #8989: Prompt before activating non-storage USB devices plugged after login Duplicate 2015-03-01

History

#1 Updated by intrigeri 2015-06-13 07:31:34

#2 Updated by intrigeri 2015-06-13 07:31:52

  • related to Feature #5451: Protect against external bus exploitation added

#3 Updated by sajolida 2015-06-16 07:33:14

What do you mean by “rogue USB devices” here?

#4 Updated by sajolida 2015-06-16 07:33:55

Found an answer already.

#5 Updated by sajolida 2015-06-16 07:37:43

  • Description updated

#6 Updated by intrigeri 2015-07-01 02:59:18

  • related to Feature #8989: Prompt before activating non-storage USB devices plugged after login added

#7 Updated by intrigeri 2015-07-01 02:59:55

  • related to deleted (Feature #8989: Prompt before activating non-storage USB devices plugged after login)

#8 Updated by intrigeri 2015-07-01 03:00:08

  • has duplicate Feature #8989: Prompt before activating non-storage USB devices plugged after login added

#9 Updated by intrigeri 2017-03-20 10:04:12

  • related to deleted (Feature #5451: Protect against external bus exploitation)

#10 Updated by intrigeri 2017-03-20 10:04:20

#11 Updated by intrigeri 2017-03-20 10:32:06

  • Description updated

#12 Updated by muri 2018-12-13 17:18:21

intrigeri wrote:
> needs some UX improvements before we ship it: https://github.com/dkopecek/usbguard/issues/157

for the record: there is ongoing work to include usbguard protection in gnome3: https://ryuzakikk.github.io/gnome/internship-preparation/ & https://ryuzakikk.github.io/gnome/internship-update-1/

#13 Updated by sajolida 2019-01-23 13:24:57

  • related to Bug #15767: Inserting encrypted USB drive does not prompt for decryption added

#14 Updated by sajolida 2019-01-23 13:25:21

  • related to Feature #15900: Consider mounting external drives automatically (enable automount) added

#15 Updated by sajolida 2019-01-23 13:27:56

  • Description updated

#16 Updated by intrigeri 2019-02-01 10:07:05

  • Description updated

#17 Updated by intrigeri 2020-03-18 09:31:18

  • Description updated

The first iteration of USBGuard support in GNOME was released in GNOME 3.36 :)
It is opt-in for now. Shall we enable it in Tails 5.0?

#18 Updated by intrigeri 2020-04-11 06:18:57

> The first iteration of USBGuard support in GNOME was released in GNOME 3.36 :)
> It is opt-in for now.

To block non-keyboard USB devices while the desktop is locked, on
current sid, I had to:

sudo apt install usbguard
sudo perl -pi \
-E 's{^PresentDevicePolicy=.*}{PresentDevicePolicy=allow}' \
/etc/usbguard/usbguard-daemon.conf
gsettings set org.gnome.desktop.privacy usb-protection true

When this functionality blocks a device, I see a notification on the
lock screen and after unlocking the screen, that tells me a device was
blocked; that notification instructs me to unplug + plug back that USB
device after unlocking the screen if I want it to work.