Feature #9569
Research available protections against rogue USB devices
0%
Description
By “rogue USB” here we refer, for example, to the BadUSB attack described by SRLabs in https://srlabs.de/badusb and that can spread malicious firmware across USB peripherals.
- USBGuard
- source code
- Rule language for writting USB device authorization policies, supporting whitelisting and blacklisting based on device attributes
- daemon + IPC + a Qt applet
- in Debian Stretch
- needs some UX improvements before we ship it: https://github.com/dkopecek/usbguard/issues/157
- Linux kernel’s “authorized_default” option for the
usbcore
module- could be set to 0 when the system is locked (logind may help); note that this breaks things if the system’s USB keyboard was unplugged while being locked
- setting this parameter on-the-fly isn’t enough, one also needs to
for bus in /sys/bus/usb/devices/usb*; do echo 0 > ${bus}/authorized_default ; done
- GNOME support for USBGuard:
- Announcement
- Earlier posts https://ryuzakikk.github.io/gnome/internship-preparation/, https://ryuzakikk.github.io/gnome/internship-update-1/, https://ryuzakikk.github.io/gnome/internship-update-2/, https://ryuzakikk.github.io/gnome/internship-update-3/, https://ryuzakikk.github.io/gnome/internship-update-4/
Subtasks
Related issues
Related to Tails - |
Resolved | 2014-12-03 | |
Related to Tails - Bug #15767: Inserting encrypted USB drive does not prompt for decryption | Confirmed | 2018-08-06 | |
Related to Tails - Feature #15900: Consider mounting external drives automatically (enable automount) | Confirmed | 2018-09-02 | |
Has duplicate Tails - |
Duplicate | 2015-03-01 |
History
#1 Updated by intrigeri 2015-06-13 07:31:34
- related to
Feature #5684: Screen locker added
#2 Updated by intrigeri 2015-06-13 07:31:52
- related to Feature #5451: Protect against external bus exploitation added
#3 Updated by sajolida 2015-06-16 07:33:14
What do you mean by “rogue USB devices” here?
#4 Updated by sajolida 2015-06-16 07:33:55
Found an answer already.
#5 Updated by sajolida 2015-06-16 07:37:43
- Description updated
#6 Updated by intrigeri 2015-07-01 02:59:18
- related to
Feature #8989: Prompt before activating non-storage USB devices plugged after login added
#7 Updated by intrigeri 2015-07-01 02:59:55
- related to deleted (
)Feature #8989: Prompt before activating non-storage USB devices plugged after login
#8 Updated by intrigeri 2015-07-01 03:00:08
- has duplicate
Feature #8989: Prompt before activating non-storage USB devices plugged after login added
#9 Updated by intrigeri 2017-03-20 10:04:12
- related to deleted (
Feature #5451: Protect against external bus exploitation)
#10 Updated by intrigeri 2017-03-20 10:04:20
- Parent task set to Feature #5451
#11 Updated by intrigeri 2017-03-20 10:32:06
- Description updated
#12 Updated by muri 2018-12-13 17:18:21
intrigeri wrote:
> needs some UX improvements before we ship it: https://github.com/dkopecek/usbguard/issues/157
for the record: there is ongoing work to include usbguard protection in gnome3: https://ryuzakikk.github.io/gnome/internship-preparation/ & https://ryuzakikk.github.io/gnome/internship-update-1/
#13 Updated by sajolida 2019-01-23 13:24:57
- related to Bug #15767: Inserting encrypted USB drive does not prompt for decryption added
#14 Updated by sajolida 2019-01-23 13:25:21
- related to Feature #15900: Consider mounting external drives automatically (enable automount) added
#15 Updated by sajolida 2019-01-23 13:27:56
- Description updated
#16 Updated by intrigeri 2019-02-01 10:07:05
- Description updated
#17 Updated by intrigeri 2020-03-18 09:31:18
- Description updated
The first iteration of USBGuard support in GNOME was released in GNOME 3.36 :)
It is opt-in for now. Shall we enable it in Tails 5.0?
#18 Updated by intrigeri 2020-04-11 06:18:57
> The first iteration of USBGuard support in GNOME was released in GNOME 3.36 :)
> It is opt-in for now.
To block non-keyboard USB devices while the desktop is locked, on
current sid, I had to:
sudo apt install usbguard
sudo perl -pi \
-E 's{^PresentDevicePolicy=.*}{PresentDevicePolicy=allow}' \
/etc/usbguard/usbguard-daemon.conf
gsettings set org.gnome.desktop.privacy usb-protection true
When this functionality blocks a device, I see a notification on the
lock screen and after unlocking the screen, that tells me a device was
blocked; that notification instructs me to unplug + plug back that USB
device after unlocking the screen if I want it to work.