Feature #9569: Research available protections against rogue USB devices

Feature #9569

Research available protections against rogue USB devices

Added by intrigeri 2015-06-13 07:31:15 . Updated 2020-04-11 06:18:57 .

Status:

Confirmed

Priority:

Normal

Assignee:

Category:

Target version:

Start date:

2015-06-13

Due date:

% Done:

Feature Branch:

Type of work:

Research

Blueprint:

Starter:

Affected tool:

Deliverable for:

Description

By “rogue USB” here we refer, for example, to the BadUSB attack described by SRLabs in https://srlabs.de/badusb and that can spread malicious firmware across USB peripherals.

USBGuard
- source code
- Rule language for writting USB device authorization policies, supporting whitelisting and blacklisting based on device attributes
- daemon + IPC + a Qt applet
- in Debian Stretch
- needs some UX improvements before we ship it: https://github.com/dkopecek/usbguard/issues/157
Linux kernel’s “authorized_default” option for the usbcore module
- could be set to 0 when the system is locked (logind may help); note that this breaks things if the system’s USB keyboard was unplugged while being locked
- setting this parameter on-the-fly isn’t enough, one also needs to for bus in /sys/bus/usb/devices/usb*; do echo 0 > ${bus}/authorized_default ; done
GNOME support for USBGuard:
- Announcement
- Earlier posts https://ryuzakikk.github.io/gnome/internship-preparation/, https://ryuzakikk.github.io/gnome/internship-update-1/, https://ryuzakikk.github.io/gnome/internship-update-2/, https://ryuzakikk.github.io/gnome/internship-update-3/, https://ryuzakikk.github.io/gnome/internship-update-4/

Subtasks

Related issues

Related to Tails - ~~Feature #5684~~: Screen locker	Resolved	2014-12-03
Related to Tails - Bug #15767: Inserting encrypted USB drive does not prompt for decryption	Confirmed	2018-08-06
Related to Tails - Feature #15900: Consider mounting external drives automatically (enable automount)	Confirmed	2018-09-02
Has duplicate Tails - ~~Feature #8989~~: Prompt before activating non-storage USB devices plugged after login	Duplicate	2015-03-01

History

#1 Updated by intrigeri 2015-06-13 07:31:34

related to ~~Feature #5684~~: Screen locker added

#2 Updated by intrigeri 2015-06-13 07:31:52

related to Feature #5451: Protect against external bus exploitation added

#3 Updated by sajolida 2015-06-16 07:33:14

What do you mean by “rogue USB devices” here?

#4 Updated by sajolida 2015-06-16 07:33:55

Found an answer already.

#5 Updated by sajolida 2015-06-16 07:37:43

Description updated

#6 Updated by intrigeri 2015-07-01 02:59:18

related to ~~Feature #8989~~: Prompt before activating non-storage USB devices plugged after login added

#7 Updated by intrigeri 2015-07-01 02:59:55

related to deleted (~~~~Feature #8989~~: Prompt before activating non-storage USB devices plugged after login~~)

#8 Updated by intrigeri 2015-07-01 03:00:08

has duplicate ~~Feature #8989~~: Prompt before activating non-storage USB devices plugged after login added

#9 Updated by intrigeri 2017-03-20 10:04:12

related to deleted (~~Feature #5451: Protect against external bus exploitation~~)

#10 Updated by intrigeri 2017-03-20 10:04:20

Parent task set to Feature #5451

#11 Updated by intrigeri 2017-03-20 10:32:06

Description updated

#12 Updated by muri 2018-12-13 17:18:21

intrigeri wrote:
> needs some UX improvements before we ship it: https://github.com/dkopecek/usbguard/issues/157

for the record: there is ongoing work to include usbguard protection in gnome3: https://ryuzakikk.github.io/gnome/internship-preparation/ & https://ryuzakikk.github.io/gnome/internship-update-1/

#13 Updated by sajolida 2019-01-23 13:24:57

related to Bug #15767: Inserting encrypted USB drive does not prompt for decryption added

#14 Updated by sajolida 2019-01-23 13:25:21

related to Feature #15900: Consider mounting external drives automatically (enable automount) added

#15 Updated by sajolida 2019-01-23 13:27:56

Description updated

#16 Updated by intrigeri 2019-02-01 10:07:05

Description updated

#17 Updated by intrigeri 2020-03-18 09:31:18

Description updated

The first iteration of USBGuard support in GNOME was released in GNOME 3.36 :)
It is opt-in for now. Shall we enable it in Tails 5.0?

#18 Updated by intrigeri 2020-04-11 06:18:57

> The first iteration of USBGuard support in GNOME was released in GNOME 3.36 :)
> It is opt-in for now.

To block non-keyboard USB devices while the desktop is locked, on
current sid, I had to:

sudo apt install usbguard
sudo perl -pi \
-E 's{^PresentDevicePolicy=.*}{PresentDevicePolicy=allow}' \
/etc/usbguard/usbguard-daemon.conf
gsettings set org.gnome.desktop.privacy usb-protection true

When this functionality blocks a device, I see a notification on the
lock screen and after unlocking the screen, that tells me a device was
blocked; that notification instructs me to unplug + plug back that USB
device after unlocking the screen if I want it to work.