USB device registration
rikona
rikona at sonic.net
Mon Jan 31 20:00:34 UTC 2022
On Sun, 30 Jan 2022 13:43:49 -0600
Keith <keith at caramail.com> wrote:
> On 1/30/22 12:28 AM, rikona wrote:
>
> [snip]
>
> >
> > Thanks much for the reply. I installed hwinfo and can see the
> > device(s). I'm familiar with how the exploit works, which is why I
> > asked how to see it. And it does work immediately, unfortunately.
> > Tricky to avoid this. I have a real USB keyboard so can't disable
> > that in the comp to avoid the 'instant' problem. Is there a way to
> > just disable one selected port on the internal root usb Linux hub
> > on the MB?
> >
> > Or, is there another way to selectively disable just that USB
> > keyboard and allow other USB keyboards to work? Or, wild idea -
> > would a virtual comp/OS shield the hardware box from being
> > infected, or does this run at a MB level?
> >
> > BTW - there is S/W that can install this kind of malware on any USB
> > device, by essentially upgrading the firmware. Easier to do than I
> > first thought - any good hack could do it. Major potential threat.
> >
> > Anyway, thanks for the info re how to see it. Now need a way to see
> > it WITHOUT HAVING IT DO ANYTHING TO A COMP with an operating USB
> > keyboard.
> >
> > All ideas much appreciated.
> >
>
> 1. Plug any untrusted USB devices into an air-gapped system and
> monitor the logs for any unusual behavior, i.e. a storage device
> identifying itself as a keyboard.
>
> 2. Install the usbguard package
>
> "The USBGuard software framework helps to protect your computer
> against rogue USB devices (a.k.a. BadUSB) by implementing basic
> whitelisting and blacklisting capabilities based on device
> attributes."
>
> https://usbguard.github.io/
Thank you!! That software looks like just what is needed.

Re the 1,2 order above, AIUI BadUSB and others install on the comp and
try to infect any USB devices connected later. Would #1 really require
a 'throw away' comp to look at the device? Right now #1 is my main
box and no spares. That's why I was thinking of a virtual machine
originally.

Would it be better to do #2 first, then #1? It looks like USBGuard can
look at the device info without allowing the device to register.

Thanks again,
Rik
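An added example, not from this thread and not USBGuard's own code, that mechanises Keith's step 1 (spotting a storage device that also identifies itself as a keyboard) and produces the rule for step 2. It parses the raw USB descriptor chain, which the kernel exposes as /sys/bus/usb/devices/<dev>/descriptors before any driver binds, so the interface classes can be read while USBGuard is still holding the device blocked. The descriptor layout, the sysfs path and the `reject ... with-interface all-of { ... }` rule syntax are real; the sample blobs, vendor/product ids and device names below are constructed placeholders.

```python
"""Parse raw USB descriptors and flag devices that expose both a mass-storage
interface (class 0x08) and a HID interface (class 0x03, keyboard/mouse)."""
import os
import struct

DEVICE_DESC, CONFIG_DESC, INTERFACE_DESC, ENDPOINT_DESC = 0x01, 0x02, 0x04, 0x05
CLASS_HID, CLASS_MASS_STORAGE = 0x03, 0x08


def parse_descriptors(blob):
    """Walk bLength/bDescriptorType-prefixed descriptors; return device ids and
    every (class, subclass, protocol) interface triple found."""
    info = {"vid": None, "pid": None, "interfaces": []}
    pos = 0
    while pos + 2 <= len(blob):
        length, dtype = blob[pos], blob[pos + 1]
        if length < 2 or pos + length > len(blob):
            break  # malformed or truncated descriptor: stop, never loop forever
        desc = blob[pos:pos + length]
        if dtype == DEVICE_DESC and length >= 18:
            info["vid"], info["pid"] = struct.unpack_from("<HH", desc, 8)
        elif dtype == INTERFACE_DESC and length >= 9:
            info["interfaces"].append((desc[5], desc[6], desc[7]))
        pos += length
    return info


def is_hid_plus_storage(info):
    classes = {cls for cls, _, _ in info["interfaces"]}
    return CLASS_HID in classes and CLASS_MASS_STORAGE in classes


def usbguard_reject_rule(info):
    """USBGuard rule rejecting this vid:pid when it carries both classes."""
    return (f"reject id {info['vid']:04x}:{info['pid']:04x} "
            "with-interface all-of { 08:*:* 03:*:* }")


def scan_sysfs(root="/sys/bus/usb/devices"):
    """Read <dev>/descriptors for every device node under root -> {name: info}."""
    found = {}
    for name in sorted(os.listdir(root)):
        path = os.path.join(root, name, "descriptors")
        if ":" in name or not os.path.isfile(path):
            continue  # "1-1:1.0" entries are interfaces, not devices
        with open(path, "rb") as f:
            found[name] = parse_descriptors(f.read())
    return found


# --- constructed sample data (not captured from real hardware) ---------------
def _device_desc(vid, pid):
    return struct.pack("<BBHBBBBHHHBBBB", 18, DEVICE_DESC, 0x0200, 0, 0, 0, 64,
                       vid, pid, 0x0100, 1, 2, 3, 1)


def _config_desc(body, n_ifaces):
    return struct.pack("<BBHBBBBB", 9, CONFIG_DESC, 9 + len(body), n_ifaces,
                       1, 0, 0x80, 50) + body


def _interface_desc(num, cls, sub, proto, n_endpoints=1):
    return struct.pack("<9B", 9, INTERFACE_DESC, num, 0, n_endpoints, cls, sub, proto, 0)


def _endpoint_desc(addr, attrs):
    return struct.pack("<BBBBHB", 7, ENDPOINT_DESC, addr, attrs, 64, 0)


def sample_devices():
    """Three constructed devices; 0x1234 and the product ids are placeholders."""
    keyboard = _device_desc(0x1234, 0x0001) + _config_desc(
        _interface_desc(0, CLASS_HID, 0x01, 0x01) + _endpoint_desc(0x81, 0x03), 1)
    stick = _device_desc(0x1234, 0x0002) + _config_desc(
        _interface_desc(0, CLASS_MASS_STORAGE, 0x06, 0x50, 2)
        + _endpoint_desc(0x81, 0x02) + _endpoint_desc(0x02, 0x02), 1)
    # a "storage" stick that also enumerates a keyboard interface
    composite = _device_desc(0x1234, 0x0003) + _config_desc(
        _interface_desc(0, CLASS_MASS_STORAGE, 0x06, 0x50, 2)
        + _endpoint_desc(0x81, 0x02) + _endpoint_desc(0x02, 0x02)
        + _interface_desc(1, CLASS_HID, 0x01, 0x01) + _endpoint_desc(0x83, 0x03), 2)
    return {"1-1": keyboard, "1-2": stick, "1-3": composite}


def demo():
    """Return (flagged device names, matching USBGuard rules) for the samples."""
    parsed = {name: parse_descriptors(blob) for name, blob in sample_devices().items()}
    flagged = sorted(n for n, info in parsed.items() if is_hid_plus_storage(info))
    return flagged, [usbguard_reject_rule(parsed[n]) for n in flagged]


if __name__ == "__main__":
    for name, rule in zip(*demo()):
        print(f"{name}: HID + mass storage on one device -> {rule}")
```

On a live box, `scan_sysfs()` with its default path reads the real devices; the emitted line belongs in /etc/usbguard/rules.conf, and `usbguard list-devices` prints the same interface triples for devices it is currently blocking, which is how the "look without letting it register" step works.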