Discussion:
Tails and USB controls
Julien T
2014-10-05 22:39:04 UTC
Hello,

Following BadUSB, the code release (https://github.com/adamcaudill/Psychson)
and other older stuff, I'm asking myself if it's not an opportunity to
integrate more control on USB in Tails as an example for other
distributions.

BadUSB is not fully new, as many attacks show that USB was lacking security:
http://theinvisiblethings.blogspot.ca/2011/06/usb-security-challenges.html
http://www.theregister.co.uk/2011/06/27/mission_impossible_mouse_attack/
https://srlabs.de/badusb/
http://arstechnica.com/security/2014/07/this-thumbdrive-hacks-computers-badusb-exploit-makes-devices-turn-evil/

Some ways to control it better
http://www.irongeek.com/i.php?page=videos/bsideslasvegas2014/bg01-usb-write-blocking-with-usbproxy-dominic-spill

Lock USB when screensaver is active
http://www.openwall.com/lists/oss-security/2014/08/08/30
echo "0" > /sys/module/usbcore/parameters/authorized_default
either with logind or dbus-monitor

No automount (already the case?) except for a defined whitelist that user
can easily extend/import/export
something to prevent rubber ducky
http://www.usbrubberducky.com
https://hakshop.myshopify.com/collections/usb-rubber-ducky

By default, mount USB storage as ro,noexec,nodev,nosuid unless defined
specifically in whitelist. Possible with udev but depends on the rest of the
environment, sometimes not playing well with udev, udisk, u*

Those controls should apply to all USB devices, as not only storage can be
used by malware.

For now, only Qubes OS seems to be going in the direction of more control
(http://theinvisiblethings.blogspot.ca/2014/08/qubes-os-r2-rc2-debian-template-ssled.html)

Comments?

Cheers,

J
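
The "lock USB when the screensaver is active" idea from the post above, as an added example that is not part of the thread or of Tails. It assumes the session is locked through logind (so `Lock`/`Unlock` signals are emitted), that it runs as root with `dbus-monitor` installed, and it writes the per-host-controller `authorized_default` attribute described in the kernel's Documentation/usb/authorization.txt; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes root, dbus-monitor, and a
# logind that emits Lock/Unlock on org.freedesktop.login1.Session.
# Function names are made up for this illustration.
USB_SYSFS="${USB_SYSFS:-/sys/bus/usb/devices}"

# Write 0 (deny) or 1 (allow) to authorized_default on every root hub (usbN).
# Only devices plugged in afterwards are affected; anything already
# connected keeps its current "authorized" state.
set_usb_default() {
    case "$1" in
        0|1) ;;
        *) return 2 ;;                    # refuse anything but 0 or 1
    esac
    rc=0
    for f in "$USB_SYSFS"/usb*/authorized_default; do
        [ -e "$f" ] || continue           # glob matched nothing
        echo "$1" > "$f" || rc=1
    done
    return "$rc"
}

# Map one dbus-monitor line to "lock", "unlock" or nothing.
# Constructed sample of a matching line:
#   signal sender=:1.3 -> dest=(null destination) serial=42 path=/org/freedesktop/login1/session/_31; interface=org.freedesktop.login1.Session; member=Lock
classify_signal() {
    case "$1" in
        *"interface=org.freedesktop.login1.Session; member=Lock"*) echo lock ;;
        *"interface=org.freedesktop.login1.Session; member=Unlock"*) echo unlock ;;
    esac
}

# Follow session lock state. A device inserted while locked stays
# deauthorized after unlock until it is re-plugged or authorized by hand.
watch_locks() {
    dbus-monitor --system \
        "type='signal',interface='org.freedesktop.login1.Session'" |
    while IFS= read -r line; do
        case "$(classify_signal "$line")" in
            lock)   set_usb_default 0 ;;
            unlock) set_usb_default 1 ;;
        esac
    done
}

if [ "${1:-}" = "watch" ]; then
    watch_locks
fi
```

Run it with the argument `watch` to start following lock events; without arguments it only defines the functions.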
intrigeri
2014-10-06 09:11:46 UTC
Hi,
Post by Julien T
Comments?
It would be awesome if someone who's not already overwhelmed did work
on this. I would suggest the following course of action:

1. Write a blueprint that:
   - Makes it clear what threat model we should better address
   - Roughly describes a few candidate solutions, along with their
     pros/cons (especially the usability ones)
2. Start a discussion on tails-dev@, based on the aforementioned
   blueprint
3. Implement the chosen solution

Cheers,
--
intrigeri
